I am using Pulumi to create Auth0 resources, and it doesn’t seem to have support for Marketplace Integrations. Specifically, I need to add the Password Rotation integration as a post-login Action to enforce a login expiry duration.
Thanks. I’m curious though that this example differs quite a lot from this similar one a few months ago for Password Rotation. The email request and redirect are quite different. Could you explain the differences and why we might use one over the other?
The Sample Password Rotation Action knowledge solution that you shared uses the Management API to redirect the user to the password change ticket URL. In this flow, the user is immediately prompted to reset their password.
This is different from the example I shared in my first reply, which uses the Authentication API to send a password change email to the user. Additionally, it checks whether the user’s last password change was more than 30 days ago to trigger the password change flow. In this flow, the user must go to their email and click on the link to reset their password.
Also, I just wanted to remind you that these action scripts are examples. You’ll need to customize them to fit your specific requirements for tracking when to prompt users to rotate their passwords.
Thanks Rueben, I’m using the Management API to redirect to the change password ticket URL.
Is there a way to let the user know why they’re being prompted to change their password? The following code happens in the post-login Action:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // ... code to determine password age ...
  if (passwordTooOld) {
    const { ManagementClient } = require('auth0');
    // DOMAIN, CLIENT_ID and CLIENT_SECRET are placeholders for the tenant's values.
    const client = new ManagementClient({
      domain: DOMAIN, clientId: CLIENT_ID, clientSecret: CLIENT_SECRET,
    });
    console.log('Password too old, reset required');
    // #### how to let user know their password is too old?
    // Create a password change ticket for this user and redirect to it.
    const r = await client.tickets.changePassword({
      user_id: event.user.user_id,
      client_id: CLIENT_ID,
    });
    api.redirect.sendUserTo(r.data.ticket);
  }
};
```
The flow from the user’s perspective is that they authenticate with a password and are immediately taken to the Change Password page to enter a new password, but with no context as to why.
Also, after the password is changed in this flow, how do I redirect back to the original login page?
Maybe you could consider redirecting twice. Once to a page where you inform the user about the expired passwords, and then a second time to the password change URL.
You would need to send the user back to the /continue endpoint with the state.
For example: https://{yourAuth0Domain}/continue?state=abc123
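The two-step redirect suggested above, sketched as an added example that is not part of the original thread or Auth0's own sample: the first redirect goes to a notice page that explains the reason, and the resume handler re-checks the password age so that returning to /continue without changing the password does not complete the login. `NOTICE_URL`, `MAX_AGE_DAYS` and the `reason` query parameter are assumptions, and the example assumes `event.user.last_password_reset` reflects the change by the time the flow resumes.

```javascript
// Added example. NOTICE_URL is a hypothetical page you host; it explains the
// expiry and then sends the user on to the password change ticket URL.
const NOTICE_URL = 'https://app.example.com/password-expired';
const MAX_AGE_DAYS = 30; // the threshold used by the example discussed in the thread

// Whole days since the last password change. Users who have never changed
// their password fall back to the account creation date.
function passwordAgeDays(user, now = new Date()) {
  const changed = new Date(user.last_password_reset || user.created_at);
  return Math.floor((now - changed) / 86400000);
}

async function onExecutePostLogin(event, api) {
  if (passwordAgeDays(event.user) <= MAX_AGE_DAYS) return;
  // Auth0 appends ?state=... to this URL itself. The notice page must keep
  // that value and pass it back unchanged when it returns to /continue.
  api.redirect.sendUserTo(NOTICE_URL, {
    query: { reason: 'password_expired', max_age_days: String(MAX_AGE_DAYS) },
  });
}

// Runs when the browser comes back to https://{yourAuth0Domain}/continue?state=...
async function onContinuePostLogin(event, api) {
  // Do not trust the return trip on its own: anyone holding the state value
  // can request /continue directly, so enforce the policy again here.
  if (passwordAgeDays(event.user) > MAX_AGE_DAYS) {
    api.access.deny('Password change required before login can complete.');
  }
}

// Auth0 Actions load the handlers from `exports`.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onContinuePostLogin = onContinuePostLogin;
}
```

Keep the query parameters limited to non-sensitive hints such as the reason code, since they are visible in the browser URL.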