Unable to reset password via Management API

I’ve been following Change Users' Passwords but keep getting a 400 error:

"{\"statusCode\":400,\"error\":\"Bad Request\",\"message\":\"The connection does not exist.\",\"errorCode\":\"inexistent_connection\"}"

My request is as follows:

"{\"password\":\"a1! xxxxxxx\",\"connection\":\"Username-Password-Authentication-Custom\"}"

and the connection ‘Username-Password-Authentication-Custom’ exists and is enabled for this application.
The client ID and client secret for this application are used to fetch the bearer token before this call, and that returns a valid token.

This is the calling code for password reset. _domain matches the Domain value for the application.

using System.Net.Http;
using System.Net.Http.Headers;
using Newtonsoft.Json;

// Sends PATCH /api/v2/users/auth0|{userId} to the Management API.
// `data` is the object serialized as the request body shown above (password + connection);
// `userId` is the part of the user_id after the "auth0|" prefix.
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Accept.Clear();
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
client.DefaultRequestHeaders.Add("Authorization", "Bearer " + await GetAuth0ManagementToken());

string json = JsonConvert.SerializeObject(data);
string url = $"https://{_domain}/api/v2/users/auth0|{userId}";

// HttpClient has no built-in PATCH helper in older frameworks, hence the explicit HttpMethod.
var resp = await client.SendAsync(new HttpRequestMessage(new HttpMethod("PATCH"), url)
{
	Content = new StringContent(json, System.Text.Encoding.UTF8, "application/json")
});

Further to this…

If I leave out the connection, it works, but updates the wrong connection
(which is not what the docs say: “If you are updating email_verified, phone_verified, username or password you need to specify the connection property too.” - Auth0 Management API v2).

If I specify the wrong connection by name it works.

Given the above, I assume my scopes are correct for updating a password.

I’ve verified the client is enabled in the connection I want to use as get Connections (using Postman with the same mgmt token) includes:

"name": "Username-Password-Authentication-Custom",
"enabled_clients": [ "ZSu2I00dbI0...",  ] // the client in my management token request

I also tried the password update using the Postman client, and got the same result.

I’m running out of ideas here, so some suggestions would be appreciated.

Ok - so overall I’ve come to establish that the way our account has been set up is unwise (fwiw - it was set up before I was with the org). We’ve essentially got two connections both returning user_ids of type auth0|xxx, which makes no sense if the word connection is replaced with identity provider. I’m fixing this by creating a new tenant and migrating users (harder than it sounds, especially for fields like given_name).

But as a note to auth0 - I appreciate this is poorly set up, but there’s not much in the API itself that enforces this or even points a dev towards that. For instance, if a connection really is synonymous with an IdP then could creating a user with the same user_id (even from a different connection) fail? I don’t know if there are scenarios where that would be legit - if so even some kind of warning in the logs?

Aarg… but the nightmare continues.

I can’t import the users into the new tenant because their emails exist.
But I can’t change their emails because calls to UpdateAsync with Connection = “Username-Password-Authentication-Custom” return “The connection does not exist”.

Auth0 - your docs say “If you are updating email or phone_number you need to specify the connection and the client_id properties.” With that information why can’t they find the right user?
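One way to take the guesswork out of the connection name, as an added example that is neither the poster's code nor Auth0's SDK: read the user record first (GET /api/v2/users/{id}) and derive the connection from the identity whose provider|user_id equals the top-level user_id, refusing to build the PATCH when that lookup is not unambiguous. The sample response, domain and token below are constructed for the example.

```python
import json
from urllib.parse import quote

# Constructed sample of a GET /api/v2/users/{id} response, trimmed to the
# fields used here. The user lives in the database connection named in the
# thread; a linked social identity is included to show that only the primary
# identity decides which connection the PATCH must name.
SAMPLE_USER = {
    "user_id": "auth0|5f0000000000000000000001",
    "email": "user@example.com",
    "identities": [
        {"connection": "Username-Password-Authentication-Custom",
         "provider": "auth0", "user_id": "5f0000000000000000000001",
         "isSocial": False},
        {"connection": "google-oauth2", "provider": "google-oauth2",
         "user_id": "1234567890", "isSocial": True},
    ],
}


def connection_for_user(user: dict) -> str:
    """Name of the connection that owns the user's primary identity.

    The primary identity is the one whose "<provider>|<user_id>" equals the
    top-level user_id. Anything other than exactly one match raises, so the
    caller never falls back to guessing a connection name.
    """
    primary = user["user_id"]
    matches = [i["connection"] for i in user.get("identities", [])
               if f"{i['provider']}|{i['user_id']}" == primary]
    if len(matches) != 1:
        raise ValueError(f"cannot determine connection for {primary}: {matches}")
    return matches[0]


def build_password_patch(domain: str, token: str, user: dict, new_password: str) -> dict:
    """Assemble the PATCH /api/v2/users/{id} request without sending it.

    The user_id is percent-encoded ("auth0|" becomes "auth0%7C") and the body
    carries the connection the docs require alongside the password.
    """
    body = {"password": new_password, "connection": connection_for_user(user)}
    return {
        "method": "PATCH",
        "url": f"https://{domain}/api/v2/users/{quote(user['user_id'], safe='')}",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps(body),
    }
```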

Hey there!

Sorry for such a delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for the inconvenience!

Do you still require further assistance from us?