Hi @phuong.le ,
I further checked that I realized that the change password script will fire once a user click on the confirmation link. Thus, you will not see any logs from the consol.log prints, as the user is not getting the link.
But it doesn’t mean the script is not validated at the moment of sending the request to
https://subdomain.auth0.com/dbconnections/change_password?client_id=iALd....VR89&email=m.....ka@okta.com&connection=t...d
(I received 400 error code when calling the above URL while not having the appropriate custom database script set on my auth0 tenant).
I noticed that the ‘Change Password’ script for your custom database intends to send a new password plainly (without hashing it first).
Could you please verify if your custom database endpoint, which is responsible for receiving the new passwords, accepts plain text? Maybe you need to hash it first (and implement hashing similar to what is suggested in our example Change Password script in this doc)?