Updating user email breaks auth0-angular user session tokens

We have an Angular app using v1.4.1 of auth0-angular (I'll be upgrading this week to the latest). We can create a user and log in as a user just fine. There is, however, no way to edit user profile attributes like name, nickname, given_name, family_name, or even email address.

I created a simple API endpoint to securely send requests to update this information and pass them off to the Auth0 management API. If I want to update given_name or family_name it works fine. However, the problem comes when I try to update an email address.

Example: I'm logged in, and I update the given_name to “John”. I refresh the page; the session tokens that the auth0-angular library uses recognize me as being authenticated, the page loads, and the name “John” shows in our NGRX state store. I change it again to “James”, do the same thing, and the change is again present in NGRX. Working as expected.

However, if I try to pass an email address to the management API on a user update and then refresh the page to see if the change took, the token now seems to be invalid, and I am forced to log in again. Is there no way to change the email address without expiring existing tokens and breaking the user experience?

Hi @openbridge-james and welcome to the community!

When you refresh the page of your Angular app, by default the tokens are lost due to the in-memory storage being reset. Because of this, Angular does a silent auth request to fetch new tokens. In order for the silent auth request to succeed, there needs to be a valid Auth0 session cookie. When you change the user’s name, the session cookie is not invalidated, and therefore a new ID token is returned. However, when you change the user’s email, the Auth0 session is invalidated, and the user needs to re-auth. From what I understand, this is by design for security reasons.

So tl;dr no, there is no way to maintain this Auth0 session through a change in email address.

However, if you are simply using the access token to call an API, keep in mind the access token does not expire; it is simply removed on refresh. Therefore, you could continue to use that access token even after the email is updated, so long as the user does not refresh the app.

I hope that helps and I’m sorry there is no good way to resolve this. Please let me know if you have further questions.
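As an added example that is not part of either post above, here is how the backend endpoint the question describes can forward a self-service profile update to the Auth0 Management API (PATCH /api/v2/users/{id}) while handling the two points raised in this thread: only the caller's own record may be updated, and an email change is flagged so the client knows it must send the user back through login. It is a Node.js function rather than a full Express route; it assumes that an upstream middleware has already verified the caller's access token and exposed its `sub` claim, that the Management API token and tenant domain are supplied by the caller, and that the target is a database connection (the Management API asks for the connection name alongside an email change; treat that as an assumption to check against the current API docs for your connection type). The `fetch` implementation is injectable, and `fakeManagementApi` is a constructed stand-in so the flow runs offline.

```javascript
"use strict";

// Profile fields a user may edit on their own record; anything else is dropped.
const ALLOWED_FIELDS = ["name", "nickname", "given_name", "family_name", "email"];

// Build the Management API request for a self-service profile update.
// Returns { request, reauthRequired }; throws on authorization or input errors.
// callerSub: `sub` claim from the caller's verified access token (assumed
// verified upstream); targetUserId: user id from the route.
function buildProfilePatch({ domain, mgmtToken, callerSub, targetUserId, changes, connection }) {
  // Least privilege: the endpoint holds a Management API token that can edit
  // any user, so it must pin the target to the caller's own identity.
  if (!callerSub || callerSub !== targetUserId) {
    throw new Error("forbidden: callers may only update their own profile");
  }

  // Allow-list the body so a caller cannot smuggle in app_metadata, roles, etc.
  const patch = {};
  for (const key of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(changes, key)) patch[key] = changes[key];
  }
  if (Object.keys(patch).length === 0) {
    throw new Error("bad request: no updatable fields supplied");
  }

  // An email change invalidates the Auth0 session (see the answer above), so
  // the client must be told to run loginWithRedirect() after this call.
  const reauthRequired = Object.prototype.hasOwnProperty.call(patch, "email");
  if (reauthRequired) {
    // Assumption: database connection; the API expects the connection name
    // when the email address is changed.
    if (!connection) {
      throw new Error("bad request: connection is required when changing email");
    }
    patch.connection = connection;
  }

  return {
    reauthRequired,
    request: {
      url: `https://${domain}/api/v2/users/${encodeURIComponent(targetUserId)}`,
      method: "PATCH",
      headers: {
        Authorization: `Bearer ${mgmtToken}`,
        "Content-Type": "application/json",
      },
      body: JSON.stringify(patch),
    },
  };
}

// Send the patch. `fetchImpl` is injectable so the call can be exercised offline.
async function updateProfile(params, fetchImpl = globalThis.fetch) {
  const { request, reauthRequired } = buildProfilePatch(params);
  const res = await fetchImpl(request.url, {
    method: request.method,
    headers: request.headers,
    body: request.body,
  });
  if (!res.ok) {
    throw new Error(`management api error: ${res.status}`);
  }
  const user = await res.json();
  // The client uses reauthRequired to decide whether to force a fresh login.
  return { user, reauthRequired };
}

// Constructed stand-in for the Management API (not Auth0's real behaviour):
// echoes the patched fields back as the updated user record.
function fakeManagementApi(url, init) {
  const patched = JSON.parse(init.body);
  const userId = decodeURIComponent(url.split("/").pop());
  return Promise.resolve({
    ok: true,
    status: 200,
    json: async () => ({ user_id: userId, ...patched }),
  });
}
```

On the Angular side, when the response carries `reauthRequired: true`, call `loginWithRedirect()` right away rather than waiting for the next page refresh to fail silent auth; the user then re-authenticates once, at a moment the UI can explain, instead of being bounced out unexpectedly later.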