
User creation through the Management API does not respond with detailed error messages for invalid passwords

authentication_api
management-api
password
password-strength
password-policy

#1

Situation: user enters a weak password that fails the defined password policy.
Compare the API response from the Management API:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "PasswordStrengthError: Password is too weak",
  "errorCode": "auth0_idp_error"
}

to the API response from the Authentication API:

{
    "name": "PasswordStrengthError",
    "message": "Password is too weak",
    "code": "invalid_password",
    "description": {
        "rules": [
            {
                "message": "At least %d characters in length",
                "format": [
                    8
                ],
                "code": "lengthAtLeast",
                "verified": true
            },
            {
                "message": "Should contain:",
                "code": "shouldContain",
                "verified": false,
                "items": [
                    {
                        "message": "lower case letters (a-z)",
                        "code": "lowerCase",
                        "verified": true
                    },
                    {
                        "message": "upper case letters (A-Z)",
                        "code": "upperCase",
                        "verified": false
                    },
                    {
                        "message": "numbers (i.e. 0-9)",
                        "code": "numbers",
                        "verified": false
                    }
                ]
            }
        ],
        "verified": false
    },
    "policy": "* At least 8 characters in length\n* Should contain:\n * lower case letters (a-z)\n * upper case letters (A-Z)\n * numbers (i.e. 0-9)",
    "statusCode": 400
}

I have no idea why the Management API provides almost no useful information. I actually need to use the Management API because it is the only way I can create a user while bypassing email validation (setting email_verified: true in the user creation request).

Please fix this.
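The practical consequence of the two response shapes above is that a signup form has to handle both: the Authentication API's structured `description.rules` tree can be walked to tell the user exactly which rules failed, while the Management API's flat `PasswordStrengthError: Password is too weak` message can only be classified and paired with policy text the application already knows. The following is an added example, not code from the original post or from Auth0; the two sample bodies are copied from the post, and `explainPasswordError`, `collectFailedRules` and the optional `fallbackPolicy` argument are names chosen here.

```javascript
// Added example: normalize both Auth0 password-strength error shapes into a
// list of failed rules a signup form can display. The sample bodies are the
// two responses quoted in the post above.

const AUTH_API_ERROR = {
  name: "PasswordStrengthError",
  message: "Password is too weak",
  code: "invalid_password",
  description: {
    rules: [
      { message: "At least %d characters in length", format: [8], code: "lengthAtLeast", verified: true },
      {
        message: "Should contain:", code: "shouldContain", verified: false,
        items: [
          { message: "lower case letters (a-z)", code: "lowerCase", verified: true },
          { message: "upper case letters (A-Z)", code: "upperCase", verified: false },
          { message: "numbers (i.e. 0-9)", code: "numbers", verified: false },
        ],
      },
    ],
    verified: false,
  },
  policy: "* At least 8 characters in length\n* Should contain:\n * lower case letters (a-z)\n * upper case letters (A-Z)\n * numbers (i.e. 0-9)",
  statusCode: 400,
};

const MGMT_API_ERROR = {
  statusCode: 400,
  error: "Bad Request",
  message: "PasswordStrengthError: Password is too weak",
  errorCode: "auth0_idp_error",
};

// Substitute printf-style placeholders ("%d", "%s") in a rule message with the
// values carried in its "format" array, left to right.
function expandMessage(rule) {
  const values = Array.isArray(rule.format) ? rule.format : [];
  let next = 0;
  return rule.message.replace(/%[ds]/g, () => String(values[next++] ?? ""));
}

// Walk the rule tree and return only the rules (or sub-items) that were not
// satisfied. Group rules such as "Should contain:" contribute their unmet
// items, prefixed with the group message.
function collectFailedRules(rules, prefix = "") {
  const failed = [];
  for (const rule of rules) {
    if (rule.verified) continue;
    if (Array.isArray(rule.items)) {
      failed.push(...collectFailedRules(rule.items, prefix + expandMessage(rule) + " "));
    } else {
      failed.push(prefix + expandMessage(rule));
    }
  }
  return failed;
}

// Classify a 400 body from either API. Returns null when the body is not a
// password-strength error at all. fallbackPolicy (assumed, not an Auth0
// field) lets the caller supply its own tenant policy text for the
// Management API case, where the response carries none.
function explainPasswordError(body, fallbackPolicy = null) {
  if (!body || body.statusCode !== 400) return null;

  // Authentication API: structured rule tree plus a human-readable policy.
  if (body.code === "invalid_password" && body.description && Array.isArray(body.description.rules)) {
    return {
      detailed: true,
      failedRules: collectFailedRules(body.description.rules),
      policy: body.policy ?? fallbackPolicy,
    };
  }

  // Management API: only a flat message; all we can do is recognize it.
  if (typeof body.message === "string" && body.message.startsWith("PasswordStrengthError")) {
    return { detailed: false, failedRules: [], policy: fallbackPolicy };
  }

  return null;
}

console.log(explainPasswordError(AUTH_API_ERROR));
console.log(explainPasswordError(MGMT_API_ERROR, "(tenant policy text goes here)"));
```

For the Authentication API body this yields the two unmet sub-items of "Should contain:" and the policy string; for the Management API body it yields `detailed: false` and whatever policy text the caller passed in, which is the only way to give the user actionable feedback until the Management API returns the same rule tree.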


#2

I have submitted this request to our engineering team to review. Note, we cannot commit to whether this will be implemented, or any ETA.

