
Will user password update check if new password complies with password rules?



I am trying to create a page in a Regular Web Application to ask the user to reset his/her password. The following are my questions:

  1. I presume I need to create my own page for this and there is no hosted page for this.
  2. If yes, I believe I need to use the Management API (!/Users/patch_users_by_id) to update the password.
  3. If yes, will the patch command check if the new password complies with the password policy?


The Management API v2 PATCH Users endpoint does check if the new password complies with the password policy, and will respond with a 400 if the new password does not meet the password policy:

  {
    "statusCode": 400,
    "error": "Bad Request",
    "message": "PasswordStrengthError: Password is too weak"
  }

In saying that, we recommend using our built-in password reset flow, which uses the Auth0 hosted password reset page:


Thanks @prashant. If I use then it sends an email reset link. However, we want the user to reset the password immediately. How do I enable the hosted page to be shown? (I have customized in the “Hosted Pages” section).


Correct, that is how our Change Password flow works. This takes into account security considerations, and greatly reduces the risk of malicious users resetting the password of another user (which can happen if you allow the password to be reset immediately). We do not recommend allowing users to reset passwords immediately - I highly recommend using our Change Password flow.


Thanks @prashant. I will reevaluate our requirements based on your suggestion.
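
An added example, not part of the thread and not Auth0's code: one way a backend could build the PATCH request described in the first reply and tell the `PasswordStrengthError` 400 apart from other failures, so only the policy rejection is shown to the user. The function names, the `connection` field in the body, and the tenant, user id and token values are assumptions made for this example.

```python
import json
from urllib.parse import quote

# Constructed sample: the 400 body quoted in the thread, as one JSON document.
SAMPLE_400 = ('{"statusCode": 400, "error": "Bad Request", '
              '"message": "PasswordStrengthError: Password is too weak"}')


def build_password_patch(domain, user_id, token, new_password, connection):
    """Build the PATCH /api/v2/users/{id} request without sending it."""
    # User ids such as "auth0|abc123" contain "|", so percent-encode the path part.
    url = f"https://{domain}/api/v2/users/{quote(user_id, safe='')}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    # Assumption: the database connection name is sent along with the password.
    body = json.dumps({"password": new_password, "connection": connection})
    return "PATCH", url, headers, body


def interpret_patch_response(status, raw_body):
    """Turn the API's reply into something the reset page can act on."""
    if 200 <= status < 300:
        return {"ok": True, "user_error": None, "internal": None}
    try:
        payload = json.loads(raw_body)
    except (TypeError, ValueError):
        payload = None  # e.g. an HTML error page from a proxy
    message = payload.get("message") if isinstance(payload, dict) else None
    message = message if isinstance(message, str) else ""
    if status == 400 and message.startswith("PasswordStrengthError"):
        # Policy rejection: safe to show, and the user can simply retry.
        return {"ok": False, "internal": None,
                "user_error": "The new password does not meet the password policy."}
    # Anything else (bad token, unknown user, outage) is logged, not shown.
    return {"ok": False, "user_error": None,
            "internal": f"{status}: {message or 'unexpected response'}"}


if __name__ == "__main__":
    print(build_password_patch("tenant.example.com", "auth0|abc123",
                               "MGMT_API_TOKEN", "correct horse battery",
                               "Username-Password-Authentication")[1])
    print(interpret_patch_response(400, SAMPLE_400))
```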