Auth0 force password reset after first login

Shanaka Sandanayaka
4 min read · Dec 11, 2022


Recently I had an opportunity to work with Auth0, one of the leading cloud-based IAM solutions, which is owned by Okta. While evaluating it I found that, by following the documentation and using the Auth0 SDKs, it is really easy for developers to integrate their applications. Even though it is a leading solution with many wonderful features, I found that one very common requirement is missing.

It is common for an end user to be forced to change their password on their initial login, especially when the account was created by an administrator. For example, when you join a new company, the IT department creates an account for you and sends a temporary password that must be changed on your first login. Most IAM solutions support this scenario, but Auth0 does not offer it out of the box.

However, thanks to Auth0 Actions you can customise the product's behaviour by writing extensions, including ones that work with external systems. Actions are written in JavaScript, and the Auth0 documentation provides a solid foundation for understanding them.

The suggested approach for changing the password on the initial login works as follows.

  1. When creating the user, save an attribute in user_metadata (or app_metadata) that records whether the user must change the password on the initial login (here, isResetPasswordOnFirstLogin).
  2. In the Login flow, add a post-login Action that checks whether that flag is set.
  3. If it is, redirect the user to a separate website for changing the password. That site calls the Auth0 Management API to update the user's password and clear the flag, then redirects back to Auth0 to continue the login flow.
  4. From the next login onward, the user must use the new password.
Flow

My sample implementation has three main parts.

  1. An Auth0 Action that checks the flag and sets the necessary user metadata.
  2. A simple ReactJS frontend application for changing the password.
  3. A Spring Boot app that calls the Auth0 Management API to validate the request and update the user's password.

Auth0 Action

The Action first checks whether the isResetPasswordOnFirstLogin flag exists and is true. If it does, the Action generates a UUID, stores its hash together with a creation timestamp in user_metadata, and redirects the user to the change-password website. Only the hash is persisted; the raw UUID travels with the user, so the backend can verify it later without the secret ever sitting in the user profile. Auth0 Actions support redirecting the user to a third-party application and resuming the flow after the callback, and they can pass data to that application in the form of a JWT. Because Actions are JavaScript, it is also possible to install npm packages, which comes in handy when developing custom flows.

Assign this as a post-login Action.

ReactJS Frontend Application to change password

This is a really simple web application that lets the user enter a new password and calls the backend to update the user with it.

Once the backend has updated the password, the app redirects the user back to Auth0's /continue endpoint. This redirect must carry the state parameter that Auth0 appended to the original redirect URL, because that is what identifies which login transaction the callback belongs to.

Please note that I did not use any CSS or validation here. Before moving this solution into a real-world scenario, the frontend needs input validation and all the usual security measures.

Spring-boot Application

This holds all the business logic: it validates the password-reset hash and the new password, and if everything looks good it updates the user with the new password and reverts the user_metadata the Auth0 Action set initially. It uses the Auth0 Java SDK, which is really easy to use. An application.yaml file holds the credentials and URLs needed to connect to the Auth0 Management API. Again, this app needs all the necessary security measures before it can be called bulletproof: the reset hash should be compared in constant time, the token should expire after a short window and be consumed on first use, the new password should be checked against a policy, and the Management API credentials must never leave the server.

Demo

I have attached the sample code on GitHub; feel free to refer to it.

There are several ways to address this scenario. One common answer found online is to create a password-reset ticket alongside the user creation, but that confuses users with multiple e-mails and does not make for a pleasant onboarding experience. Also, since Auth0 does not currently offer a user self-service portal, it is common to implement a UI for managing users; this feature can be packed into that UI, which is much more convenient to manage.

Happy coding…..!
