auth0/auth0-java

ManagementAPI password validation - no details

majugurci opened this issue · 3 comments

Description

I have the following situation. Only application administrators can add new users. So I have disabled signups in database connection.

Users are created through web app form -> java server -> auth0 server. For this I'm using ManagementAPI (as shown here in example). It works ok, users are added, validations are run. But there is a problem with password strength validation. It is working, but we cannot know which of the conditions have failed. Auth0API only throws APIException with the following message: "Request failed with status code 400: PasswordStrengthError: Password is too weak".

I have tried using AuthAPI to create users as shown in example but it gives me the following error: "Request failed with status code 400: public signup is disabled". I guess this is expected since we have disabled signups in database connection. Just for the test I have enabled signups and the API is giving appropriate error messages, e.g.: "Request failed with status code 400: Contain at least 3 of the following 4 types of characters: lower case letters (a-z), upper case letters (A-Z), numbers (i.e. 0-9), special characters (e.g. !@#$%^&*)". Using exception.getValue("description") I can get which conditions have failed.

I would expect that ManagementAPI also returns details about password verification, but it is not.

Reproduction

Create the user through ManagementAPI with weak password and you will not get validation details, only generic message. example

Create the user through AuthAPI and validation details will be nicely returned. example

Environment

Library version: 1.20.0
Platform: Quarkus 1.7.0.Final

@majugurci thanks for the detailed writeup.
First, let me clarify that what you're seeing when using the AuthAPI is the correct behavior. If the sign up is disabled on the connection, the Auth API will NOT let you sign up new users to that connection/realm. The details of the password complexity, when present in the exception, are being handled by the SDK.

Unfortunately, I've tested and that's only available for the Authentication API. The "create user" endpoint of the Management API doesn't return the details. This is the error response, and matches what the SDK is returning to you:

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "PasswordStrengthError: Password is too weak"
}

I guess if you own that web app form and know what connection you are creating the user into, you should know what is the password policy for that database connection. If you don't, and have read access to the connections, you could pull that connection object and check the policy level before setting up and showing the form. There's a sample of the connection object here, and you can learn about the different level requirements here.

If you want to file a request for the Management API to return that information, as the Authentication API does, you can do that in the feedback form of the Auth0 customer center.

Hope that helps!
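The two things discussed in this thread, reading the failed-condition text out of the APIException when it is present and pulling the database connection's password policy from the Management API when it is not, as an added example in Java. This is not code from the auth0-java project or from either participant; the connection id, the `passwordPolicy` options key and the way the policy string is surfaced are assumptions, and the API calls are the SDK's public ones as of the 1.x line.

```java
import java.util.Map;

import com.auth0.client.mgmt.ManagementAPI;
import com.auth0.client.mgmt.filter.ConnectionFilter;
import com.auth0.exception.APIException;
import com.auth0.exception.Auth0Exception;
import com.auth0.json.mgmt.Connection;
import com.auth0.json.mgmt.users.User;

public class UserCreation {

    // Extract whatever detail the error response carries. For a weak password the
    // Authentication API's signup error populates "description" with the failed
    // conditions; the Management API's create-user error only carries the generic
    // "PasswordStrengthError: Password is too weak" message, so "description" is null.
    public static String explain(APIException e) {
        Object description = e.getValue("description");
        if (description != null) {
            return description.toString();
        }
        // Fall back to the generic message plus the HTTP status so the caller can still log it.
        return e.getStatusCode() + ": " + e.getDescription();
    }

    // Create a user in a database connection through the Management API and return
    // null on success or the best available explanation on failure.
    public static String createUser(ManagementAPI mgmt, String connectionName,
                                    String email, char[] password) throws Auth0Exception {
        User user = new User(connectionName);
        user.setEmail(email);
        user.setPassword(password);
        try {
            mgmt.users().create(user).execute();
            return null;
        } catch (APIException e) {
            return explain(e);
        }
    }

    // Fetch the connection object and read its password policy level so the form can
    // be built from the tenant's current setting instead of a copy of the rules.
    // Assumption: the policy lives under options.passwordPolicy ("none", "low",
    // "fair", "good", "excellent"); the id is a placeholder supplied by the caller.
    public static String passwordPolicy(ManagementAPI mgmt, String connectionId) throws Auth0Exception {
        ConnectionFilter onlyOptions = new ConnectionFilter().withFields("options", true);
        Connection connection = mgmt.connections().get(connectionId, onlyOptions).execute();
        Map<String, Object> options = connection.getOptions();
        Object policy = options == null ? null : options.get("passwordPolicy");
        return policy == null ? "none" : policy.toString();
    }

    public static void main(String[] args) throws Auth0Exception {
        // Placeholders: a real domain and a Management API token with read:connections
        // and create:users scopes are required.
        ManagementAPI mgmt = new ManagementAPI("YOUR_DOMAIN.auth0.com", "MGMT_API_TOKEN");
        System.out.println("policy: " + passwordPolicy(mgmt, "con_PLACEHOLDER"));
        String problem = createUser(mgmt, "Username-Password-Authentication",
                                    "new.user@example.com", "weak".toCharArray());
        System.out.println(problem == null ? "created" : "rejected: " + problem);
    }
}
```

The token used for `passwordPolicy` needs only `read:connections`; keep it separate from the one that creates users so the form-building path never holds a write-capable credential.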

Hi,

We know the password policy, but it doesn't make sense to re-implement it as we never know if implementation details would change some day (e.g. some character is considered special or not).

Since the signup form is in a react app I have found that Auth0's Lock is using a library called password sheriff. Currently I'm using it to check password requirements. It gives a nice explanation if there is something wrong with the password. It's only client side but it's better than telling the user that the password does not match the criteria without an explanation.

I could not find the feedback form at the provided link so I have sent a request here.

I agree it should be dynamically obtained. I'm not familiar with password-sheriff nor the level of support of that library. But if you ever run into trouble, you can always pull the connection object using the management API if you need to. I'll close this issue now. Thanks for submitting the product feedback.