Password change deletes sessions?
-
I can't find it documented anywhere, but changing a user's password seems to delete all of their sessions. This makes sense, but is there a way to change the password while keeping the user logged in?
Details: I initially create users with a random and immediately forgotten password (since password is a required field), and have them log in the first time with a passwordless login code I email them. Once they're logged in, I allow them to set their initial password via my application server, which uses PATCH /api/user/{userId} with an API key. This seems to invalidate the user's refresh token, which I'd like to avoid. Perhaps there's a way to change the user's password with their own access token that doesn't delete that session? Alternatively, I could have the server perform a login using the new password and return new tokens, but it would be nice to avoid that complexity.
-
@trevorr Hiya!
It is a setting on the tenant, the Refresh token revocation field. It's documented here: https://fusionauth.io/docs/v1/tech/core-concepts/tenants#refresh-token-settings (look for a couple of checkboxes, and uncheck 'on password change'). There's a corresponding setting in the Tenant APIs (https://fusionauth.io/docs/v1/tech/apis/tenants): tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged
Thanks for using FusionAuth. Hope FitFinder is going well!
-
@dan Thanks!
For some reason, Google doesn't show either of those pages for "fusionauth password change revoke refresh token". However, it does now show this one, so hopefully that will help others.
I got the "re-login after password change" approach working pretty easily, so I'll stick with that for now for tighter security, but it's good to know I can turn that off if necessary.
If possible in the future, it would be great to be able to control that per-password change. It's the right behavior for changing a potentially compromised password, but not for setting an initial password. Of course, my app could also revoke the refresh tokens explicitly.
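The two knobs discussed above, the tenant-wide refreshTokenRevocationPolicy.onPasswordChanged setting from the reply and the explicit per-change revocation idea from this post, as an added example that is not part of the thread and not FusionAuth's or the poster's code. It builds the requests as plain data so they can be inspected without a server, and a small sender performs them for real. Assumptions: the PATCH /api/tenant/{tenantId} body shape, the {"user": {"password": ...}} body for PATCH /api/user/{userId}, and the DELETE /api/jwt/refresh?userId= revocation endpoint are taken from the FusionAuth API docs rather than from this page; the URL, API key, tenant id and user id are placeholders.

```python
"""Added example (not FusionAuth's own code or the poster's): request builders for
the tenant refresh-token revocation policy and for a per-change decision on whether
a password change should also revoke the user's refresh tokens."""
import json
import urllib.request

# Placeholders, not real values; replace before use.
FUSIONAUTH_URL = "http://localhost:9011"
API_KEY = "REPLACE_WITH_API_KEY"


def build_tenant_refresh_policy_patch(tenant_id, revoke_on_password_change):
    """Tenant API PATCH (assumed shape, per the FusionAuth Tenant API docs) that sets
    tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged, the field
    named in the thread. False keeps sessions alive across password changes.
    Returns (method, path, body)."""
    body = {
        "tenant": {
            "jwtConfiguration": {
                "refreshTokenRevocationPolicy": {
                    "onPasswordChanged": revoke_on_password_change
                }
            }
        }
    }
    return ("PATCH", f"/api/tenant/{tenant_id}", body)


def plan_password_change(user_id, new_password, *, compromised):
    """With the tenant setting turned off, the application decides per change:
    keep the session for an initial password set, revoke every refresh token
    when the old password may have been compromised. Returns the ordered list
    of (method, path, body) requests to send."""
    plan = [("PATCH", f"/api/user/{user_id}", {"user": {"password": new_password}})]
    if compromised:
        # JWT API revoke-refresh-tokens call (assumed from the FusionAuth docs):
        # explicit revocation of all of this user's refresh tokens.
        plan.append(("DELETE", f"/api/jwt/refresh?userId={user_id}", None))
    return plan


def send(method, path, body):
    """Perform one planned request against FusionAuth using the API key header.
    Returns the HTTP status code."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        FUSIONAUTH_URL + path,
        data=data,
        method=method,
        headers={"Authorization": API_KEY, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample ids; shows the plans without contacting a server.
    print(build_tenant_refresh_policy_patch("sample-tenant-id", False))
    print(plan_password_change("sample-user-id", "new-pw", compromised=False))
    print(plan_password_change("sample-user-id", "new-pw", compromised=True))
```

Turning the tenant setting off trades one automatic control for an application-level one, so the compromised-password path must call the explicit revocation or sessions survive a reset; the planner above makes that decision visible in one place.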
-
@trevorr said in Password change deletes sessions?:
If possible in the future, it would be great to be able to control that per-password change. It's the right behavior for changing a potentially compromised password, but not for setting an initial password. Of course, my app could also revoke the refresh tokens explicitly.
Makes sense. Please feel free to open a GitHub issue outlining your use case: https://github.com/fusionauth/fusionauth-issues/issues