FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Password change deletes sessions?

    Scheduled Pinned Locked Moved Solved
    Q&A
    2
    4
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      trevorr
      last edited by

      I can't find it documented anywhere, but changing a user's password seems to delete all of their sessions. This makes sense, but is there a way to change the password while keeping the user logged in?

      Details: I initially create users with a random and immediately forgotten password (since password is a required field), and have them log in the first time with a passwordless login code I email them. Once they're logged in, I allow them to set their initial password via my application server, which uses PATCH /api/user/{userId} with an API key. This seems to invalidate the user's refresh token, which I'd like to avoid. Perhaps there's a way to change the user's password with their own access token that doesn't delete that session? Alternatively, I could have the server perform a login using the new password and return new tokens, but it would be nice to avoid that complexity.

      danD 1 Reply Last reply Reply Quote 0
      • danD
        dan @trevorr
        last edited by

        @trevorr Hiya!

        It is a setting on the tenant, the Refresh token revocation field.

        It's documented here: https://fusionauth.io/docs/v1/tech/core-concepts/tenants#refresh-token-settings (look for a couple of checkboxes, and uncheck 'on password change'. There's a corresponding setting in the Tenant APIs: https://fusionauth.io/docs/v1/tech/apis/tenants : tenant.jwtConfiguration.refreshTokenRevocationPolicy.onPasswordChanged.

        Thanks for using FusionAuth. Hope FitFinder is going well!

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        T 1 Reply Last reply Reply Quote 0
        • T trevorr has marked this topic as solved on
        • T
          trevorr @dan
          last edited by

          @dan Thanks!

          For some reason, Google doesn't show either of those pages for "fusionauth password change revoke refresh token". However, it does now show this one, so hopefully that will help others.

          I got the "re-login after password change" approach working pretty easily, so I'll stick with that for now for tighter security, but it's good to know I can turn that off if necessary.

          If possible in the future, it would be great to be able to control that per-password change. It's the right behavior for changing a potentially compromised password, but not for setting an initial password. Of course, my app could also revoke the refresh tokens explicitly.

          danD 1 Reply Last reply Reply Quote 0
          • danD
            dan @trevorr
            last edited by

            @trevorr said in Password change deletes sessions?:

            If possible in the future, it would be great to be able to control that per-password change. It's the right behavior for changing a potentially compromised password, but not for setting an initial password. Of course, my app could also revoke the refresh tokens explicitly.

            Makes sense. Please feel free to open an GitHub issue outlining your use case: https://github.com/fusionauth/fusionauth-issues/issues

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            1 Reply Last reply Reply Quote 0
            • First post
              Last post