Learn about Password Reset Post Challenge Actions, which run after a user completes the first challenge during the password reset journey but before they set a new password.
The post-challenge trigger runs during the password reset process after a user completes the first challenge, typically a link to the user’s email, but before a new password is set. Use this trigger to challenge a user with an additional (MFA) factor or to redirect the user to an external site, such as a third-party verifier. After verification, users can provide the new password for their account. You can create up to four Actions in your tenant that leverage the post-challenge trigger.
Actions in this flow are blocking (synchronous): they execute as part of the trigger’s process and prevent the rest of the Auth0 pipeline from running until the Action completes.
In order for these Actions to run properly, you must have Universal Login enabled. These Actions cannot be triggered when using Classic Login.
A post-challenge Action can issue an MFA challenge after the user completes the first challenge. For example, you can issue a WebAuthn-based challenge as a secondary factor if your tenant has WebAuthn enabled as a factor:
/** * @param {Event} event - Details about the user resetting their password. * @param {PasswordResetPostChallengeAPI} api - Interface whose methods can be used to change the behavior of the password reset. */exports.onExecutePostChallenge = async (event, api) => { const enrolledFactors = event.user.enrolledFactors.map((x) => ({ type: x.type })); api.authentication.challengeWith({ type: 'webauthn-roaming' }, { additionalFactors: enrolledFactors });};
In addition to an MFA challenge, you can also try adding a redirect in the custom Action, for example, to a third-party verifier or risk assessor. This sample Action redirects the user to an example app, then continues the Action after the redirect to challenge the user with an MFA factor:
/** * @param {Event} event - Details about the user resetting their password. * @param {PasswordResetPostChallengeAPI} api - Interface whose methods can be used to change the behavior of the password reset. */exports.onExecutePostChallenge = async (event, api) => { // Send the user to https://my-app.example.com api.redirect.sendUserTo('https://my-app.example.com');};/** * @param {Event} event - Details about the user resetting their password. * @param {PasswordResetPostChallengeAPI} api - Interface whose methods can be used to change the behavior of the password reset. */exports.onContinuePostChallenge = async (event, api) => { const enrolledFactors = event.user.enrolledFactors.map((x) => ({ type: x.type })); // Challenge the user with email otp OR another enrolled factor api.authentication.challengeWith({ type: 'email' }, { additionalFactors: enrolledFactors }); // Example of how to challenge the user with multiple options // in this case email otp OR sms otp // api.authentication.challengeWithAny([{ type: 'email' }, { type: 'sms' }]);};
The Actions pipeline is not active while Auth0 redirects the user. Once the user continues the Auth0 login process, the Actions pipeline resumes. Actions that were executed prior to the redirect are not executed again. To learn more, read Redirect with Actions.