Sign in with an account and reset the password of another account #89

Open
Dali2579 opened this issue May 14, 2019 · 9 comments
Comments

@Dali2579

I don't know if this is a valid scenario.
I used this sample, active-directory-b2c-xamarin-native.
I created my tenant in Azure B2C.
I already have two user accounts on it, account1 and account2.
I signed in with account1 to the application.
The application displayed account1's name correctly.
I clicked on reset password.
I entered account2's email.
I got the verification code and I updated account2's password.
When I come back to the home screen, I'm getting account2's name.
What happened to account1's session? Is it logged out?
I'm not sure if this is correct behavior.

@jennyf19 (Contributor)

@Dali2579 What IdP are you using? B2C local accounts, FB, Twitter, etc.? Are the users connected at all? For example, is it the same user with two accounts?

Are you using the sample as-is? If so, I will try out what you explained above. Thanks.

@Dali2579 (Author)

I'm using a local IdP and using the example as it is.

@jennyf19 (Contributor) commented May 17, 2019

@Dali2579 Thanks... I'll take a look.

@jennyf19 (Contributor)

@Dali2579 Which IdP are you using?

@Dali2579 (Author)

@jennyf19 I'm only using B2C local account.

@TiagoBrenck commented Jun 17, 2019

@Dali2579 @jennyf19 I believe this is not an issue. The reset password flow is: type an email, then access that email (it proves that you have control of that email), then we will reset the PW for you. If you type my email, you won't be able to reset my PW, because you don't have control over my email. This reset password flow is actually found in many places and apps out there, and if you type someone else's email, they will indeed get an email with a link or code, but since they didn't ask for a PW reset, they would probably ignore it.

IMHO, I don't think this is an issue.
For reference: https://auth0.com/learn/password-reset/

@Dali2579 (Author)

@TiagoBrenck Yes, I agree with your analysis. My question was not about the reset password workflow. My question was about connecting as account1 and, from this session, resetting the password of account2; after the end of the password reset we need to stay connected to account1.
Below are the steps with screenshots:
I signed in with account1 to the application.
[screenshot]
The application displayed account1's name correctly.
[screenshot]
I clicked on reset password.
I entered account2's email.
[screenshot]
I got the verification code and I updated account2's password.
[screenshot]
Update account2's password.
[screenshot]
When I come back to the home screen, I'm getting account2's name.
[screenshot]

As you can see, account2's name is displayed. What happened to account1's session? Is it logged out?

Thanks,
Dali
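As an added illustration of the check an app could make at the end of the steps above, not code from the active-directory-b2c-xamarin-native sample, from MSAL.NET, or from anyone in this thread: the B2C password-reset user flow returns an AuthenticationResult for whichever local account completed the reset, and an app that simply displays the latest result's account will show account2 after account1 was signed in. The helper below runs the reset flow with MSAL.NET's IPublicClientApplication, compares the returned account with the one that was signed in, and if they differ removes the reset account's tokens from the MSAL cache so the app keeps account1 as its session (the outcome asked for above; the thread itself reaches no decision on what the sample should do). It assumes that B2C formats HomeAccountId.ObjectId as "{oid}-{policy}", which is why only the leading GUID is compared; the authority string and policy names are placeholders.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not code from the active-directory-b2c-xamarin-native sample.
// It assumes an IPublicClientApplication already built for the B2C tenant (as the
// sample does) and a password-reset authority string such as
// https://{tenant}.b2clogin.com/tfp/{tenant}.onmicrosoft.com/B2C_1_reset (placeholder).
public static class PasswordResetGuard
{
    // Assumption about the B2C format: MSAL's HomeAccountId.ObjectId is "{oid}-{policy}",
    // so the same local account carries a different ObjectId under the sign-in policy
    // and under the password-reset policy. Only the leading GUID identifies the user.
    private static readonly Regex LeadingGuid =
        new Regex(@"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}", RegexOptions.Compiled);

    // True when both ObjectIds start with the same directory object id (GUID).
    public static bool SameB2CUser(string objectIdA, string objectIdB)
    {
        if (objectIdA == null || objectIdB == null) return false;
        Match a = LeadingGuid.Match(objectIdA);
        Match b = LeadingGuid.Match(objectIdB);
        if (!a.Success || !b.Success) return false;
        return string.Equals(a.Value, b.Value, StringComparison.OrdinalIgnoreCase);
    }

    // Runs the password-reset user flow and returns the account the app should treat
    // as signed in afterwards. B2C issues tokens for whichever account completed the
    // reset; if that is not the account that was signed in, the other account's tokens
    // are removed from the cache so the UI does not silently switch from account1 to account2.
    public static async Task<IAccount> ResetPasswordKeepingSessionAsync(
        IPublicClientApplication pca,
        string[] scopes,
        string passwordResetAuthority,
        IAccount signedInAccount,
        object parentActivityOrWindow)
    {
        AuthenticationResult result = await pca
            .AcquireTokenInteractive(scopes)
            .WithB2CAuthority(passwordResetAuthority)
            .WithParentActivityOrWindow(parentActivityOrWindow)
            .ExecuteAsync();

        IAccount resetAccount = result.Account;

        if (signedInAccount == null ||
            SameB2CUser(resetAccount.HomeAccountId?.ObjectId,
                        signedInAccount.HomeAccountId?.ObjectId))
        {
            // Nobody was signed in, or the signed-in user reset their own password:
            // keep the fresh tokens.
            return resetAccount;
        }

        // The reset completed for a different local account (account2 while account1
        // was signed in): drop account2's tokens so only account1 stays in the MSAL
        // cache, and tell the caller to keep showing account1.
        await pca.RemoveAsync(resetAccount);
        return signedInAccount;
    }
}
```

Whether removing the second account is the right policy is an application decision: an app could equally sign out both accounts and force a fresh sign-in. The point the helper makes is that the account in the reset result must be compared with the signed-in account before it is shown on the home screen, and that the comparison must ignore the policy suffix B2C appends to the object id.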

@TiagoBrenck

Oh, now I see what you mean, and it is indeed odd behavior that needs to be investigated.
Sorry about the misunderstanding.

@jennyf19 (Contributor)

@TiagoBrenck did you investigate this?

jennyf19 self-assigned this Jan 23, 2020