Feature flag to require old password as confirmation when setting a new password #3981

Labels: feat (New feature or request.)

Preflight checklist: done

Ory Network Project: No response
Describe your problem

A common best practice is to require the user to provide the old password as part of defining a new password. Currently, Kratos does not provide a setting to enforce this, as Kratos uses the concept of privileged sessions (https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions). By setting a short `privileged_session_max_age` value, you can essentially enforce the requirement of re-entering the old password to change it. To make this behavior more explicit, it would be nice to introduce a feature flag that, if set to `true`, requires providing the old password when setting a new password.

Describe your ideal solution

Add a feature flag that, if set to `true`, requires the old password to be specified when setting a new password. If the old password is not provided or is incorrect, setting the new password fails. The behavior is not dependent on the value of `privileged_session_max_age` and the `authenticated_at` value of the current session.

Workarounds or alternatives

A current workaround achieving a similar behavior is defining a low value for `privileged_session_max_age`.

Version

Ory Network

Additional Context

No response
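The workaround described in the issue, written out as a Kratos configuration fragment. This is an added illustration, not code from the issue or from the Ory project; the key path `session.privileged_session_max_age` follows the Kratos configuration schema, and the one-minute value is an assumption chosen to make the effect obvious.

```yaml
# Added example (not from the issue): Kratos configuration fragment
# applying the privileged_session_max_age workaround.
session:
  # Maximum age of a session for privileged settings-flow actions such as
  # setting a new password. Once the session is older than this, Kratos
  # requires the user to re-authenticate before the change goes through.
  # A short value approximates "confirm with your old password"; 1m is an
  # illustrative choice, not a recommendation.
  privileged_session_max_age: 1m
```

Two caveats a practitioner should keep in mind with this workaround: it applies to every privileged settings action, not only password changes, and it enforces re-authentication through a login flow rather than entry of the old password specifically, so a user who authenticated within the window (for example, immediately after logging in) can still set a new password without confirming the old one. Those gaps are exactly what the requested feature flag would close.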