WSO2 Changelog

Improvement
Asgardeo
  • 06 Mar, 2026

Preserve Active Sessions and Tokens Upon Password Update

Updating a password shouldn't always interrupt a user's flow. Previously, updating a password in Asgardeo, specifically through the My Account portal, always terminated the user's session and revoked the active token, forcing an immediate re-login. Every password change therefore disrupted the user experience, regardless of the organization's specific security needs.

To provide a more seamless experience and greater control, Asgardeo now supports Session and Token Preservation upon password update. This allows users to stay logged in and keep their active access token valid even after a successful password change. 

What’s New? 

  • Organization-Level Control: Administrators can now manage session persistence and token revocation directly within the Asgardeo Console for password updates. By toggling the "Skip terminating current session and token on password update" setting under Session Management, you can decide whether to keep the session and active token valid based on your organization's needs.
  • Dedicated Password Update API: We’ve introduced a new REST API (POST /me/change-password) specifically for self-service password updates. This API is built to respect your organization’s session preservation settings.
  • Optimized My Account Portal: The My Account portal has been updated to use this new dedicated API. This ensures that when session preservation is enabled, your users can update their credentials seamlessly without their active token being revoked or their session being cut short. 

Note: This feature applies to the My Account portal, the new Self Password Update API, and SCIM 2.0 (via OAuth2). Password updates performed via the SCIM 2.0 Me endpoint using Basic Authentication will still terminate the session and revoke the active token.

Documentation: