Auth0 Session Expiration Behavior with Linked Social Identity Providers and Database Accounts
This article clarifies how Auth0 handles session expiration when users change their login credentials (email or password), particularly when Social Identity Provider accounts are linked to Auth0 database accounts. The key factor determining session persistence is the identity initially used for authentication.
- Database Connections
- Social Identity Providers
The behavior of an Auth0 session upon credential changes is determined by the identity used for the initial login.
- When a user logs in with their primary Social Identity Provider account: If the user changes the email or password of their linked secondary database account, the active session remains unaffected. This occurs because the Social Identity Provider implicitly maintains or renews the Auth0 session, preventing immediate expiration.
- When a user logs in with their secondary database account: If the user changes the password for this specific database account, the session will be revoked, necessitating a new login.
- Any updates to the Social Identity Provider's profile (for example, email address changes) must be performed at the Social Identity Provider (for example, Google, Facebook). Auth0 will only synchronize these changes upon a new login, after the existing session has expired.
An Auth0 session's validity is directly tied to the credentials of the identity that was used to log in. If authentication occurs via a Social Identity Provider, the session is managed externally by that provider, so changes to a linked database account's credentials have no effect on the current Auth0 session. If a user authenticates directly with a database account, any password change for that account invalidates the session and requires re-authentication.
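The three rules above, as a small added Python model that tracks which identity each session authenticated with and applies revocation only to sessions tied to the changed database identity. This is an illustration written for this article, not Auth0's implementation: the class and function names (`Identity`, `Session`, `SessionModel`, `demo`), the sample identities and emails, and the treatment of the provider string `google-oauth2` as a social connection are all constructed for the example.

```python
"""Constructed model of the session-expiration rules described above.
Not Auth0 code; all names and sample values are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: a database connection is represented by this provider name;
# anything else is treated as a Social Identity Provider.
DATABASE_PROVIDER = "auth0"


@dataclass(frozen=True)
class Identity:
    provider: str   # e.g. "auth0" for a database connection, "google-oauth2" for Google
    user_id: str    # the account id at that provider
    email: str

    @property
    def key(self) -> Tuple[str, str]:
        # provider + user_id identifies the account even after its email changes
        return (self.provider, self.user_id)

    @property
    def is_database(self) -> bool:
        return self.provider == DATABASE_PROVIDER


@dataclass
class Session:
    session_id: str
    login_key: Tuple[str, str]  # the identity that actually authenticated
    profile_email: str          # profile email as captured at login time
    active: bool = True


class SessionModel:
    """Holds sessions and applies the credential-change rules from the article."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, session_id: str, identity: Identity) -> Session:
        # Profile data is synchronized only at login time (rule 3).
        session = Session(session_id, identity.key, identity.email)
        self.sessions[session_id] = session
        return session

    def is_active(self, session_id: str) -> bool:
        return self.sessions[session_id].active

    def database_password_changed(self, identity: Identity) -> List[str]:
        """Rules 1 and 2: a password change on a database identity revokes only
        the sessions that logged in with that identity; sessions that logged in
        through a linked Social Identity Provider are untouched."""
        if not identity.is_database:
            raise ValueError("only database connections have an Auth0-managed password")
        revoked: List[str] = []
        for session in self.sessions.values():
            if session.active and session.login_key == identity.key:
                session.active = False
                revoked.append(session.session_id)
        return revoked

    def social_profile_changed(self, identity: Identity, new_email: str) -> Identity:
        """Rule 3: the change is made at the Social Identity Provider and does not
        touch existing sessions; the next login picks up the new profile."""
        if identity.is_database:
            raise ValueError("database identity profiles are changed in Auth0, not at an IdP")
        return Identity(identity.provider, identity.user_id, new_email)


def demo() -> dict:
    """Walk one linked user through the three rules; constructed sample data."""
    google = Identity("google-oauth2", "constructed-google-id", "alice@example.com")
    database = Identity(DATABASE_PROVIDER, "constructed-db-id", "alice@example.com")
    model = SessionModel()
    model.login("sess-social", google)    # primary social login
    model.login("sess-db", database)      # secondary database login

    # One database password change: rule 2 revokes sess-db, rule 1 leaves sess-social alone.
    revoked = model.database_password_changed(database)

    # Rule 3: email changed at Google; the open social session still holds the old email
    # until a fresh login reads the updated profile.
    updated_google = model.social_profile_changed(google, "alice.new@example.com")
    stale_email = model.sessions["sess-social"].profile_email
    relogin = model.login("sess-social-2", updated_google)

    return {
        "revoked": revoked,
        "social_active": model.is_active("sess-social"),
        "db_active": model.is_active("sess-db"),
        "stale_email": stale_email,
        "email_after_relogin": relogin.profile_email,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that revocation keys on the identity that performed the login, not on the user the identities are linked under: a database password change is only a revocation event for sessions whose `login_key` is that database identity.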