Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi, looking at the docs for updating identities, specifically updating with the `password` method, the only trait required is the new password. I would have expected the current password to be required so a check is done before updating.  Am I missing something? If not, what’s the recommended way to achieve checking the current password before updating to the new one in an SPA ?

My initial thought was the ugly solution of fetching the current password_hash, and in the SPA do something like `bcrypt( curr_pass) === password_hash`   before updating the new password via the settings flow. Not a fan of this but couldn’t find an endpoint to fetch the hash anyways. Any help will be appreciated :slightly_smiling_face: