Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

How can I enforce the user to provide their old password when wanting to set a new one? I’ve found this part <https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions> which is on the topic of changing password but not anything about enforcing the old password on change.

That does exactly what you want. If the session is not privileged anymore because it was authenticated too long ago, the user needs to provide their old password again.

You can reduce the time a session is considered privileged as needed.

Aaah ok, so I could basically set that to 1min or something and it would always be required if you want to change password. Thanks!

I think you can even set 0s and it will be strictly required every time, but from a UX perspective it really makes more sense to not ask about the password if you literally just provided it.