Account Management
The Account Management portal provides a unified self-service interface where users can manage their security settings, including passkeys for login and multi-factor authentication, and change their password.
Overview
ProAuth provides a dedicated pipeline at /account/security that authenticates users via a full OpenID Connect flow (Authorization Code + PKCE) before granting access to the management interface. This ensures a proper authenticated session regardless of how the user navigates to the portal.
The portal automatically adapts to the user's identity provider type:
- User Store users see login passkey management, MFA passkey management, and password change
- Federated IDP users (e.g., Google, Entra ID) see only MFA passkey management (if configured)
Accessing the Portal
Users can access the Account Management portal via:
https://<proauth-domain>/account/security?tenantid=<tenant-id>&idpinstanceid=<idp-instance-id>Both tenantid and idpinstanceid query parameters are required. They identify the tenant and identity provider context for the user's session.
After a successful account management sign-in, ProAuth stores the tenant and identity provider context in a protected, HTTPS-only browser cookie scoped to /account/security. This cookie is used only as a routing hint for future re-authentication when a user returns to a bookmarked account management section such as /account/security/passkeys. It does not authorize access by itself; after sign-in, ProAuth still validates the authenticated user's tenant claim and federated identity before rendering account data.
If a request has neither the required query parameters nor a valid remembered context cookie, ProAuth shows a friendly recovery page instead of starting an ambiguous sign-in flow. Users should open account management from the application where they signed in, or sign in to the application again and use its account management link.
Access Methods
Login page link: The UserStore login page can include an "Account Management" link that opens the portal in a new browser tab.
ID token claim: ProAuth includes a
pa_account_management_urlclaim in ID tokens and the UserInfo endpoint response. Client applications can use this claim to provide a direct link to the portal.
{
"pa_account_management_url": "https://login.example.com/account/security?tenantid=...&idpinstanceid=..."
}Login Page Link Visibility
The UserStore IDP instance option AccountManagementLinkVisibility controls whether the login page shows the Account Management link:
| Value | Behavior |
|---|---|
auto | Shows the link when passkeys are enabled. This is the default and preserves the previous passkey-driven behavior. |
enabled | Always shows the link. |
disabled | Hides the link. |
Authentication Flow
When a user accesses the portal, ProAuth initiates an OIDC authentication flow against itself:
INFO
The Account Management pipeline uses a dedicated system client application ("ProAuth Account Management") that is auto-provisioned during startup. This client uses PKCE and does not require a client secret.
Login Passkey Management
Available only for User Store users. Manages passkeys used for passwordless first-factor authentication with userVerification: "required".
Features
- View registered passkeys — See all passkeys with name, creation date, last used date, and sync status
- Register new passkeys — Add passkeys using security keys, platform authenticators (Windows Hello, Touch ID, Face ID), or synced passkeys
- Rename passkeys — Update the display name of any registered passkey
- Delete passkeys — Remove passkey registrations
WARNING
Deleting a passkey is irreversible. The credential will no longer be accepted for authentication. If PasskeyEnforcePasswordless is enabled on the IDP instance, ensure users retain at least one passkey.
Storage
Login passkeys are stored in the User Store database associated with the user's account. They are managed through the IPasskeyService in the User Store module.
MFA Passkey Management
Available for all users (User Store and federated) who are associated with a Passkey two-factor instance. Manages passkeys used as a second authentication factor with userVerification: "discouraged".
Association Requirements
MFA passkey management is only available when the user is associated with at least one active Passkey two-factor instance through any of these relationships:
- Direct user assignment
- Client application assignment
- Tenant assignment
- IDP instance assignment
Features
The same CRUD operations as login passkeys: view, register, rename, and delete.
First Passkey Setup
The first MFA passkey can be registered during the MFA challenge flow. Subsequent passkeys should be managed through the Account Management portal.
Storage
MFA passkeys are stored in the ProAuth database (not the User Store database), in the ProAuthUserMfaFactor entity. This allows MFA passkeys to work with both User Store and federated identity providers.
Change Password
Available only for User Store users. Users must provide their current password to set a new one. The new password is validated against the password complexity policy configured for the IDP instance.
Upcoming Features
The following sections are planned for future releases:
- Profile — View and edit personal information (email, phone, display name)
- MFA Settings — Manage additional multi-factor authentication methods (TOTP, phone verification)
- Active Sessions — View and manage active login sessions, with individual or global logout
View Customization
The Account Management portal uses customizable Liquid templates. All text labels use the ProAuth label system under the /accountmgmt content-path root, with account-management keys such as accountmgmt-* and account-change-password-*. Administrators can customize text and provide translations through the Management API.
The portal uses a dedicated _AccountLayout.liquid master template with a sidebar navigation, separate from the standard login _Layout.liquid.
Administration API
Administrators can manage user passkeys through the UserStore Administration API:
GET /api/userstore/v2/{userstoreId}/administration/passkeycredential/user/{userId}
DELETE /api/userstore/v2/{userstoreId}/administration/passkeycredential/user/{userId}/{passkeyId}INFO
Administrators can list and remove passkeys but cannot register new ones. Passkey registration requires the WebAuthn ceremony to execute on the user's device and browser.