Comment 1 for bug 1662911

v3 has always required authorization to be explicitly granted using a separate call, rather than being implied via a user-attribute. The intent is that user attributes may be set by the user themselves as a preference.

That said, setting the user password attribute acts as an administrative password reset, and we have a separate API for self-service password changes, so it's not exactly consistent.