My question is similar to Add user from Enterprise Identity Provider, but not exactly the same.
We would like to only use social and enterprise connectors, and not support username/password at all. To onboard a new user we need to give that user a set of user-specific permissions, different for different users.
What we have to do today is ask a user to log in through the SSO experience once. After that we see that user in Auth0 and can grant the necessary permissions. We then ask the user to log out and log back in, so that their access token carries the granted permissions. Obviously, this isn’t a great user experience.
What we would like to do instead is to be able to add such a user by their email, grant them their permissions, and only then invite them to log in through the SSO/connector.
As I understand it, this is not possible to do today. I found the workaround of adding a user to the database with a password, granting them permissions, then inviting them to log in and, in the process, linking their database account with their connector one. This is slightly better but still far from the desired experience:
- The user needs to enter the password for their database account in order to link it to the connector account. We either have to send it to them (bad security) or ask the user to go through the reset password process before they can link their accounts (better security but cumbersome and confusing user experience).
- The database account with the password, either set by us or reset by the user, stays in the database forever, even if they only use SSO for login. If that password is leaked or otherwise compromised, somebody can impersonate the user.
I don’t see how workarounds with automatic granting of roles/permissions (similar to Add new user to role) would help us. We need to explicitly give a new user their permissions, and they are different for different users.
Am I missing a way to achieve what we need? If not, is this something on your radar to add?
It seems to me that using the user’s email address as a reliable identifier, no matter which connector they log in through, and automatically ‘merging’ their multiple identities would be a great option to provide.
Thanks.
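One way to deliver per-user permissions on the first SSO login, without the log-out/log-in round trip described in the post, is a post-login hook that looks up a grant pre-registered by email. The example below is added here; it is not code from the post or from Auth0. It assumes the Auth0 Actions post-login shape (`event.user.email`, `event.user.email_verified`, `api.accessToken.setCustomClaim`), a hypothetical in-memory pending-grant store keyed by email, and a namespaced claim name; the `email_verified` check is what keeps "email as identifier" from becoming an account-takeover path.

```javascript
// Added example (not from the original post or from Auth0): grant pre-registered,
// user-specific permissions on the user's FIRST SSO login, so they land in the
// access token without asking the user to log out and back in.
// Assumed: Auth0 Actions' post-login event/api shape and a hypothetical
// pending-grant store keyed by e-mail (a real deployment would use a database).

const CLAIM = "https://example.com/permissions"; // namespace is an assumption

// Constructed sample: a grant an admin recorded before the user ever logged in.
const pendingGrants = new Map([
  ["Alice@Example.com", { permissions: ["read:reports", "approve:invoices"], consumed: false }],
]);

function normalizeEmail(email) {
  return String(email || "").trim().toLowerCase();
}

// Pure decision logic: which permissions (if any) this login may receive.
// Returns null when nothing should be granted.
function resolvePendingGrant(user, store) {
  // An unverified e-mail from a connector must never be used as an identity key:
  // anyone able to register that address at some IdP could otherwise claim the grant.
  if (!user || !user.email_verified) return null;
  const key = normalizeEmail(user.email);
  for (const [storedEmail, grant] of store) {
    if (normalizeEmail(storedEmail) === key && !grant.consumed) {
      grant.consumed = true; // one-shot: a later login does not re-run onboarding
      return grant.permissions.slice();
    }
  }
  return null;
}

// Entry point in the shape Auth0 expects for a post-login Action (assumed);
// Auth0 declares it async, which is harmless here. Returns what it granted.
function onExecutePostLogin(event, api) {
  const perms = resolvePendingGrant(event.user, pendingGrants);
  if (perms) {
    // Only the current token is enriched here; to make the grant stick for
    // later logins it must also be persisted in the tenant (Management API).
    api.accessToken.setCustomClaim(CLAIM, perms);
  }
  return perms;
}
```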