Auth0 custom authentication flow

Hello, guys! I’m quite new to Auth0 and I have several things that I want to implement

  1. I want to add username field to sign up window, so than user can have three text fields (username, email, password)
  2. I added third-party smtp server in order to sent OTP to user, but I want to use it instead of Auth0 magic email verification link. How can I do that? I created Email Provider and put inside smtp server credentials. What should I do next?
  3. I want to create some next window in authentication flow, where user can put otp which he will receive on email.
  4. I want to create such authentication flow, in which user can login with his email&password OR username&password. How I could implement such thing?
    Guys, would be grateful for sharing any information about questions above!

Hi @yaroslakladko

You can enable usernames in your database connection. When usernames are enabled, users log in EITHER with a username or an email, both work. When registering, users MUST provide both.

Your SMTP server should be set up, as you describe it.

I would suggest using our built in OTP MFA to achieve better security. Using an email OTP does not provide much additional security - it is not a true second factor but is a reuse of a first factor. True MFA is better.

John

@john.gateley, thanks for your answer! I’ll try now to configure, as you have written, and will reply with result!

@john.gateley I enabled usernames in my database connection and it works! Thank you! I enabled MFA with phone OTP and Twilio. This also works during login and sign up!

I want to build such SIGN UP flow, where user enters his username, email and password (have this done with your hint about usernames in db connection) → then confirms email OTP BUT only first time, when he is signing up → then he confirms phone OTP (I have it done with MFA) and after that he can be authenticated.

And LOGIN flow → credentials ((username OR email) & password) → MFA with phone OTP (this flow is working!)

So, the question is how can I send OTP to user’s email only one time, when he is signing up and validate it synchronously (user is not allowed to continue, until he will not validate his email)?

Hi @yaroslakladko

What you are describing is forcing the user to validate their email before allowing them to log in. This is doable via OTP, but is actually easier using our standard email validation link. There are many ways to do this, with varying degrees of elegance. You can start here: Force email verification

John

Hello, @john.gateley. Thanks for your answer! I saw several threads about email verification webhooks and I want to implement Management (I think rather than Authorization) Webhook, that will check whether user(s) has email_verified and will send corresponding data to my API. Can you please share an example or possible solution for that? Would be grateful!

Hi @yaroslakladko

I don’t have any samples like that, sorry.

John