Automatic login after creating Auth0 user

The approach you mentioned will not work because the Management API V2 does not allow setting a password for users with the “email” (passwordless) connection.

Therefore use a Passwordless Connection & Account Linking (with a regular database connection account). For the database connection account, you can set a password. You link it with a passwordless account based on email address.

1 Like

@mathiasconradt awesome, that’s an interesting suggestion, thanks for that.

So we’ll create a separate database connection for our “implicit signup”.

However, we’ll have to run a webhook of sorts on our backend every time a user successfully authenticates using the Passwordless OTP flow. Is that possible? Our backend will then use the Management V2 API to link the previous (unverified) users from the database connection.

You can either do the account linking right from the start (when you create the user in the first place, create two accounts for him and link them already), or inside a Rule. Within a Rule, the context tells you when it’s the first login of a user or whether he’s coming from a passwordless connection. So it doesn’t necessarily need to be done from your backend; it can be handled inside a Rule as well.
(In this whole scenario, of course there are a few security considerations to deal with.)

1 Like
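
The linking decision discussed above, as an added example that is not part of any post in this thread and is not Auth0's own code: it decides when a passwordless login may safely be linked to the database account with the same email, and builds the Management API v2 request for it. Treating the database account as the primary, the `planAccountLink` name and the sample users are assumptions.

```javascript
// Added example: pure decision logic, no network calls.
// Field names follow Auth0 Rule objects (user, context) and Management API v2
// user records. planAccountLink is a hypothetical helper name.
function normalizeEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : '';
}

// Returns a description of the link request, or null when linking
// would be unsafe or unnecessary.
function planAccountLink(user, context, candidates) {
  // Only act on logins through the passwordless "email" connection.
  if (context.connectionStrategy !== 'email') return null;
  // Linking by email is only safe when mailbox ownership was proven.
  if (user.email_verified !== true) return null;
  // Already linked: the profile carries more than one identity.
  if (Array.isArray(user.identities) && user.identities.length > 1) return null;

  const email = normalizeEmail(user.email);
  if (!email) return null;
  // Candidates come from a search by email; keep unlinked database accounts.
  const matches = candidates.filter(c =>
    c.user_id !== user.user_id &&
    normalizeEmail(c.email) === email &&
    Array.isArray(c.identities) && c.identities.length === 1 &&
    c.identities[0].provider === 'auth0');
  // Zero or several matches: do not guess which account to merge.
  if (matches.length !== 1) return null;

  // Assumption: database account is primary, passwordless one is secondary.
  return {
    method: 'POST',
    path: `/api/v2/users/${encodeURIComponent(matches[0].user_id)}/identities`,
    body: { provider: 'email', user_id: user.user_id },
  };
}

// Constructed sample users (not real accounts).
const samplePasswordlessUser = {
  user_id: 'email|abc123', email: 'New.User@example.com', email_verified: true,
  identities: [{ provider: 'email', user_id: 'abc123' }],
};
const sampleDbUser = {
  user_id: 'auth0|def456', email: 'new.user@example.com',
  identities: [{ provider: 'auth0', user_id: 'def456' }],
};
```
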

Makes sense. We’ll try creating both at once and come back to you.

We understand the security implications; please bear in mind that this auth flow will only be possible if the email has never been used before. You cannot use it to “backdoor” into another user’s account.

1 Like

@mathiasconradt I’m not sure if the conversation you had with tom addresses this, but here is our desired user onboarding flow:

  1. On our site, the admin invites specific emails to be onboarded. Our system sends custom invitation links to those emails.
  2. Users click on the link in their email & come to our onboarding page
  3. The user fills out their information (name/password/etc) and clicks submit
  4. Our system validates that the user came from a valid onboarding link
  5. An Auth0 account is created for the user
  6. We generate an access_token on our server for the newly created user
  7. We send the access_token to the client & they can begin using the site as the user that was just created

So far, we are able to accomplish everything except step 7. We’re using the Auth0 React library and as far as I can tell, there’s no easy way to provide the access_token generated in step 6 to the Auth0 React library. So the Auth0 library will say that the user is not authenticated & the user will be directed to our universal login page.

Is there a way to “seed” the Auth0 React library with an access_token, so the user is not forced to immediately login?

3 Likes

Have you found any resolution to auto-login ever since? We’ve been looking high, low, far and wide but never really gotten anywhere.

Hope to hear from you or any of the community members/experts.

2 Likes

I also wonder if you have ever found a solution to your problem. I want to do the same but have not figured it out.

Not sure if this helps anyone but we had some success with an existing method we found when looking directly at the source code. This also worked with our custom user_metadata.

auth0.redirect.signupAndLogin(signupData)

It can be found in the auth0.js library
https://auth0.github.io/auth0.js/web-auth_redirect.js.html

2 Likes

Thanks for sharing it with the rest of community!
