Custom invitation flow

Hello,
I want to create the following invitation flow in my application:

  • Admin invite user by email
  • The user gets an email with a link to set up his account (the link can be used only once)
  • When the user clicks on the link, he will be redirected to a form hosted in OUR website.
  • The user will fill the following data in the form:
    • First name
    • last name
    • new password
  • In the next page (still on our website), the user will be required to supply phone number for MFA purposes. He will get an SMS OTP and will be required to provide it back.
  • After completing all steps above, the user is redirected to login / automatically logged in to our application.

I followed some of the guides in the docs:

But I still having a trouble to understand how to achieve my flow…
I figured that I will probably have to use the Auth0 authentication/management API directly… but I don׳t know how exactly…

Hi @tal.sh

You can do this, but there are a couple of issues: the password and SMS registration is better hosted by Auth0 instead of your website.

If you want to do it, you’ll need the management API to create the account, and the MFA API to register the SMS. The user will have to log in (they will not be logged in automatically) at the end of the process.

A different approach:

  • Send the link via email
  • The link connects to your webpage
  • Your webpage gathers first/last name and creates the account
  • Your webpage gets a password reset ticket (from the mgmt API)
  • Your webpage redirects to the password reset ticket
  • User enters password
  • After success, user is redirected to a login page
  • User logs in with new password
  • MFA enrollment happens.

John

1 Like

Hi @john.gateley

Thank you so much for you answer!

I have some questions regarding your suggested flow:

  • Send the link via email
    • You mean, link to our site? so our backend should generate and sent it (without auth0 involvement )? if so I will need to take care of invalidating the link after fist use…
  • The link connects to your webpage
  • Your webpage gathers first/last name and creates the account —
    • The “webpage” is actually a web-app, which is an “application” in auth0. isn’t it a bad practice that an application is using the mngmnt API (I touth that application should only use auth API and services like our backend should use the mngmnt API)
    • If the link only link to our site, how should I “connect” the invited user with the user that is using this page? how should I prevent anyone from just hitting that page and creating himself a user? (we are talking about invitation and not sign-up…)
  • Your webpage gets a password reset ticket (from the mgmt API)
  • Your webpage redirects to the password reset ticket
  • User enters password
  • After success, user is redirected to a login page
  • User logs in with new password
  • MFA enrollment happens.

In addition, Now my flow is implemented by following of this guild:

  • When user invited our BE use the mngmnt API to create the user and trigger a change Password Email
  • The user change his password from the link in the mail. after changing the user is redirected to our login page
  • after login MFA enrollment happens automatically.

It works, BUT the only step “missing” is the collection of some user details (like first/last name) before/after changing his password.

If I׳m willing to use ONLY auth0 hosted pages, is there any way to achieve my goal? by customizing the change password page?(so that it will be asking the user for his details…) or with flows/actions/hooks?

Thanks again for you help

Hi @tal.sh

Perhaps the best approach is “progressive profiling”. Do the flow you mentioned to invite new users and change their passwords, using Auth0, and then have a redirect action to gather their first and last names. You would host the page gathering the name info.

(you can also do this with rules).

If you go with the approach I first suggested, which is more complex, then you will have to keep track of link usage, and you will have to ensure you call the management API from your webapp’s secure back end, not the front end.

John

1 Like

Hi @john.gateley,
Thanks for your answer.
I think thats the way to go in my case.

1 Like

We are here for you @tal.sh !