Custom invite flow where user sets password (my backend creates user). How do I login the user after this?

Hi.

Here’s the flow -

  1. Admin user invites user by email. My backend sends that user an email with a custom link.
  2. When that user navigates to the custom link, they’re presented with an option to set their name and password.
  3. Upon clicking Submit, an API call to my backend creates the user in Auth0 using management api, and does some additional operations, and returns the newly created user.

Here’s the issue -

At this point in the UI (react app using auth0-react library), I want to “log in” the user. I can generate a token for the user as well and send that over. However, it doesn’t seem like the auth0-react library has some way for me to set credentials. It seems the library only offers managed login.

So, given that I’ve successfully created the user in Auth0 and supplied the token in the response after a successful invite flow, how can I “log in” the user at this point?

I do NOT want to call auth0.loginWithRedirect because then the user has to re-enter their password again which they just created.

Please let me know if you need more clarification. Thanks.

:wave: @kdm :sunglasses:

During our dev_day event this year, we introduced a Lab detailing a mechanism for folks to implement invitation-based workflow using the out-of-the-box Auth0 Organizations feature. Primarily a feature supporting B2B SaaS, the Organizations capability in Auth0 can also be used to implement invites in a B2C context, and leverages much of the Auth0 platform functionality that comes as standard. It offers some alternative workflow that might be more suitable to your use case, and for more detail, you can take a look at Implement an Invite Workflow With Auth0 Organizations.

Hope this helps, and please feel free to provide feedback as we’re always looking to improve the functionality the platform offers :hugs:


Thanks.

I did check out that (looks cool, will have to try it in the future) but I have this existing invite flow on our backend and this is the only blocker for me at the moment - just wondering if there is a quick solution here :pray:

I am using GitHub - auth0/auth0-react: Auth0 SDK for React Single Page Applications (SPA) and wondering if there’s some way to update the underlying Auth0 context with the auth token to login the user.

As I mentioned in my OP the user is created via management API and I can generate a token for the user on my backend.

Is there some way to set this token into the Auth0 context so that I can avoid having the user login after setting their password?

Please let me know. Thank you

Thanks for the response @kdm :sunglasses:

…just wondering if there is a quick solution here :pray:

Not really. There are also a number of reasons why I wouldn’t recommend the workflow you’re currently using either; let me see if I can break it down a little to provide a little more context :slightly_smiling_face:

  1. Admin user invites user by email. My backend sends that user an email with a custom link.
  2. When that user navigates to the custom link, they’re presented with an option to set their name and password.
  3. Upon clicking Submit, an API call to my backend creates the user in Auth0 using management api, and does some additional operations, and returns the newly created user.

Aside from the fact that in 1, above, you’re having to manage your own invite workflow - providing the likes of rate limiting, threat protection, invite expiry, etc., to mitigate/reduce the attack surface - it sounds like, in 2 and 3, you’re handling user credentials outside of the IdP (Auth0). Handling user credentials outside of the IdP goes against recommended security best practices, and for a number of different reasons. Classically, we typically recommend using the Password Reset workflow as described in the Send Email Invitations for Application Signup guidance we provide; however, that guidance still requires the user to interactively login (as described here).

As I mentioned in my OP the user is created via management API and I can generate a token for the user on my backend.

I’m curious as to how you’re doing this. If you’re doing this via a Resource Owner Password Flow, say, then arguably it’d be in a confidential client context; leastways, in this case, a confidential client that can safely handle user credentials. But as a React SPA, your application is not a confidential client, and best practice from a security perspective typically recommends avoiding using a token intended for a confidential client in a non-confidential client context.

Is there some way to set this token into the Auth0 context so that I can avoid having the user login after setting their password?

As far as I’m aware, there’s no way to achieve this. At least no way we support out-of-the-box or in a recommended security best practice fashion. Unfortunately, to provide something like this as a feature would open up the potential for token injection - which is an attack surface that one would definitely want to avoid (for obvious reasons).

I would urge you to take a look at the Implement an Invite Workflow With Auth0 Organizations as it will likely provide you with not only a ready-made solution, but will also mitigate against potential (security) issues down the line :sunglasses: