We are implementing a custom user sign up where only the admin users can create new accounts, assuming with valid emails. The user will have a random password and is required to change it right after the email is verified.
Create User -> Send email contains link to verify -> User click Verify link -> auth0 verify the email then redirect to new password page (possibly the same page as reset password) -> Enter new Password then confirm.
Is this flow applicable with current auth0 implementations?
Thank you for reply,
But what I need to achieve is different. I need to redirect the user to the reset password page right after he or she verifies the email (by clicking the verify link embedded within the received email), so he or she can reset the password without needing to login for the first times.
First a note: why not instead of sending the email verification link (as Administrator), send them the password reset link (as Administrator) via the authentication API instead right away.
Using that link, as a user, automatically implies that the user was able to receive the email, so the email address can be seen as implicitly verified once the user has changed his password via the password reset link he received in his inbox.
Besides from above: There are no out of the box event listeners / Hooks / Rules for when a user verifies his email address or when a user changes his password. Therefore, using standard hooks or rules in this case wouldn’t work.
I therefore only see these two options:
Custom developed signup/login hosted on your end, to which the initially email sent out by your Admin actually leads to, where you verify the user and then let him reset the password - and your site would just call the Auth0 APIs, such as Auth0 Management API v2 Change Users' Passwords
You could follow the suggestion as in this thread: Setting an email verification server callback using Webhooks in Auth0
using the mentioned API Webhooks where you would listen to the “Success Change Password” (and “Success Verification Email”, imo not needed) log events. Upon Success Change Password, you could as well then set the email_verified flag to true.