Custom User Signup then Create New Password Flow

We are implementing a custom user sign-up where only admin users can create new accounts, assuming valid emails. The user will have a random password and is required to change it right after the email is verified.

Happy Path:
Create User → Send email containing link to verify → User clicks Verify link → Auth0 verifies the email then redirects to new password page (possibly the same page as reset password) → Enter new password then confirm.

Is this flow applicable with current auth0 implementations?

1 Like

You can do this using Rules.

For your specific case, see:
Change Users' Passwords which you can adjust to your needs:

You can use a rule to check for a password expiration period.

  1. Go to Dashboard > Rules.
  2. Click + Create Rule.
  3. Click the template Check Last Password Reset.
  4. Modify the script according to your requirements, and click Save.

1 Like

Thank you for the reply,
But what I need to achieve is different. I need to redirect the user to the reset password page right after he or she verifies the email (by clicking the verify link embedded within the received email), so he or she can reset the password without needing to log in for the first time.

I see. In that case:

First, a note: why not, instead of sending the email verification link (as Administrator), send them the password reset link (as Administrator) via the Authentication API right away?
Using that link, as a user, automatically implies that the user was able to receive the email, so the email address can be seen as implicitly verified once the user has changed his password via the password reset link he received in his inbox.

Besides the above: there are no out-of-the-box event listeners / Hooks / Rules for when a user verifies his email address or when a user changes his password. Therefore, using standard hooks or rules in this case wouldn’t work.

I therefore only see these two options:

  1. Custom-developed signup/login hosted on your end, to which the initial email sent out by your Admin actually leads, where you verify the user and then let him reset the password - and your site would just call the Auth0 APIs, such as
    Auth0 Management API v2
    Change Users' Passwords

  2. You could follow the suggestion as in this thread:
    Setting an email verification server callback using Webhooks in Auth0
    using the mentioned API Webhooks where you would listen to the “Success Change Password” (and “Success Verification Email”, imo not needed) log events. Upon Success Change Password, you could as well then set the email_verified flag to true.

See docs for API webhooks:

Similar or related threads:

2 Likes
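
A sketch of the second option from the reply above, added here as an example and not code from the thread or from Auth0: a webhook receiver authenticates the incoming batch, picks out "Success Change Password" log events, and plans one Management API `PATCH /api/v2/users/{id}` per user to set `email_verified`. The batch shape (a JSON array of entries with `type` and `user_id`), the shared secret in the Authorization header, and the function names are assumptions; the PATCH itself needs a Management API token with the `update:users` scope.

```javascript
// Added example: plan email_verified updates from a batch of Auth0 log events.
// Assumptions: the webhook POSTs a JSON array of log entries with `type` and
// `user_id`, and carries a shared secret in the Authorization header.
const SUCCESS_CHANGE_PASSWORD = "scp"; // log type code for "Success Change Password"

// Constant-time comparison so the secret check does not leak how much matched.
function secretsMatch(received, expected) {
  if (!expected) return false; // an unset secret must never authenticate anyone
  const a = Buffer.from(String(received || ""));
  const b = Buffer.from(String(expected));
  let diff = a.length ^ b.length;
  for (let i = 0; i < b.length; i++) diff |= (a[i] ?? 0) ^ b[i];
  return diff === 0;
}

// Returns an HTTP status for the webhook response plus the Management API
// requests to send; the caller performs them with its own HTTP client.
function planVerifiedUpdates(authorizationHeader, expectedSecret, events) {
  if (!secretsMatch(authorizationHeader, expectedSecret)) {
    return { status: 401, requests: [] };
  }
  if (!Array.isArray(events)) return { status: 400, requests: [] };
  const seen = new Set();
  const requests = [];
  for (const ev of events) {
    if (!ev || ev.type !== SUCCESS_CHANGE_PASSWORD) continue;
    // Skip entries without a usable user id and repeats within the batch.
    if (typeof ev.user_id !== "string" || ev.user_id === "" || seen.has(ev.user_id)) continue;
    seen.add(ev.user_id);
    requests.push({
      method: "PATCH",
      path: `/api/v2/users/${encodeURIComponent(ev.user_id)}`,
      body: { email_verified: true },
    });
  }
  return { status: 200, requests };
}

// Constructed sample batch (not real log data).
const sampleEvents = [
  { type: "scp", user_id: "auth0|example-user-1" },
  { type: "sv", user_id: "auth0|example-user-2" }, // verification email event, ignored
  { type: "scp", user_id: "auth0|example-user-1" }, // duplicate delivery
  { type: "scp" }, // no user_id, ignored
];
const plan = planVerifiedUpdates("constructed-secret", "constructed-secret", sampleEvents);
console.log(JSON.stringify(plan, null, 2));
```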