Hello,
I am trying to disable emails trigerred from auth0 and instead trigger them from our Backend using the apis that auth0 provided (from the ticketing apis [verifyemail, resetpassword], to unblocking users…etc). I could not find the option to disable the emails triggered by auth0 in the configuration.
Can you help please?
Why? Well, managing email templates in auth0 isn’t working as we grow. We need each template to support multiple languages and sometimes special changes for specific criteria. It’s really tough/limited to manage using auth0’s html-templating tool (auth0/branding/email-templates).
Any help is very much appreciated.
Thanks
Thank you for reaching out to the Auth0 Community @chafic.elhariri !
I’ve checked the behaviour and what we can potentially do about it.
Based on my investigation, I can see Auth0’s email templates are triggered to be sent when users go through the Universal Login Experience pages flows. For example, clicking the “Forgot password” button sends to Auth0 the following request:
https://subdomain.auth0.com/u/reset-password/request/Username-Password-Authentication?state=xxxxx with the user’s email address in the payload and as a result email templated by Auth0 is sent.
At the same time, it seems there is no feature to enable/switch on our side in the dashboard in order to disable Auth0 templates entirely and introduce your backend logic to create email templates.
In case of reset password flow, you can disable the link that seats under the “Forgot password?” button to prevent the default flow to happen. Here you can find how to do it.
In this topic, there is a suggestion on adding your own link so that you can manage the flow outside of Auth0’s login flow.
Also, the Management API endpoint - PATCH user by ID, allows to change the user password directly.
Going back to Auth0’s email templates, I have learn that you can set the email language based on the user’s preferred language (info stored in user_metadata) - you can read about it in this doc searching phrases Multilingual subject line, Multilingual email templates
I hope this gives you some overview. Please let us know your thoughts of follow up questions.
Hello @marcelina.barycka, thanks for the reply much appreciated.
We are using a Auth0 native SDK for iOS and Android with a fully custom UI, so we are calling the signUp/login functions provided by the sdk. Upon SignUp directly auth0 sends the verification email (templated, which is customized from auth0 also using some meta-data (lang + other info)+ app-id).
The other usecase is for the web where we use the passwordless-email-login fuctionality provided by auth0 - This also has a template on it’s own.
For the reset-password, as you said, we can simply start calling our backend (which calls the ticketing api on auth0’s end to generate the link needed to include in our template - this works perfectly).
But what can we do for these:
- Password Breached template (triggered automatically by auth0)
- User blocked template (triggered automatically by auth0)
- Passwordless template
What do you think?
Thank you for following up @chafic.elhariri!
Let’s investigate your listed use cases one by one starting with the passwordless login’s email.
I think we could take a closer look at the specific methods currently used by your implementation (which cause undesired behaviour) and see if there are other methods / Auth0 APIs to call directly.
When I think about passwordless login, the API endpoint called to get a code or link doesn’t return the code/link directly in the response but triggers steps behind the scene resulting in a code/link sent to the user email (using Auth0’s templates).
What we would like to do here, I believe, is to take more control over these behind-the-scenes steps.
I will consult our product engineers to discuss it and be back soon.
If you have any additional info or questions in the meantime, please let me know!
1 Like
What’s the app type where you use the passwordless login (regular web app / SPA/…) @chafic.elhariri ? And what is returned to a user - magic link or code? What Auth0’s library do you use for it?
@marcelina.barycka thank you for following up.
The app that uses Passwordless-login is “Regular Web App”, We get a magic link by email.
And in this case Auth0’s library is used in the backend to request the magic-link email.
Good afternoon / good morning @chafic.elhariri !
Thank you for sharing details.
I can see why that feature would be important to you but at this point of time, the behaviour of Auth0’s passwordless login flow would solely be as we initially described - the magic link will be delivered only by Auth0’s templated email. These links cannot be requested directly in a way you could take more control over the flow.
Another way of submitting a product feature request is through a Feedback community post - other developers could upvote it then. Your feedback is crucial for future enhancements.
Please let me know if you have any more questions on this topic!
PS: I can see that my colleague @james.merrigan has simultaneously worked on your query, so I will share here his finding for the broader audience:
Hi Chafic,
Thank you for your patience here. I hope your day is going well!
1. The Auth0 Verify Email will be triggered by default when using the Authentication API for creating users. In this case, the mobile SDK leverages this API and the email cannot be prevented.To prevent the Verify Email from being sent, your users need to be created using the Management API only with the parameter “verify_email: false” (Create a User).
2. Unfortunately, while you can disable the Password Breached email from the Notifications section of your Breached Password Detection settings in the Dashboard, you are unable to generate a method for sending this notification yourself. This email is sent from Auth0’s security address “no-reply@auth0user.net”.
3. Glad to hear this workaround is working for you!
Similar to the Password Breached email, this email can be disabled from the Brute Force Protection settings of your tenant, but there is no built-in method for you to hook into and generate this notification yourself (with a link for the user to unblock themselves).
4. It is not currently possible to generate a Passwordless link (similar to the password reset ticket) for you to send via your external system. You can find more information on this in the following community FAQ: https://community.auth0.com/t/generating-passwordless-login-magic-link/12305
I definitely understand that some of these features are restrictive for your use-case, and you will need to evaluate the trade-off between disabling some of these features or updating the Auth0-provided templates.
