I want to use a custom signup page which is hosted by us and use Auth0 for login. I am using the Management API to create the user after signup happens in the application, and to log in I am using the SPA Implicit flow /authorize with a Custom API to get the access token. The signup widget does not show on the Universal Login UI of Auth0 when it is disabled, but when a user logs in with a social platform it signs the user up in Auth0.
Am I correct to assume that you don’t want users to log in with Social Login (for which signup and login are actually the same, no difference), unless they already have an existing username+password account in Auth0? If this is the case, you cannot avoid the signup, but you can block the authentication via a Rule (nevertheless a user profile gets created in Auth0; he just can’t log in).
Just curious: why do you do the signup with custom UI and API on your end, and not also via the Auth0 hosted widget? Any special requirements that force you to do it this way?
You are correct with your assumption. We need more fields than username and password, and there is another use case where users are created by a user and they sign up later. Any elegant solution to handle this use case?
If a profile is created in Auth0 and a rule can be created to avoid login with that profile (in this case it is a social signup user), will that profile be blocked from signing up with username/password as well?
We need more fields than username and password
This can be done by adding additional signup fields, also within the Auth0 hosted login page.
See Lock Configuration Options
Will that profile be blocked from signing up with username/password as well?
No, not necessarily. This all depends on the Rule, which is basically any Node.js logic. So you can check in such a rule whether a user is coming from a social or a database connection, or whether he already has a proper username/password account or not, and only block the login if he has only a social login.
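The kind of Rule described in this answer, as an added example that is not part of the thread: a legacy-style Auth0 Rule (the function (user, context, callback) form) that lets a social login through only when the same profile also carries a username/password identity. It assumes that context.connectionStrategy is "auth0" for database connections, that user.identities lists the linked identities with their provider, connection and isSocial fields, and that UnauthorizedError is available in the Rules sandbox (a stand-in is defined so the file also runs on plain Node.js). The sample profiles are constructed, not real tenant data.

```javascript
// Added example, not code from the thread: an Auth0 Rule in the legacy
// function (user, context, callback) form that allows a social login only
// when the profile also has a username/password identity.
// Assumptions: context.connectionStrategy is "auth0" for database
// connections; user.identities carries `provider`, `connection`, `isSocial`.

// The Rules sandbox provides UnauthorizedError; this stand-in lets the file
// run outside Auth0 (inside a Rule you would not define it).
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// A database identity (provider "auth0") means the user has a password.
function hasPasswordIdentity(user) {
  const identities = Array.isArray(user.identities) ? user.identities : [];
  return identities.some((id) => id.provider === 'auth0' && !id.isSocial);
}

// The current login is social when the connection in use is not a database
// connection. The identity matching the connection is consulted first; the
// strategy name is the fallback when that identity is not on the profile.
function isSocialLogin(user, context) {
  const identities = Array.isArray(user.identities) ? user.identities : [];
  const current = identities.find((id) => id.connection === context.connection);
  if (current && typeof current.isSocial === 'boolean') {
    return current.isSocial;
  }
  return context.connectionStrategy !== 'auth0';
}

// Pure decision so it can be tested without the Rules sandbox.
function decide(user, context) {
  if (isSocialLogin(user, context) && !hasPasswordIdentity(user)) {
    return { allowed: false, reason: 'social-only profile' };
  }
  return { allowed: true, reason: 'database login or linked password identity' };
}

// Rule body: in the dashboard this is the anonymous
// function (user, context, callback) { ... } with the helpers inlined.
function rule(user, context, callback) {
  const decision = decide(user, context);
  if (!decision.allowed) {
    // The profile created by the social signup stays in Auth0; only the
    // login is refused, as the answer above describes.
    return callback(new UnauthorizedError('Sign in with your username and password first'));
  }
  return callback(null, user, context);
}

// Constructed sample profiles (not real tenant data).
const SOCIAL_ONLY = {
  user_id: 'google-oauth2|1111',
  identities: [{ provider: 'google-oauth2', connection: 'google-oauth2', isSocial: true }],
};
const LINKED = {
  user_id: 'auth0|2222',
  identities: [
    { provider: 'auth0', connection: 'Username-Password-Authentication', isSocial: false },
    { provider: 'google-oauth2', connection: 'google-oauth2', isSocial: true },
  ],
};
const SOCIAL_CTX = { connection: 'google-oauth2', connectionStrategy: 'google-oauth2' };
const DB_CTX = { connection: 'Username-Password-Authentication', connectionStrategy: 'auth0' };

for (const [name, user, ctx] of [
  ['social-only', SOCIAL_ONLY, SOCIAL_CTX],
  ['linked', LINKED, SOCIAL_CTX],
  ['database', LINKED, DB_CTX],
]) {
  rule(user, ctx, (err) => console.log(name, err ? `denied: ${err.message}` : 'allowed'));
}
```

The check only sees identities that are linked to the profile the login is happening on. A social login that created its own separate profile next to an existing username/password profile has no database identity on it and is therefore denied, which is the intended effect; if you instead want to treat "a database user with the same email exists somewhere in the tenant" as sufficient, the Rule has to look the email up through the Management API rather than rely on user.identities.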
I was using Auth0 Actions to disable social logins.
Case 1
When I created a user using the Management API and logged in using social login, a new user was created.
Case 2
When I logged in via social login it failed saying access denied. But it created a user, and when I create a user from the Management API for the same email it does allow me to create it.
I modified the script mentioned above and tried with the condition:
```javascript
// true when the connection in use is not the database ("auth0") strategy
// and the first identity on the profile is a social one
if (context.connectionStrategy !== "auth0" && user.identities[0].isSocial)
```
That was of no help. Any suggestions?
Case 1: this sounds like correct behaviour.
Case 2: this also looks like correct behaviour - at least technically, though probably not what you want. While a failed social login creates a new user, this user is created under the social connection, not the database connection.
When you create a new user via the Mgmt API, though, this user is created in the database connection. So yes, it allows you to create a new user, which is correct (as there is no other user existing with the same email address in this connection yet).
See this example: my user exists twice but under different connections. This is the same case like yours.
If you don’t want to allow this case, you need to create a pre-user registration hook (see Pre-User Registration) that checks whether a user with the same email address already exists across all connections, i.e. in a social connection.
Furthermore, you probably want to have the merging rule enabled, to merge users with the same email address:
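The pre-user registration check suggested above, as an added example that is not part of the thread: a hook body that refuses to create a database user when a profile with the same email already exists in any connection (for instance the social profile left behind by a denied social login). It assumes the legacy hook arguments (user, context, cb), that calling cb with an Error denies the registration while cb(null, { user }) allows it, and that the lookup uses the Management API "users by email" endpoint; the lookup is injected as findUsersByEmail so the file runs offline against a constructed directory, and in the real hook it would be the Node auth0 library's ManagementClient#getUsersByEmail (assumed here, check the library version you use).

```javascript
// Added example, not code from the thread: pre-user-registration hook logic
// that denies a database signup when the email already exists in any
// connection. Assumptions: legacy (user, context, cb) hook arguments,
// cb(err) denies and cb(null, { user }) allows, and the lookup is the
// Management API GET /api/v2/users-by-email (injected here as a function).

// Pure decision over what the users-by-email lookup returned. The profile
// being created does not exist yet, so any hit at all is a duplicate email;
// the conflicting profiles and their connections are reported for logging.
function registrationDecision(existing) {
  const conflicts = existing.map((profile) => {
    const connections = (profile.identities || []).map((id) => id.connection);
    return `${profile.user_id} [${connections.join(', ')}]`;
  });
  return { allowed: conflicts.length === 0, conflicts };
}

// Builds the hook. `findUsersByEmail(email)` must return a Promise of the
// matching profiles; in the real hook that would be
// ManagementClient#getUsersByEmail (assumed API, verify for your version).
function makePreUserRegistrationHook(findUsersByEmail) {
  return function preUserRegistration(user, context, cb) {
    if (!user || !user.email) {
      return cb(new Error('Signup requires an email address'));
    }
    // Normalise before the lookup so case differences do not slip past it.
    findUsersByEmail(String(user.email).trim().toLowerCase())
      .then((existing) => {
        const decision = registrationDecision(existing);
        if (!decision.allowed) {
          return cb(new Error(
            `An account with this email already exists: ${decision.conflicts.join('; ')}`
          ));
        }
        return cb(null, { user: user });
      })
      // A failed lookup denies the signup rather than letting a duplicate in.
      .catch(cb);
  };
}

// Constructed sample directory standing in for the tenant (not real data).
const SAMPLE_DIRECTORY = [
  {
    user_id: 'google-oauth2|1234',
    email: 'alice@example.com',
    identities: [{ provider: 'google-oauth2', connection: 'google-oauth2', isSocial: true }],
  },
  {
    user_id: 'auth0|5678',
    email: 'bob@example.com',
    identities: [{ provider: 'auth0', connection: 'Username-Password-Authentication', isSocial: false }],
  },
];

function sampleLookup(email) {
  return Promise.resolve(SAMPLE_DIRECTORY.filter((u) => u.email === email));
}

// Offline run: Alice already exists as a social profile, Carol does not.
const hook = makePreUserRegistrationHook(sampleLookup);
for (const email of ['Alice@example.com', 'carol@example.com']) {
  hook({ email }, { connection: 'Username-Password-Authentication' }, (err) => {
    console.log(email, err ? `denied: ${err.message}` : 'allowed');
  });
}
```

Denying in the hook closes the gap from Case 2 on the database side only; a social login will still create its own profile, so enabling the merge/link rule on top of this is what keeps one person from ending up as two profiles with the same email.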