Email verification as part of new universal login sign up process

We are using the new universal login experience, and we would love to be able to include the email verification using OTP or link in your sign-up process. We don’t want to allow non-verified users to log in, but we also don’t want to handle this ourselves.

With how things work today, users get an email after they sign up with a link to verify their email address. Users can still log in though, even without a verified email address. I know we could use a rule in Auth0 to restrict access for non-verified users, and implement some UI in our app informing the users that they have to verify their email address to continue, but we want this entire process to be handled in the universal login experience.

We want to be able to configure our Auth0 tenant to enforce email verification during the sign-up/login process, so we know that when a user is logged in the email has been verified. We want Auth0 to take care of all of this, and we want to be able to choose between verifying the email with a link or with a one-time code.

Thanks for the feedback!

Yes, this feature would be great to have as soon as possible. It could be like Instagram, where the user must confirm the email address by passing a code. After that the user is created and can sign in. The user experience benefits if it's solved as an option within the universal login.

4 Likes

Hi!

This would be awesome, we still need to use the Classic login experience because the user experience is not the same (by far), because there is no easy way to sign up a user with the new flow.
We are currently unable to use the new universal login, because this very basic sign up flow (which is by the way supported by all the big techs) is not yet implemented into Auth0.

Our flow is this: The registered user invites another user to use the platform. He receives an email and clicks on it. It currently says enter the email and then proceeds with passwordless authentication, which is seamless for the end-user.

Now imagine this: The registered user invites another user to use the platform. He receives an email and clicks on it. The page says login or sign up (auth screen). The user clicks on the sign up button, enters email, then a new password. Now, because we disabled login without verified emails, he receives an error that he must verify his email. Ok. He opens his emails, finds the verification mail, and clicks on it. The account is verified, but he must open the original email invitation from the registered user because there was some queryString in the URL, which at this time is lost. He has to log in again.

I think this feature still needs some time to be ready, but my question is can we somehow, with actions/rules still use the new universal login without scaring away users? I read in other articles that it might be possible with pre-registration actions, but I haven’t seen any examples. If this is possible to do anyhow, can you share some examples with us?

Thanks in advance,
Mark

2 Likes

I would like to add that this may be needed also on first login.
We have users created externally without signup process.

If we could add a step with OTP via email on the first login, it will allow us to prevent login until email is verified.

Currently we have to deny the login, provide a custom error in the app, set the “Send a verification email again” link and so on.

The flow would be

  • Enter credentials
    • code is sent by email*
  • Enter OTP code or ask for a new one

I think this is already the flow for ADFS users. We want to enable it for all users.

1 Like

Thank you everyone for your feedback and context! We review those feedback cards on a monthly basis and will let you know once we have any updates to share!

1 Like

This is definitely one of those things where the further down the rabbit hole I go with Auth0, I find things and think “WTH? I decided to pay so I don’t have to do this myself, now I’m having to do this myself”. Really wish I’d never started on the Auth0 journey. This is BASIC STUFF.

5 Likes

This is still not implemented?

3 Likes

I’m still trying to get my head around what is and isn’t built in to Auth0 when it comes to email verification on sign up. The documentation[1] doesn’t make it clear to me.

[1] https://auth0.com/docs/manage-users/user-accounts/verify-emails

My current understanding is that the following are provided:

  • Auth0 takes care of sending an email on sign-up, assuming an outbound email service is correctly configured in the tenant config.
  • Auth0 stores a flag against the user to signal whether they have verified their email address.
  • Auth0 takes care of updating the aforementioned flag if the user clicks through on any of their emails, whether it’s the original verification email or for example a password reset email.
  • Auth0 provides a sign-in trigger action that fails the sign-in flow (this forum blocks links but google "Require Email Verification" Auth0 marketplace ) if the user does not have a verified email as per the aforementioned flag. It does not however prompt the user to verify their email, or offer to re-send a verification email, or hook into any flow other than sign-in. It just causes the sign-in flow to fail. So it cannot be used e.g. to prevent the creation of users with bogus emails.

The following cannot be provided as part of the Auth0 sign-in or sign-up flow, and must therefore be managed at the application level:

  • Prevent sign-up (user creation) unless the supplied email is verified.
  • Present a meaningful message to the user and block application access when they have logged in with valid credentials but have not yet verified their email address.
  • Allow the user to request that a verification email is re-sent.

I really hope I can be proven wrong here, because it seems to me that a lot of (unexpected) effort is put on the application developer.

Oh wow… I think I’ve finally figured out that it is in fact possible to do this entirely within Auth0. However, it’s non-trivial: you have to make heavy use of the low-code login flow customisations.

You will need:

  1. A custom Form that defines the screen to show the user when their address is unverified, and a button to allow resending the verification.
  2. A custom Flow to call the Auth0 API to resend the verification email when the user requests it. This piece also requires that you are set up to do M2M calls to your Auth0 Management API.
  3. A custom action in the Post-Login trigger graph to show the form at the end of the login sequence as long as the email address is unverified.

Why this is not baked into Auth0’s built-in components is a mystery to me. Again, I wonder if I’ve missed a way to do this more easily.

1. Custom form:

2. Custom Flow:

3. Custom Action:

```javascript
const form_id = '<YOUR FORM ID>';

/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    api.prompt.render(form_id);
  }
};

/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onContinuePostLogin = async (event, api) => {
  // Re-present the form to the user on completion of the form as long as email is still unverified.
  if (!event.user.email_verified) {
    api.prompt.render(form_id);
  }
};
```
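
The resend step described in item 2 above (an M2M token followed by a Management API call), written out as standalone Node.js. This is an added example, not code from the original post or from Auth0: the `cfg` values, the cooldown and the `makeStubFetch` helper are assumptions, and the two endpoints are Auth0's `/oauth/token` and `/api/v2/jobs/verification-email`.

```javascript
// Added example, not from the original post: the two HTTP calls behind step 2.
// Assumptions: cfg values are placeholders; the M2M application is authorized for
// the Management API with the update:users scope; the cooldown value is arbitrary.
const RESEND_COOLDOWN_MS = 60_000;
const lastSent = new Map(); // user_id -> time of last resend (in-memory, demo only)

async function getManagementToken(cfg, fetchImpl) {
  const res = await fetchImpl(`https://${cfg.domain}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      audience: `https://${cfg.domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

async function resendVerificationEmail(cfg, user, fetchImpl = fetch, now = Date.now()) {
  // Never mail an already-verified address, and throttle repeated clicks so the
  // resend button cannot be used to flood a mailbox.
  if (user.email_verified) return { sent: false, reason: 'already_verified' };
  const last = lastSent.get(user.user_id);
  if (last !== undefined && now - last < RESEND_COOLDOWN_MS) return { sent: false, reason: 'cooldown' };
  const token = await getManagementToken(cfg, fetchImpl);
  const res = await fetchImpl(`https://${cfg.domain}/api/v2/jobs/verification-email`, {
    method: 'POST',
    headers: { 'content-type': 'application/json', authorization: `Bearer ${token}` },
    body: JSON.stringify({ user_id: user.user_id }),
  });
  if (!res.ok) throw new Error(`verification-email job failed: ${res.status}`);
  lastSent.set(user.user_id, now);
  return { sent: true, job: await res.json() };
}

// Constructed stand-in for fetch so the example runs offline; it records each call.
function makeStubFetch() {
  const calls = [];
  const fetchImpl = async (url, init) => {
    calls.push({ url, body: JSON.parse(init.body), headers: init.headers });
    const payload = url.endsWith('/oauth/token')
      ? { access_token: 'stub-token' } : { id: 'job_stub', status: 'pending' };
    return { ok: true, status: 200, json: async () => payload };
  };
  return { fetchImpl, calls };
}
```

In a real deployment the client secret belongs in a secret store and the cooldown state in shared storage rather than a process-local `Map`.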