Help on implementing User Invitation Auth Flow

Hi everyone

I’m trying to implement User Invitation Auth using this tutorial: Send Email Invitations for Application Signup

However, I’m confused right now. Let me explain what we are doing right now:

  • A user is created using the api: Create User API
  • Then, we send an email with the Change Password template, but as a Welcome Template, using the flag email_verified to check which email we should send.
  • The user receives the email and sets the password for the first time.

This is working well. However, in the first step, we have to set a password, so we are using our default password. So, what do we really want?
We want to implement the same flow described above, but without setting up the default password!

From what I investigated, this tutorial is the best approach. But it also requires a user already created in the connection. But for that, we need a password: so now I’m really confused

Am I missing something?

Thanks in advance

As far as I can tell you cannot create a database connection user without a password. Therefore you basically need a random password generator that obeys the password security standards.

Choosing one default password would be really bad from a security perspective.

To be honest, for me this was a showstopper in that already complex invitation flow that utilizes password reset. So we switched to organization invites, which is a much simpler ticketing approach: Invite Organization Members

But it comes with its own pitfalls, I can tell. I really like auth0 but the way they offer invitation options is really obsolete.

1 Like
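To make the "random password that obeys the policy" part of the answer concrete, here is an added example (not code from the original post, nor from Auth0). It generates a throwaway password with a CSPRNG, builds the two Management API requests the first post's flow uses (create user, then a password-change ticket to send as the welcome email), and never returns or stores the password. The endpoint paths and field names follow the Auth0 Management API as documented at the time of writing; the minimum length and character-class rule are an assumption, so adjust them to your tenant's password policy. `FakeManagementApi` is a constructed stand-in for the HTTP client so the example runs offline.

```python
import secrets
import string

# Character classes used by the policy check. Assumption: the tenant policy wants
# at least 10 characters drawn from several classes; tune to your own settings.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{}:,.?"
MIN_LENGTH = 10


def generate_invite_password(length: int = 32) -> str:
    """Return a random throwaway password containing every character class.

    The value is only used to satisfy the 'user must have a password' rule at
    creation time; the invitee replaces it via the password-change ticket.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    pools = [LOWER, UPPER, DIGITS, SPECIAL]
    chars = [secrets.choice(pool) for pool in pools]          # one of each class
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so class positions are not fixed.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def password_meets_policy(pw: str) -> bool:
    """Check length and that all four character classes are present."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c in LOWER for c in pw)
        and any(c in UPPER for c in pw)
        and any(c in DIGITS for c in pw)
        and any(c in SPECIAL for c in pw)
    )


def build_create_user_request(email: str, connection: str, password: str) -> dict:
    """POST /api/v2/users body; email_verified=False marks 'welcome email pending'."""
    return {
        "method": "POST",
        "path": "/api/v2/users",
        "body": {
            "email": email,
            "connection": connection,
            "password": password,
            "email_verified": False,
            "verify_email": False,   # we send our own welcome email instead
        },
    }


def build_password_change_ticket_request(user_id: str, result_url: str,
                                         ttl_sec: int = 86400) -> dict:
    """POST /api/v2/tickets/password-change body for the welcome/set-password link."""
    return {
        "method": "POST",
        "path": "/api/v2/tickets/password-change",
        "body": {
            "user_id": user_id,
            "result_url": result_url,
            "ttl_sec": ttl_sec,
            "mark_email_as_verified": True,  # completing the ticket flips email_verified
        },
    }


def invite_user(send, email: str, connection: str, result_url: str) -> str:
    """Create the user with a throwaway password and return the ticket URL to email.

    `send(method, path, body) -> dict` is an injectable HTTP client; the random
    password is dropped as soon as the create call succeeds.
    """
    password = generate_invite_password()
    created = send(**build_create_user_request(email, connection, password))
    del password
    ticket = send(**build_password_change_ticket_request(created["user_id"], result_url))
    return ticket["ticket"]


class FakeManagementApi:
    """Constructed offline stand-in recording calls and returning canned responses."""

    def __init__(self):
        self.calls = []

    def send(self, method, path, body):
        self.calls.append({"method": method, "path": path, "body": body})
        if path == "/api/v2/users":
            return {"user_id": "auth0|placeholder-user-id"}
        if path == "/api/v2/tickets/password-change":
            return {"ticket": "https://TENANT.example.auth0.com/lo/reset?ticket=PLACEHOLDER"}
        raise ValueError(f"unexpected path {path}")


if __name__ == "__main__":
    api = FakeManagementApi()
    link = invite_user(api.send, "invitee@example.com",
                       "Username-Password-Authentication", "https://app.example.com/welcome")
    print("send this link in the welcome template:", link)
```

Note that the only place the random password exists is inside `invite_user`; it is never logged, returned or persisted, which is what makes "random per user" safe where a shared default password is not.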

Thanks for answering @hendrik

One limitation that I see with Invite Organization Members is that we can’t set as Application Login URI a local environment that doesn’t use https. Any workaround regarding that?

And also, for Invite Organization Members, it is not that clear what we have to do after the user accepts the invitation from the email. Can you elaborate more about this, please?

Well regarding the https redirects I can’t tell, since we also use https routes in the local dev env.

Regarding the flow, it of course requires you to have at least one organization set up. For now we use one default organization for all invitations.

Our app however runs without a certain organization scope at the moment.

It is a hybrid way, which allows for self-signup (not possible in organization scoped app) and invitations (only possible in organization scoped apps).

That’s what I meant with the pitfalls.