Help required with approach to onboarding a new user into Auth0 with minimal manual intervention

I am currently working on an application that, among other things, side loads a number of users into our backend database. Each of these users needs to be added to our Auth0 tenant database as well. So, I used the management API’s create user function to create these users in Auth0.

Now, the following additional requirements need to be fulfilled:

  1. A user must not have a password initially and will have to set their own password, preferably after receiving an email instructing them to do so. In other words, the user must not be allowed to log in until they have set their own password.

  2. Every user must be enrolled for multifactor authentication by default using their phone number in our local database, without asking the user to manually do so.

  3. Password must be set to expire in 90 days. Once a user’s password expires, the user will no longer be able to log in without resetting their password.

  4. Custom password policy related to password length, special characters, etc.

I need to know whether all of these requirements can be handled using Auth0 and to what extent.

Hi @Sargent_D,

Points number 1, 2 and 4 can be easily achieved in Auth0 without any extra effort, but for point number 4 you need to implement some out-of-the-box logic; I believe that can be achieved.

Hi,

Could you please elaborate on how these can be achieved?

For 1, I was unable to find any such configuration since we have to assign a password to a new user and there is no explicit setting in Auth0 to expire a user’s password that I could find.

For 2, when I was reading the Guardian API library, there was no option to enroll a user automatically without requiring any action from the user. A phone number enrollment for SMS would still send an enrollment SMS to the user’s phone.

For 3, I was thinking of using a rule to check the user’s last password change date and then throw an exception, but I don’t know how this can prompt a password reset.

For 4, I do not know how to set the password criteria so that my custom criteria appear in Auth0’s new password universal login screen.
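The rule idea mentioned for point 3 above, sketched as an added example (not code from this thread or from Auth0). It assumes the `last_password_reset` and `created_at` user profile fields and the `(user, context, callback)` rule signature; `UnauthorizedError` is defined here as a stand-in for the global the Rules runtime provides, `context.now` is a hypothetical hook for testing, and the sample users are constructed.

```javascript
// Stand-in for the UnauthorizedError global that the Auth0 Rules runtime
// provides; defined here only so the example runs under plain Node.js.
class UnauthorizedError extends Error {}

const MAX_PASSWORD_AGE_DAYS = 90; // requirement 3 in the question
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Pure helper: true when the password is older than the limit.
// Side-loaded users who never reset have no last_password_reset, so the
// account creation time is used instead. Unparseable dates fail closed.
function isPasswordExpired(user, now = new Date()) {
  const changedAt = new Date(user.last_password_reset || user.created_at);
  if (Number.isNaN(changedAt.getTime())) return true;
  return (now - changedAt) / MS_PER_DAY > MAX_PASSWORD_AGE_DAYS;
}

// Rule-shaped function: deny the login when the password has expired.
function passwordExpiryRule(user, context, callback) {
  // context.now is a hypothetical test hook, not an Auth0 field.
  if (isPasswordExpired(user, context.now)) {
    return callback(new UnauthorizedError('password_expired'));
  }
  return callback(null, user, context);
}

// Constructed sample users, not real data.
const NOW = new Date('2024-06-01T00:00:00Z');
const sampleUsers = {
  fresh: { created_at: '2023-01-01T00:00:00Z', last_password_reset: '2024-05-01T00:00:00Z' },
  stale: { created_at: '2023-01-01T00:00:00Z', last_password_reset: '2024-01-01T00:00:00Z' },
  neverReset: { created_at: '2024-01-15T00:00:00Z' },
  broken: { created_at: 'not-a-date' },
};

// Runs the rule against one user and reports the outcome as a string.
function runRule(user) {
  let outcome;
  passwordExpiryRule(user, { now: NOW }, (err) => {
    outcome = err ? err.message : 'allowed';
  });
  return outcome;
}
```

The rule only blocks the login with a `password_expired` error; it does not by itself send a reset email, so the application still has to react to that error.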