Hello there, first time poster here.
I’m in the process of reworking my user creation process and need some help figuring out the appropriate way to do this.
We assign a static password to new users and send them a welcome email that brings them to the login page. Upon their first login, users are prompted to reset their password and enroll in MFA.
I want to move to a system where we create a user with a randomly generated password, then the user is sent a change password email disguised as a welcome email. The trick that I’m having trouble figuring out is how to verify their email without a second email. I’ve found the following items:
- There is a `PasswordChangeTicketRequest` model used for creating password change tickets, and there is a `MarkEmailAsVerified` field that would mark the email as verified once the user changes their password (exactly what I need). However, this requires you to use your own email service to send the ticket to the user, and I would like to use the Auth0 built-in Change-Password email template service to send the email.
- Actions could be a choice for setting the user’s `email_verified` status in the Post Change Password flow. My only issue with this is in the case that I roll out a whole new tenant and may have many users reset their passwords at once: I would need to call for a new OAuth token in each of these actions, and may get rate limited, which could lead to the action taking longer to complete than Auth0 allows.
- I’ve seen some posts about doing this with rules, but those are soon to be deprecated so I can’t utilize that.
I already have a method in my API currently for generating a password reset ticket (for existing users) in Auth0 with the `ChangePasswordRequest` model that has Auth0 send the Change-Password email template to the user, but this model does not contain a field for
Am I overthinking this? I feel like there should be a simple way to have a new user receive a password reset email that also verifies their email. Is there a way to access an Auth0 accessToken inside of an action without making a call to the Auth0 OAuth endpoint? Any information would help greatly, thank you in advance!