How can I verify a new user's email after a password reset

Hello there, first time poster here.

I’m in the process of reworking my user creation process and need some help figuring out the appropriate way to do this.

Current Implementation

We assign a static password to new users and send them a welcome email that brings them to the login page. Upon their first login, users are prompted to reset their password and enroll in MFA.

Desired Implementation

I want to move to a system where we create a user with a randomly generated password, then the user is sent a change-password email disguised as a welcome email. The trick that I'm having trouble figuring out is how to verify their email without a second email. I've found the following items:

  • There is a PasswordChangeTicketRequest model used for creating password change tickets, and there is a MarkEmailAsVerified field that would mark the email as verified once the user changes their password (exactly what I need). However, this requires you to use your own email service to send the ticket to the user, and I would like to use the Auth0 built in Change-Password email template service to send the email.
  • Actions could be a choice for setting the user's email_verified status in the Post Change Password flow. My only issue with this is in the case that I roll out a whole new tenant and may have many users reset their passwords at once, I would need to call for a new OAuth token in each of these actions, and may get rate limited, which could lead to the action taking longer to complete than Auth0 allows.
    • I’ve seen some posts about doing this with rules, but those are soon to be deprecated so I can’t utilize that.

I already have a method in my API currently for generating a password reset ticket (for existing users) in Auth0 with the ChangePasswordRequest model that has Auth0 send the Change-Password email template to the user, but this model does not contain a field for MarkEmailAsVerified.

Closing

Am I overthinking this? I feel like there should be a simple way to have a new user receive a password reset email that also verifies their email. Is there a way to access an Auth0 accessToken inside of an action without making a call to the Auth0 OAuth endpoint? Any information would help greatly, thank you in advance!

Hi @staylor,

Welcome to the Auth0 Community!

I recommend following our Send Email Invitations for Application Signup documentation, which details how to repurpose a Password Change email template as a welcome email to have users set a password for the first time.

Then use a Post-Login Action script to deny the user access until they have successfully verified their email address.

For this approach, you will need to configure a Custom External SMTP Email Provider since the Auth0 built-in email provider is meant for testing purposes only.

As for verifying the user after the password reset, this should not require any action from you. Let me explain further: once a user goes through the email password change flow, the email_verified attribute will automatically be updated to true after a successful password change. This is because the process of an end user accessing the password reset link in an email proves ownership of that email address and thus their 'email_verified' attribute can be implicitly updated to 'true'.

I hope this was clear!

Thanks,
Rueben
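As an added example (not code from the thread or from Auth0's documentation), here is the Post-Login Action the reply suggests: it denies access until `event.user.email_verified` is true. The handler shape (`onExecutePostLogin(event, api)`, `api.access.deny`) is Auth0's Actions API; the fake `api` object and the sample users are constructed so the file runs offline under node.

```javascript
// Post-Login Action: block sign-in until the user's email is verified.
// Auth0 flips email_verified to true after a successful email-based password
// change, so a new user invited via the Change-Password template passes this
// check as soon as they have set their password; nothing else is needed.
const onExecutePostLogin = async (event, api) => {
  if (!event.user || event.user.email_verified !== true) {
    api.access.deny('Please verify your email address before signing in.');
  }
};

// In the Auth0 Actions editor this is exported as exports.onExecutePostLogin.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed stand-in for the real Auth0 `api` object: it only records
// whether access.deny was called and with what reason.
function makeFakeApi() {
  const state = { denied: false, reason: null };
  return {
    state,
    access: {
      deny(reason) {
        state.denied = true;
        state.reason = reason;
      },
    },
  };
}

// Run the action against a constructed event for the given user profile and
// return the recorded outcome. The handler contains no await, so its deny
// call has already happened by the time the returned promise is created.
function evaluate(user) {
  const api = makeFakeApi();
  onExecutePostLogin({ user }, api);
  return api.state;
}

// Constructed sample users: one fresh invite, one who completed the reset.
const freshInvite = { email: 'new.user@example.com', email_verified: false };
const afterReset = { email: 'new.user@example.com', email_verified: true };
```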
