I’m learning JavaScript and think Auth0 will be very helpful.
In a nutshell I want to provide a way for users to register and enforce restrictions if their email address has not been validated. I’m not interested in Social Logins etc. because I need people to register using their work email addresses.
I’ve tried several sample apps but I’m getting stuck on (what I would have thought to be one of the more trivial tasks) how do I check if the user’s email has been validated / verified?
This rule will only allow access users that have verified their emails. Note that it might be a better UX to make this verification from your application.
But there is no explanation that I can find of how to make the verification from the application, and I have no idea how to start searching for an answer (well I do, but I couldn’t find anything that helped me). It would be great if someone could provide a few baby steps.
[Edit - I had a look at the email verification ticket but that seems to be more to do with requesting the user verify their email as opposed to checking the status of "email_verified": true ]
Thank you - I was confused as I was working through these tutorials (I hadn’t noticed the list to the left), even so I’m still stuck.
The second tutorial “user profile” does not seem to include the information suggested by your reply, clicking on the [Profile] button in the example provides JSON as shown below:
Clicking on the [Profile] button does not provide any mention of email_verified, however, when I look at the User Profile in the Dashboard I can see the Raw JSON…
So I guess my question is - how do I retrieve the Raw JSON?
Must I use the Management API?
Cheers, S
PS I’ve only completed Tutorials 1 & 2 so far (previously at time of OP Tutorial 1).
This is stretching my skills a bit I think, but I believe if you want to retrieve the entire user profile, then you do need to use the management API and a management API key.
You can add specific parts of the user profile to the user’s idToken using rules and custom claims.
I haven’t had a look at those tutorials in a while, but if I get a chance I might go through them again to see if updates are warranted.
This document describes the Auth0 Management API, which is meant to be used by back-end servers or trusted parties performing administrative tasks. Generally speaking, anything that can be done through the Auth0 dashboard (and more) can also be done through this API.
That’s correct, client-side is definitely not secure and should not be trusted. For the latest on securing client-side stuff, have a look at this post. One of the other pros around here may be able to offer some insight into building your app securely. That said, if you do need access to just some of the user’s profile attributes, custom claims should do what you want.
I’ve been reading Auth0 documentation for a few days now and finally have a solution based on a SPA Tutorial for User Profile using JavaScript. I ended up using a rule for enforcing email-validation and have modified the code in app.js (handleAuthentication) to provide a more pleasant user experience. It’s a bit ugly, but it works (for the moment).
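
The custom-claims approach suggested in the thread, sketched as an added example (not code from the thread or from Auth0): a rule copies `email_verified` into the ID token, and the SPA reads it only to choose which view to show. The namespace URL, the function names and the sample users and tokens are constructed assumptions.

```javascript
// Hypothetical namespace for the custom claim (assumption: a URL you control).
const NS = 'https://example.com/';

// Auth0 rule body: copy the verification flag into the ID token as a custom
// claim instead of rejecting the login outright.
function addEmailVerifiedClaim(user, context, callback) {
  context.idToken = context.idToken || {};
  context.idToken[NS + 'email_verified'] = user.email_verified === true;
  callback(null, user, context);
}

// SPA side: decode the JWT payload. No signature check happens here, so the
// result may drive what the UI shows but must never authorize anything.
function decodePayload(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')));
}

// Pick the view to render; anything other than a literal true is unverified.
function viewFor(idToken) {
  const claims = decodePayload(idToken);
  return claims[NS + 'email_verified'] === true ? 'app' : 'verify-email-notice';
}

// Constructed sample data: run the rule for a fake user and wrap the resulting
// claims in a token-shaped string with a placeholder signature.
function sampleToken(user) {
  const context = {};
  addEmailVerifiedClaim(user, context, () => {});
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = enc({ alg: 'RS256', typ: 'JWT' });
  const payload = enc({ sub: user.user_id, ...context.idToken });
  return [header, payload, 'constructed-signature'].join('.');
}

console.log(viewFor(sampleToken({ user_id: 'auth0|1', email_verified: true })));
console.log(viewFor(sampleToken({ user_id: 'auth0|2', email_verified: false })));
```

Any API that restricts data to verified users has to validate the token signature itself and check the same claim server-side, since the browser copy can be altered.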