How to check whether a Passwordless sign-in is a first-time sign in or not?

oded.magger · January 17, 2021, 9:37am

I implemented a Passwordless connection with SMS, using Embedded Login on React Native.

On a User/Password DB connection, sign up and log in are two distinct API calls. On Passwordless, however, when a user signs in, an Auth0 user is created implicitly if no user previously existed for that phone number.

Is it possible to know whether a Passwordless sign in is a ‘Sign Up’ or a ‘Log in with exisitng user’?

The only solution I could think of was calling the User Management API to see if a user with this phone number exists, but I really want to avoid the additional API call, as well as the privacy and security risks derived from letting pre-authenticated end user pull data about existing users.

stephanie.chamblee · January 19, 2021, 8:57pm

Hi @oded.magger,

I am setting up a passwordless connection with SMS now to look into this.

Does your app need to know if the user is newly created after they log in or do you need to access this info elsewhere?

What SDK are you using?

oded.magger · January 19, 2021, 9:10pm

Thank you for checking, @stephanie.chamblee !

I am using GitHub - auth0/react-native-auth0: React Native toolkit for Auth0 API .

Yes, the app needs to know if the user is newly created directly after login is successful.

stephanie.chamblee · January 20, 2021, 1:16pm

Ah okay! One way to accomplish this would be to add the user’s login count as a custom claim in the ID Token via a Rule. The Rule has access to the user’s login count from the Context Object.

To set this up, you can click on Rules from within your dashboard and click “+ CREATE RULE”. Select “Empty Rule”.

function (user, context, callback) {
  const namespace = 'https://YOUR_APP_DOMAIN/';
  const userType = context.stats && context.stats.loginsCount === 1 ? 'new' : 'existing';
  context.idToken[`${namespace}userType`] = userType;
  return callback(null, user, context);
}

When you decode the ID Token the value of namespace/userType will be either “new” or “existing” based on their login count. You could alternatively include the login count as the custom claim if preferred by adjusting the code within the Rule.

function (user, context, callback) {
  const namespace = 'https://YOUR_APP_DOMAIN/';
  const loginCount = context.stats && context.stats.loginsCount ? context.stats.loginsCount : 0;
  context.idToken[`${namespace}loginCount`] = loginCount;
  return callback(null, user, context);
}

Here are docs about adding custom claims to ID Tokens: Sample Use Cases: Scopes and Claims

oded.magger · January 21, 2021, 4:35pm

Thanks, @stephanie.chamblee ! Tested it and it works like a charm.

system · February 5, 2021, 4:35pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.