How to link an applicant to an Auth0 account

Hi,

I am trying to find a solution to our situation. There are a few threads that are close and others say “rule has been deprecated”, so I thought I would create a new thread to specifically find an answer.

We are performing a feasibility study looking to implement Auth0 as our identity provider and our implementation will observe clean architecture.

We have a .NET Core C#, Entity Framework backend with a React frontend. We have 1000s of members.

Our applicant and member database will remain on our backend to observe clean architecture.

We want to use a third party identity provider to take advantage of multi tier authentication and the latest security protections.

How we envisage our system to work is that an applicant will complete our registration form. Once the registration process is complete, we plan to use the machine-to-machine API to create an Auth0 account and request the applicant to identify themselves.

How will Auth0 know who is identifying themselves for which account? Can we temporarily link an Auth0 account to a sessionID until they have identified themselves?

What are the options available to us?

How do experts familiar with Auth0 achieve this process?

Thank you.
P.S. Whilst creating a new thread, a list of ‘similar’ topics is listed, but I could not click on them to view.

Hello @thesmelltaw,

Welcome to the Community. There are probably a number of options open to you. For example, after creating the Auth0 user account, you can send the user a password set/reset email… “Welcome to OurCompany.com! Please click here to set your password.”

Similar to your situation I think, we (where I work) know who our users are before they sign-up for online services, because they have purchased a financial product from us beforehand. So we create an account for them, with a randomly generated throwaway password, and send them a welcome email with a set password link (the set password link is actually just a link to the reset password page).

In our case we also ask them for an additional identifier (part of their social insurance number) which adds a layer of assurance. You could do something similar with a PIN sent to a cell phone or a backup email address. That’s assuming you need this level of assurance at all … if you don’t trust the email address the user provided to begin with then you may have more fundamental problems to deal with!

Mark
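
The flow described in the reply above (create the account with a throwaway password, then send a set-password link), as an added example that is not part of either post and is not Auth0's own code. It calls the Auth0 Management API endpoints `POST /api/v2/users` and `POST /api/v2/tickets/password-change`; the connection name, the `applicant_id` key in `app_metadata`, the 24-hour ticket lifetime and the function names are assumptions, and the machine-to-machine token (with `create:users` and `create:user_tickets` scopes) is obtained separately.

```python
import json
import secrets
import string
from urllib import request

CONNECTION = "Username-Password-Authentication"  # assumed: Auth0's default database connection

def throwaway_password(length=32):
    """Random password that is never shown to anyone; covers all four character classes."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*"]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def http_post(url, token, body):
    """Real transport: JSON POST authenticated with the machine-to-machine access token."""
    req = request.Request(url, data=json.dumps(body).encode(), method="POST",
                          headers={"Authorization": f"Bearer {token}",
                                   "Content-Type": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def provision_applicant(domain, token, applicant_id, email, post=http_post):
    """Create the Auth0 user for a known applicant and return (user_id, set-password link)."""
    base = f"https://{domain}/api/v2"
    user = post(f"{base}/users", token, {
        "connection": CONNECTION,
        "email": email,
        "password": throwaway_password(),   # discarded here; never stored or emailed
        "email_verified": False,
        "verify_email": False,              # the welcome email replaces the verification email
        "app_metadata": {"applicant_id": applicant_id},  # assumed key; ties the account to the backend record
    })
    ticket = post(f"{base}/tickets/password-change", token, {
        "user_id": user["user_id"],
        "ttl_sec": 86400,                   # assumed: link expires after 24 hours
        "mark_email_as_verified": True,     # using the link proves control of the mailbox
    })
    # Store user_id on the applicant row; put the ticket URL in the welcome email.
    return user["user_id"], ticket["ticket"]
```

The backend keeps the returned `user_id` against the applicant record, so the link between applicant and Auth0 account exists from creation and no session needs to carry it.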