How to securely validate users before allowing them to register

We are trying to restrict user signups to users we already know about (based upon other data we receive), but have been struggling to find a mechanism to do this securely that meets all our needs. We’ve worked with an Auth0 partner (our engagement has now ended, which is why I’m posting here) and they couldn’t find a good solution.

A couple of things we’re trying to achieve:

  • Allow users to find themselves in the system by searching by certain criteria (including but not limited to email), and then securely register a user in Auth0 that ties back to that record in our system.
  • Send secured links in emails where we have predetermined the record in our system that they should be linked to, allowing users to set a password/MFA and log in to the system.

These are actually pretty similar, because if we can create a secured link to Auth0 sign-up then it can be used for both cases.

Pretty much all the options we looked into worked for Username/Password users, but wouldn’t work for Social Logins which we need to support.

  • We could create the user using the management API and send a password reset email that’s customized to look like an invitation, but that locks them into having username/password.
  • We could use a single Organization for all users (yuck) and use invites, but that also ties them to a username/password database.
  • We considered pre-registration Actions to validate a link that contains a token that can be exchanged for the information needed to link to the record in our system, but Social Login signups bypass pre-registration/post-registration, so the validation gets skipped and we lose the information we need.

The best we could come up with was allowing all users to register and then, based upon user/application attributes on first login, triggering either Action Forms or a redirect to a custom site from the Post Login action to collect any additional information we need, or blocking them if we can’t find them in the system. That’s not great for users, as they may go through registration only to find they can’t use the site (perhaps they used a different email address from the one we have in our system).

Any suggestions before we go down the post-login route?

Thanks,

Andrew