We are currently looking at Auth0 for a new application we are building; This application will be invite-only, the invites being generated by users of an existing application we have built.
I have read the article here on invite-only applications - however there were a few customization we would be looking to make…
Essentially between our two applications we would have two types of users - Inviters and Invitees.
There would be two scenarios for invitation for our apps:
Scenario 1 - Invitee does not already exist
- An Inviter invites an Invitee and an email is sent to the invitee.
- The invitee accepts the invitation and is given access to our application.
- This process of invitation gives the invitee access to items created by the Inviter (e.g. they have claims added to the user that identify who they were invited by or something similar).
Scenario 2 - Invitee already exists
- A new Inviter invites an Invitee that already has an account with our application.
- This invitee has their user extended with new claims that also grants them access to items created by this new Inviter.
So my questions would be;
Would anyone be able to point me in the right direction for information about how to achieve step 3 of Scenario 1/Step 2 of Scenario 2 - i.e. at what point would I be able to extend the invitation flow to add something like custom claims or meta data?
As per the link I provided above, it sounds like with invitation-only flows a user is created and then moved into a modified reset-password-like scenario. Am I understanding this correctly? i.e. Is the user created as soon as they are invited (as opposed to only after they have accepted the invitation and set their password)?
For Scenario 2 - I am guessing we would have to write most of this logic ourselves as it is a fairly specific scenario. This would probably also flow into scenario 1 a bit because we would always need to check if the user was preexisting. Would there be anything in Auth0 that I might be missing that would help with this?