Invite users via link or form and apply app_metadata from querystring params

Here’s the scenario I’m trying to create:

From my application, an owner can enter an email address to send an invite to someone.

This invite either includes a link with a couple of querystring parameters, or a form that submits data along with it, and this data needs to be entered into the new user's app_metadata and set an Auth0 Role.

The issue is that we have an application with multiple companies that use it and the invite needs to go out to someone and have a context of which company sent the link so they are automatically added.

It’s not enough for a user to just sign up with Auth0 because there is no way to associate the user with a company and therefore the user would just log in to the page and see nothing contextual.

We also need to apply a custom Auth0 Role at the same time.

What is the best method to achieve this?

Hey @jasoncascadia,

I know it’s been 5 days since you posted the question, so you probably solved this already. If you haven’t yet, I have a few questions about the scenario to understand better what would be the best way to approach it:

  • Who sends the invite? Is it an admin of the company that already has an account in your app?
  • What would happen if someone receives an invite and changes the value of the attribute that determines which company they’re supposed to join? Would they join a different company?

I’m thinking that it’d be best to implement the invite system outside of Auth0, where you store an “invite” record which includes a nonce (unique and obscure ID), the email address, the company the user is supposed to join, and role.

Your app sends out the email, which includes a link with the nonce, like https://example.com/invite/{nonce}. Your app handles the invite by checking the invites table for the invite, and creates the Auth0 user in the background, with the corresponding company and role access, and then removes the invite record so that the link doesn’t work twice (for security purposes in case the access is revoked in the future).

Hello. No, I haven’t solved this yet. I’ve been working with support as well but the solutions don’t seem quite right.

So the plan is to have a company owner (set via a Role) invite users by email address.

If they tried to change the company ID in the data they would have to guess the GUID, so it’s extremely unlikely to cause problems.

My hope was to only keep track of companies and their IDs in our database and push all the authentication information (emails, names, etc) over to Auth0.

But if I have to develop my own invitational I can work on that.

Really what we want is for people to be able to use the Social logins (i.e. Facebook) but if they sign up that way, they don’t have a correlation between their login and the company ID. So someone would have to manually go in and add them. Unless something on our system does that because we have their email and associated company in our system. We’re looking at having two sources of record, though.

One way to implement this would be to create users via API, storing the company GUID in their metadata, along with a flag to indicate if the user has accepted the invite. You’d send them the email with a link pointing to your app to complete the enrollment.

The challenge with this flow is that you can only create users for database and passwordless connections, so it wouldn’t work for social connections.

One workaround for this would be to always create a user in a database connection as part of the invite flow, and later give them the option to link their user with other social connections.

1 Like
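
The invite-record flow suggested earlier in this thread (a nonce, the email, the company, the role, and a link that works only once) can be sketched as below. This is an added example, not code from any poster or from Auth0. The in-memory `Map`, the function names, the 7-day expiry and storing only a hash of the nonce are assumptions, and creating the Auth0 user and assigning the role from the returned record is left to the caller.

```javascript
// Added example: in-memory stand-in for the "invites" table described above.
const crypto = require("node:crypto");

const INVITE_TTL_MS = 7 * 24 * 60 * 60 * 1000; // assumed lifetime: 7 days

// Only a hash of the nonce is stored, so a leaked table does not yield usable links.
const hashNonce = (nonce) =>
  crypto.createHash("sha256").update(nonce).digest("hex");

// Called when a company owner invites someone. companyId and role come from
// the owner's authenticated session, never from the invitee.
function createInvite(store, { email, companyId, role }, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString("hex"); // 256-bit, unguessable
  store.set(hashNonce(nonce), {
    email: email.toLowerCase(),
    companyId,
    role,
    expiresAt: now + INVITE_TTL_MS,
  });
  return `https://example.com/invite/${nonce}`; // the link carries the nonce only
}

// Called by the /invite/{nonce} handler. Returns the stored invite exactly
// once, or null for unknown, already used, or expired nonces.
function redeemInvite(store, nonce, now = Date.now()) {
  if (typeof nonce !== "string" || !/^[0-9a-f]{64}$/.test(nonce)) return null;
  const key = hashNonce(nonce);
  const invite = store.get(key);
  if (!invite) return null;
  store.delete(key); // single use: remove before acting on it
  if (now > invite.expiresAt) return null;
  // Company and role are read from the record; query-string values are ignored.
  return { email: invite.email, companyId: invite.companyId, role: invite.role };
}

// Constructed sample data.
const invites = new Map();
const link = createInvite(invites, {
  email: "New.User@example.com",
  companyId: "3f2b7c1e-0000-4000-8000-000000000001",
  role: "member",
});
const nonce = link.split("/").pop();
console.log(redeemInvite(invites, nonce)); // invite record on first use
console.log(redeemInvite(invites, nonce)); // null on replay
```

Because the link carries nothing but the nonce, editing it cannot move the invitee to another company: a changed value matches no record.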