Managing Email Collection and Verification in Auth0 for SSO Across Multiple Projects

I am using Auth0 for single sign-on (SSO), with three projects sharing the same tenant. In all these projects, having an email is mandatory. Users logging in via Auth0 in my projects should always have an email. However, I noticed that Facebook allows account binding via phone number, which means that users logging in through Facebook OAuth in Auth0 may not have an email. I want to enforce a process within the Auth0 login flow that requires users to provide an email if it is missing, rather than handling missing emails separately in each project. How can I achieve this?

Additionally, I want users to verify their email during the Auth0 registration and login process, so that when they are redirected to the project, there is no need to handle verification again. Currently, Auth0 sends a verification email during registration but does not block the redirection; users are redirected to the project URL immediately. If a user does not click the verification email, I still need to verify their email status in each project. I hope to integrate the email verification flow directly into Auth0, such that after registration, users are redirected to a “waiting for verification” page, or during login, if their email is unverified, they are sent to the same page, with the ability to resend the verification email.

These two requirements are related: when a user does not have an email, they should be prompted to provide one; once submitted, a verification email should be sent immediately, and the user should be redirected to the verification-waiting page with the option to resend the email.

So far, I have tried using Actions, Forms, and Flows to manage this, but unfortunately, I have not been successful. Ideally, I would like to handle everything within the Auth0 platform. I would like to know whether Actions, Forms, and Flows can accomplish all the points I mentioned. If it is possible, I would appreciate some references or examples. If not, are there alternative solutions? The only alternative I am aware of is redirecting users from Actions to a custom page to collect emails and handle verification (including resending), but this requires maintaining a separate project. I would prefer a solution that works entirely within Auth0.

I hope to get some guidance.
Thank you.


Hi @isboyjc

Welcome to the Auth0 Community!

I am sorry about the delayed response to your questions.

You should be able to accomplish that respective flow using Auth0 Actions and Forms.
Within an Action, you will need to check if the respective user is logging in using the Facebook social connection and if their email address is populated as such:

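exports.onExecutePostLogin = async (event, api) => {
  // Render the Form when a Facebook login arrives without an email.
  // A missing email is undefined or empty on event.user, never " ".
  if (event.connection.name === "facebook" && !event.user.email) {
    // {{form_ID}} is a placeholder for the ID of your Form.
    api.prompt.render('{{form_ID}}');
  }
};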

In your Form, you can create the following form structure:

The flow below does the following:

  • Retrieve email address from user
  • Send an Email Verification Ticket to the email address
  • Step informing the user to check their account
  • Flow which adds the email address to the user profile

Once the Form flow is completed, in the onContinuePostLogin you can check if your users have their email verified like this:

exports.onContinuePostLogin = async (event, api) => {
  // Runs when the login resumes after the Form; block unverified emails.
  if (!event.user.email_verified) {
    api.access.deny("Your email address is not verified. Please verify it and try to log in again");
  }
};

If you have any other questions, let me know!

Kind Regards,
Nik
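
Added example, not part of the original post and not Auth0's own code: the two handlers above combined into one fail-closed gate. It goes beyond the Facebook-only check by applying the same decision to every connection, and it also denies users whose email is present but unverified. `FORM_ID`, `emailGate` and the sample users in the comments are constructed; in the Action editor the two handlers are assigned to `exports.onExecutePostLogin` and `exports.onContinuePostLogin`.

```javascript
// Placeholder: the ID of the Form that collects the email address.
const FORM_ID = "REPLACE_WITH_FORM_ID";
const DENY_MSG =
  "Your email address is not verified. Please verify it and try to log in again";

// Decide what the login flow must do for a user profile.
// Returns "collect" (no usable email), "deny" (unverified) or "allow".
function emailGate(user) {
  const email = typeof user.email === "string" ? user.email.trim() : "";
  if (email === "") return "collect";
  // Only a literal true counts; undefined, null or "true" fail closed.
  if (user.email_verified !== true) return "deny";
  return "allow";
}

// Assign to exports.onExecutePostLogin in the Action editor.
const onExecutePostLogin = async (event, api) => {
  const decision = emailGate(event.user);
  if (decision === "collect") {
    api.prompt.render(FORM_ID);   // pause the login and show the Form
  } else if (decision === "deny") {
    api.access.deny(DENY_MSG);    // email exists but was never verified
  }
  // "allow": nothing to do, the login continues to the application
};

// Assign to exports.onContinuePostLogin; runs after the Form completes.
// Assumption: event.user reflects the profile as updated by the Form's flow.
const onContinuePostLogin = async (event, api) => {
  if (emailGate(event.user) !== "allow") {
    api.access.deny(DENY_MSG);
  }
};
```

Because the decision lives in one function, a phone-number Facebook account, a whitespace-only email and a database signup that never clicked the link all take a defined path instead of reaching the applications.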


Thank you very much for your reply. I now have a general understanding of the overall process.

However, since this is my first time using Auth0, I’m still not very familiar with it and have some questions. In the form flow you mentioned, after the user enters an email address and clicks continue, a verification email is sent. I see that you are calling the /v2/tickets/email-verification endpoint, which requires a provider parameter. But in this case, the user hasn’t bound an email yet. How can a verification email be sent to the email address provided by the user?

After the user receives the email and clicks the verification link, how can the verified email then be added to the user’s profile?

Or are there some similar templates to refer to?

I look forward to your clarification. Thank you.

Glad I could help!

However, I just noticed a fault in the flow I have proposed above.

Basically, after the user inputs their email address, you would need to switch the order of the flows above as such:

In this Form, the process will be as follows:

  • The user will enter their email in the first step

  • Using an Update User flow, you will update the email address of the user provided in the context as such:

  • The Flow will retrieve the user ID from the context of the form by using {{context.user.user_id}} and update the email value of the user with the value that they entered in the email field (which is accessed by using {{fields.email}} // take note that email is the ID/Name you set on the specific field).

  • Use a Custom API Request Flow with the /v2/jobs/post-verification-email endpoint. Since the user will have had their email set previously, you will need to send the proper body request containing their user_id and connection used.

  • Once that is done, you will notify the user to check their email and also provide them the option to go back (in case they have set the wrong email address; to mitigate this, you can set the email to be visible inside the text as such: "Please check {{fields.email}} to verify your account.")

That is how the flow basically works: you set all the required information during the flow, and using the new endpoint you will not need to configure an email provider in order to send an email using the generated email verification ticket.

Please keep in mind that the email address is added prior to it being verified. The user will need to verify it before ending the Form’s flow otherwise they will be denied access. In addition to denying access, you could also redirect them to the logout endpoint where they will be asked to re-authenticate.

If you have any other questions or need further clarification, let me know!

Kind Regards,
Nik

Hi, Nik
Thanks for your reply.

Unfortunately, I still haven’t succeeded.
I have some questions about using HTTP in a Flow to call the Management API to send verification emails. I checked the documentation and saw that calling the Management API requires generating Access Tokens, but I don’t quite understand how to generate them. Do I need to create a new Machine-to-Machine Application to obtain the Access Tokens? Then use these Access Tokens to call the Management API to send the email — are all these steps supposed to be done within the Flow? Are there any examples I can refer to?

Also, I noticed that in Flow there is an option called “Verify email address.” What is this for? It seems similar to what I need.

Additionally, I have already paid for Auth0, and the project is about to go live. I would like to inquire whether Auth0 offers technical support for paying users beyond the community resources.

Looking forward to your reply. Thank you.
Isboyjc

Hi again!

Regarding the management API access token, you can just retrieve it from the Dashboard under Applications → APIs → Auth0 Management API → API Explorer and add it as a header to the custom api request as Authorization for the name and Bearer {{token}} as the value. Unfortunately, there are no examples provided regarding implementing such a flow using Auth0 Forms. As an alternative, if you are using a custom email provider such as SendGrid, you also have the option to send an email using the Send SendGrid Email flow.

Otherwise, regarding the Verify Email Address flow, it does not send a verification email or set an email address as verified within the Auth0 context; it is used to perform a number of selected verification rules against a provided email address.

Finally, if your tenant is under a plan, you also have the option to open a support ticket in order to receive further and live assistance from our dedicated support engineers team.

Hope I was able to answer all of your questions and if I can help you with anything else, let me know!

Kind Regards,
Nik
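
Added example, not part of the thread and not Auth0's own code: Management API access tokens expire, so instead of pasting one from the API Explorer, this sketch obtains a token with the client-credentials grant from a Machine-to-Machine application, caches it until shortly before expiry, and queues the verification email through the Management API job path `/api/v2/jobs/verification-email`. The tenant domain, client ID and secret and the injected `fetchImpl` are constructed placeholders, and the M2M application is assumed to be granted only the `update:users` scope.

```javascript
// Constructed placeholders; keep the secret in a secret store, not in a form field.
const cfg = {
  domain: "example-tenant.auth0.com",
  clientId: "M2M_CLIENT_ID",
  clientSecret: "M2M_CLIENT_SECRET",
};

let cached = null; // { token, expiresAt } reused across calls

// Client-credentials exchange for a Management API token.
async function getManagementToken(cfg, fetchImpl, now = Date.now()) {
  // Reuse the cached token until 60 seconds before it expires.
  if (cached && cached.expiresAt - 60000 > now) return cached.token;
  const res = await fetchImpl(`https://${cfg.domain}/oauth/token`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      grant_type: "client_credentials",
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
      audience: `https://${cfg.domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const { access_token, expires_in } = await res.json();
  cached = { token: access_token, expiresAt: now + expires_in * 1000 };
  return access_token;
}

// Queue a verification email for the identity encoded in user_id ("provider|id").
async function sendVerificationEmail(cfg, user, fetchImpl) {
  const token = await getManagementToken(cfg, fetchImpl);
  const [provider, ...rest] = user.user_id.split("|");
  const url = `https://${cfg.domain}/api/v2/jobs/verification-email`;
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "content-type": "application/json", authorization: `Bearer ${token}` },
    body: JSON.stringify({
      user_id: user.user_id,
      identity: { user_id: rest.join("|"), provider },
    }),
  });
  // Anything other than 201 Created means no job was queued; fail loudly.
  if (res.status !== 201) throw new Error(`verification job rejected: ${res.status}`);
  return res.json();
}
```

Pass the platform's `fetch` as `fetchImpl` in real use; a token scoped to `update:users` limits what a leaked credential can do compared with a broadly scoped token copied from the Dashboard.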
