Manually creating users for social login

lewis1 · March 17, 2020, 4:10pm

Hi,
We’re looking into how to programmatically create new users and receive an Auth0 ID and have that user receive a link to finalize the process by using social login (e.g. Google). We want to avoid sending a “reset password” email and we’d ideally want to enforce the possible sign-in methods at user creation.

The flow should be:

Admin creates a user with an email “user@gmail.com”
- We can programmatically assign the user to specific internal resources given the Auth0 ID
User receives a “Welcome” email with a link
User navigates to the link, only the allowed logins are available
User clicks on Google for example, must sign-in with “user@gmail.com”
After the process, the user is redirected to our platform
The user can’t add other authentication methods, can’t set/reset a password.

I’ve been looking around the documentation, but any pointers would be very helpful.

Thanks

mathiasconradt · March 17, 2020, 6:17pm

Hi @lewis1,

welcome to the community. You as an admin can’t create a user for a social connection / upstream IdP. Therefore you need to go with a database connection and account linking.

Create the user in a database connection, via Dashboard or Management API. Disable signups.
Enable Rule "Link Accounts with Same Email Address while Merging Metadata" (note that by default the rule requires the user account in the database connection to be email_verified. Since you allow login via social connection only anyway, you can remove that check in the rule)
For your Client Applicationm, in it’s connection settings, only enable the Google Social Connection, not the database connection.
To avoid other Gmail users, which you didn’t create, to login/signup via your Client Application, put a rule in place that checks that for the current user, one with the same email address exists in the database connection, otherwise reject the login.

dori_wm · April 7, 2021, 2:49pm

Hi @mathiasconradt

I am trying your suggestions above. However I don’t see the option to disable signups via dashboard; and also I don’t see the option to enable rule “Link Accounts with Same Email Address while Merging Metadata”. Where are they located?

Thanks

mathiasconradt · April 7, 2021, 10:36pm

However I don’t see the option to disable signups via dashboard

That’s in the settings of the database connection used.

“Link Accounts with Same Email Address while Merging Metadata”

This rule was a standard rule available in the rules catalog (Dashboard > Auth Pipeline > Rules > Create Rule) at the time of the original posting, but it has been removed as it’s not recommended due to security concerns. (It’s recommended to link accounts only with user interaction and not automatically without any additional sort of verification of the account ownership).
You can still find a copy of the original rule online but a said, there are security concerns with it.

aliotta343 · May 26, 2021, 7:02pm

Hey all looks like the “Link Accounts with Same Email Address while Merging Metadata” Rule has been deprecated for security concerns. Has an alternative solution been devised for this use case?

Topic		Replies	Views
Disable Social Signup..except for Linking existing account Help	3	6831	November 20, 2020
Migrate user from social login to username-password Help user-management , account-linking	4	65	August 14, 2024
The connection does not support user creation through the API for social signin Help management-api , users	2	810	December 7, 2023
Can not create a new user Help user-management , user-invitation	4	1986	March 16, 2023
Invite-only signup without password & include social connections Help	0	2051	February 3, 2022

Manually creating users for social login

Related Topics