Manually creating users for social login

Hi,
We’re looking into how to programmatically create new users and receive an Auth0 ID and have that user receive a link to finalize the process by using social login (e.g. Google). We want to avoid sending a “reset password” email and we’d ideally want to enforce the possible sign-in methods at user creation.

The flow should be:

  • Admin creates a user with an email “user@gmail.com”
    • We can programmatically assign the user to specific internal resources given the Auth0 ID
  • User receives a “Welcome” email with a link
  • User navigates to the link, only the allowed logins are available
  • User clicks on Google for example, must sign-in with “user@gmail.com”
  • After the process, the user is redirected to our platform
  • The user can’t add other authentication methods, can’t set/reset a password.

I’ve been looking around the documentation, but any pointers would be very helpful.

Thanks

Hi @lewis1,

welcome to the community. You as an admin can’t create a user for a social connection / upstream IdP. Therefore you need to go with a database connection and account linking.

  • Create the user in a database connection, via Dashboard or Management API. Disable signups.
  • Enable Rule "Link Accounts with Same Email Address while Merging Metadata" (note that by default the rule requires the user account in the database connection to be email_verified. Since you allow login via social connection only anyway, you can remove that check in the rule)
  • For your Client Application, in its connection settings, only enable the Google Social Connection, not the database connection.
  • To prevent other Gmail users, which you didn’t create, from logging in/signing up via your Client Application, put a rule in place that checks that, for the current user, one with the same email address exists in the database connection, and otherwise rejects the login.
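The last bullet, the rule that refuses a social login unless an admin already created a database-connection user with the same email, written out as an added example (not code from this thread or from Auth0). It assumes the Auth0 rule signature `function (user, context, callback)`, the `context.connectionStrategy`, `user.email` and `user.email_verified` fields, the rule runtime's global `UnauthorizedError`, and a database connection named `Username-Password-Authentication`. The Management API call a real rule would make (`ManagementClient#getUsersByEmail` from the `auth0` npm package) is replaced by a constructed in-memory directory so the decision logic runs offline.

```javascript
// Added example, not from the thread or from Auth0: gate a social login on the
// existence of an admin-provisioned database-connection user with the same email.

const DB_CONNECTION = 'Username-Password-Authentication'; // assumed connection name

// Constructed sample data: the users an admin created in the database connection.
const provisionedUsers = [
  { user_id: 'auth0|0001', email: 'user@gmail.com',
    identities: [{ provider: 'auth0', connection: DB_CONNECTION }] },
  { user_id: 'auth0|0002', email: 'Second.User@example.com',
    identities: [{ provider: 'auth0', connection: DB_CONNECTION }] },
];

// Stand-in for the Management API lookup. A real rule would call
// ManagementClient#getUsersByEmail, which also resolves to an array of users.
function lookupUsersByEmail(email) {
  const wanted = email.toLowerCase();
  return Promise.resolve(
    provisionedUsers.filter(u => u.email.toLowerCase() === wanted));
}

// Core decision, kept separate from the rule so it can be exercised without the
// Auth0 runtime. Resolves to { allow: true } or { allow: false, reason }.
async function decideSocialLogin(user, context, lookup) {
  // Logins through the database connection itself are not what this rule gates
  // (the connection is not enabled on the client application); let them pass.
  if (context.connectionStrategy === 'auth0') {
    return { allow: true };
  }
  if (!user.email) {
    return { allow: false, reason: 'identity provider returned no email address' };
  }
  // Only trust the address if the upstream IdP asserted it as verified; otherwise
  // a provisioned address could be claimed at a provider that never checks emails.
  if (user.email_verified !== true) {
    return { allow: false, reason: 'email address not verified by identity provider' };
  }
  const matches = await lookup(user.email);
  const provisioned = matches.some(u =>
    (u.identities || []).some(i => i.connection === DB_CONNECTION));
  if (!provisioned) {
    return { allow: false, reason: 'no provisioned account exists for this email address' };
  }
  return { allow: true };
}

// UnauthorizedError is a global in the Auth0 rule runtime; fall back to a local
// class so this file also runs under plain Node.
const DenyError = typeof UnauthorizedError === 'function'
  ? UnauthorizedError
  : class UnauthorizedError extends Error {};

// The rule in the shape Auth0 expects: deny with UnauthorizedError, otherwise
// hand user and context on unchanged.
function requireProvisionedAccount(user, context, callback) {
  decideSocialLogin(user, context, lookupUsersByEmail)
    .then(decision => decision.allow
      ? callback(null, user, context)
      : callback(new DenyError(`Access denied: ${decision.reason}`)))
    .catch(callback);
}
```

To deploy this as an actual rule, replace `lookupUsersByEmail` with a Management API call authorised by the rule's `auth0.accessToken`, and keep the email-verified check: the whole scheme rests on the upstream IdP vouching for the address, so an unverified email from a social provider must never match a provisioned account.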

Hi @mathiasconradt

I am trying your suggestions above. However I don’t see the option to disable signups via dashboard; and also I don’t see the option to enable rule “Link Accounts with Same Email Address while Merging Metadata”. Where are they located?

Thanks

However I don’t see the option to disable signups via dashboard

That’s in the settings of the database connection used.

“Link Accounts with Same Email Address while Merging Metadata”

This rule was a standard rule available in the rules catalog (Dashboard > Auth Pipeline > Rules > Create Rule) at the time of the original posting, but it has been removed as it’s not recommended due to security concerns. (It’s recommended to link accounts only with user interaction and not automatically without any additional sort of verification of the account ownership).
You can still find a copy of the original rule online but, as said, there are security concerns with it.

Hey all looks like the “Link Accounts with Same Email Address while Merging Metadata” Rule has been deprecated for security concerns. Has an alternative solution been devised for this use case?
