New Universal Login - Allow Sign Up to be disabled but still allow invitation acceptance

amngs · October 5, 2023, 2:52pm

Feature:

Use-case:

We are using the Organisation feature, and users must have an organisation to login, which requires the new universal login experience (so we cannot use the classic, or customised login options).

We have our own separate Sign Up form which in the backend uses the Auth0 Management API to create a new organisation and sends an organisation invitation to the user.

We therefore want to disable Sign Ups via Auth0’s form (as this will not add the organisation information that we require before a user can login). However, when we Disabled Sign Ups on the database connection we noticed that this prevents the invitation acceptance link from working.

Instead of being able to input a new password to accept the invitation, the user is told to login to their account, but they are a new user so cannot do so.

We are using the default Auth0 database connection for our user database.

Thank you

dan.woda · October 5, 2023, 3:16pm

Thanks for the feedback request!

j.krabs · October 6, 2023, 7:28am

Maybe there could be a more general solution for differentation between “normal” signup and invitation. If we could have the information about an invitation as variable in the events object of the pre-user-registration-event, we could use an action to do different things on “normal” signup vs. invitation. (e.g. deny signup in one of both cases)

Negativ point of this: the signup-link would still be present in the new universal login. So not the best user-experience for the described scenario of @amngs

dan.woda · October 6, 2023, 1:54pm

Thanks for the extra context @j.krabs

timonprata · November 2, 2023, 2:25am

Hello ! It is my first time as a developper using Auth0, and i must say, the developer experience feels terrible, and i will not recommend it to my future clients without this feature.

I am in a similar situation, i started using Organizations as a main feature, alongside New Universal Login, and the disabling of sign-ups, which came up later as a necessity, broke my entire authentication tunnel.

The ugliest hack i could find is remove the “Sign up” text from the button in “Custom text”, replacing it with a whitespace, but it still appears because of a padding on this link.

Without this padding, days of trouble would have been fixed and this is not even a no-code UI customisation option.

I tried every succession of unicode characters in the different “Custom Texts” fields to make the ghost link overflow away, without success (nice UI job here, unfortunately for me)

And it prevents me from implementing Social logins, because of the way they work both as a sign-in and a sign-up, but this is not the subject nor an immediate issue for me.

I am now exploring the possibility to throw an error conditionally via a Pre-Registration hook, i am currently searching for the way to differenciate between a regular invitation and an organization invitation, but like J.krabs mentioned it does not seem to be an option…

Which leads me to this question
Do you have an ETA on this crucial feature ? I have read a lot of auth0 forums post asking for Invite-only flows in New Universal Login.

PS: Not the subject here either, but when register is enabled, and an organization invitation is sent, the Registration form is shown by default, even if said user previously had an account and was already authenticated.
I’ve had several testers confused about it, best way to fix this on my end is to authorize “Join on sign-up”, then using handleAuth from next-auth0, remove the invitationId from the URL params if the user already exist in Auth0, which leads to an organization-signin form, send a GET request to management API to check invitation status validity + email matching, for security, then send another GET request to check if the user already exist in Auth0, if not, i let the “invitationId” url param which then shows the initial “Sign-up” form to the user. Needless to say, very unintuitive nor documented way and it consumes a lot of Management API requests.

Thanks you very much for your time,
Cordially,
Timon

dan.woda · November 3, 2023, 3:22pm

Hey @timonprata,

Welcome to the Auth0 Community!

Thank you for taking the time to share such detailed feedback. I’m sorry to hear about the frustrating experience and thank you for your patience working through it.

caggy · April 2, 2024, 11:31am

So, the next question is, will this be fixed at all? I also have the same issue and have not been able to find a way around it. Signups are not something that everyone wants enabled, i.e. if you are running a B2B platform. Any ideas on if this is being worked on Dan?