New user via API - set password flow

We would like to create users from a system, which will eventually make an API call to the Auth0 Management API. I’m wondering whether there’s a possible flow where the created user will receive an email containing a link with automatic login that forces them to set/reset their password immediately.
We’d rather not generate and send a plaintext password to the user by email. What would be the recommended flow here? Thanks in advance.

Hi @adeliab,

To clarify, will you be creating users via the Management API, or will the users be calling your tenant’s Management API?

Here is a guide for implementing an invitation-only flow:

Hi @stephanie.chamblee, how do I specify query params to use the invite flow of Universal Login like it mentions?

Hi @stephanie.chamblee, sorry, I’m new to Auth0 so I’m not sure what the difference is between the Management API and the tenant’s Management API.

The idea is to have an external application call our custom User API, which will send a request to Auth0 to create the user, with this call: Auth0 Management API v2

We don’t want users to sign up by themselves because we need to set the app_metadata when the user is created. From the documentation you sent, it seems possible to create a user first and then send a change password link. Let me read more and let you know if I have any questions.

Thanks!


Hi @stephanie.chamblee, regarding the mark_email_as_verified parameter in the change password ticket: if it’s set to true, does that mean the email is verified during the ticket generation, or after the user sets the password?

And how can we trigger the sending of invitation email after the user is created?

Thanks for clarifying!

The user’s email will be verified only after they reset their password when mark_email_as_verified is true.

When you call the /api/v2/tickets/password-change endpoint, you will receive a URL that can be used in a template in your own external email provider. You can use the Post-User Registration Hook to trigger the email.

Here is an example of sending an email in a Rule with the Mandrill email provider: Send email with Mandrill. You could do something similar in a Post-User Registration Hook to send the email.

You can also follow this answer to use the Auth0 change password email template: Sending password change email instead of verification email for a new user - #3 by stephanie.chamblee
With this solution, you would likely need to configure the template in a way that regular password change requests would look different than the initial password reset.


Thanks for your reply @stephanie.chamblee !

In your example, I suppose the call to create the password change ticket also happens in the hook?

As an alternative, I think our custom API can also perform this task and use our external provider to send the email. The flow would be:

  1. Our custom API creates user in Auth0 via Management API
  2. Our custom API creates password change ticket
  3. Our custom API sends the generated URL to SendGrid where the URL will be put in the template and sent to the user

In this flow we’re not using an Auth0 email template or sending the email from Auth0. I suppose this would work too?

I feel the email template will be cleaner because we don’t need to add IF statements to the Auth0 change password template to support localization and the change-password template vs. invite format.


Yes, that will work nicely! Since your API is able to handle all aspects of user creation, I believe that makes a lot of sense. I agree it would be a cleaner template.


Hi @stephanie.chamblee, we’re still looking into the best place to send the email from. Is it possible to use Auth0 Actions to call the endpoint to get a password ticket and trigger a SendGrid email?

Hmm… it seems that the creation of Actions is not supported by the Terraform library yet: https://registry.terraform.io/providers/alexkappa/auth0/latest/docs/resources/hook
I suppose it can work with a Hook too?

Hi @adeliab,

Yes, you can use an Action or a post-user registration hook or a rule to generate the change-password email and send the email. Here is an example in rules: Customize Email Handling

Regarding Terraform’s support of Actions, I’ve asked the team about this and I will let you know what I hear back.

@adeliab, one thing to note that I’ve realized after doing some testing: it is uncommon but possible that the user will not exist yet in the post-user registration hook. If going that route, you would need to handle a 404 error when you generate the password-change ticket and retry the request. This should not be common, but because of the async nature of this hook, it is possible.

Hi Stephanie, thanks for the heads up! Our plan now is to have an Auth0 hook send a message to a service bus queue, and another service will subscribe to this message and perform the get-change-password-ticket and email-send steps. Do you still see the risk that the user won’t be available by then?


That sounds like a safe plan. The user should be available by the time the request is made by the second service. You could add a retry if a 404 is returned, but I don’t believe that would occur.

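The three-step flow proposed above (create the user via the Management API, create a password-change ticket, hand the ticket URL to SendGrid) together with the 404-and-retry handling discussed afterwards, as an added example that is not the poster's, Auth0's or SendGrid's code. It is a worker that a queue consumer or the custom API could call. The tenant domain, Management API token, SendGrid API key, dynamic template id, `invite_url` template variable, sender address and `result_url` are placeholder assumptions; the Management API endpoints and fields it uses (`/api/v2/users`, `/api/v2/tickets/password-change`, `mark_email_as_verified`, `result_url`, `ttl_sec`) are the ones named in the thread. The HTTP transport is injected so the flow can be exercised offline with a fake; the default uses `urllib` from the standard library.

```python
import json
import secrets
import time
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# ---- Assumed configuration: placeholders, not real tenant or account values ----
AUTH0_DOMAIN = "example.auth0.com"
AUTH0_MGMT_TOKEN = "<management-api-token>"  # needs create:users and create:user_tickets
AUTH0_CONNECTION = "Username-Password-Authentication"
SENDGRID_API_KEY = "<sendgrid-api-key>"
SENDGRID_TEMPLATE_ID = "d-00000000000000000000000000000000"  # assumed dynamic template id
RESULT_URL = "https://app.example.com/welcome"  # assumed landing page after the reset
TICKET_TTL_SEC = 24 * 3600                       # invite link lifetime; keep it short

# Transport: (method, url, headers, json_body) -> (status, parsed_json). Injected so the
# flow can be exercised offline with a fake; the default below uses urllib.
HttpCall = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, Any]]


def urllib_http(method, url, headers, body):
    """Standard-library transport; HTTP error responses are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def _auth0_headers() -> Dict[str, str]:
    return {"Authorization": f"Bearer {AUTH0_MGMT_TOKEN}", "Content-Type": "application/json"}


def create_user(email: str, app_metadata: dict, http: HttpCall) -> str:
    """Step 1: POST /api/v2/users. A database connection needs an initial password, so a
    random one is generated and discarded: never stored, logged or mailed. The user sets
    their real password through the ticket link."""
    body = {
        "connection": AUTH0_CONNECTION,
        "email": email,
        "email_verified": False,  # becomes true when the ticket is used (mark_email_as_verified)
        "password": secrets.token_urlsafe(32),
        "app_metadata": app_metadata,
    }
    status, resp = http("POST", f"https://{AUTH0_DOMAIN}/api/v2/users", _auth0_headers(), body)
    if status != 201:
        raise RuntimeError(f"create user failed: {status} {resp}")
    return resp["user_id"]


def create_password_change_ticket(user_id: str, http: HttpCall, attempts: int = 5,
                                  delay: float = 1.0) -> str:
    """Step 2: POST /api/v2/tickets/password-change. A 404 is retried with bounded linear
    backoff, because a user created moments earlier may not be visible yet when this runs
    from an asynchronous hook or queue worker. Any other error fails immediately."""
    body = {"user_id": user_id, "result_url": RESULT_URL,
            "mark_email_as_verified": True, "ttl_sec": TICKET_TTL_SEC}
    url = f"https://{AUTH0_DOMAIN}/api/v2/tickets/password-change"
    for attempt in range(1, attempts + 1):
        status, resp = http("POST", url, _auth0_headers(), body)
        if status in (200, 201) and "ticket" in resp:
            return resp["ticket"]
        if status != 404 or attempt == attempts:
            break
        time.sleep(delay * attempt)
    raise RuntimeError(f"ticket creation failed after {attempt} attempt(s): {status} {resp}")


def build_invite_mail(email: str, ticket_url: str) -> dict:
    """Step 3 payload for SendGrid POST /v3/mail/send. Only the ticket URL reaches the
    template, as `invite_url`; the throwaway password never does."""
    return {
        "from": {"email": "no-reply@example.com"},  # assumed verified sender
        "template_id": SENDGRID_TEMPLATE_ID,
        "personalizations": [{"to": [{"email": email}],
                              "dynamic_template_data": {"invite_url": ticket_url}}],
    }


def send_invite(email: str, ticket_url: str, http: HttpCall) -> None:
    headers = {"Authorization": f"Bearer {SENDGRID_API_KEY}", "Content-Type": "application/json"}
    status, resp = http("POST", "https://api.sendgrid.com/v3/mail/send", headers,
                        build_invite_mail(email, ticket_url))
    if status != 202:
        raise RuntimeError(f"SendGrid send failed: {status} {resp}")


def invite_user(email: str, app_metadata: dict, http: HttpCall = urllib_http,
                retry_delay: float = 1.0) -> dict:
    """Whole flow. The ticket URL is a bearer credential: it goes to the mail provider and
    is deliberately not returned to the caller or logged."""
    user_id = create_user(email, app_metadata, http)
    ticket = create_password_change_ticket(user_id, http, delay=retry_delay)
    send_invite(email, ticket, http)
    return {"user_id": user_id, "invite_sent": True}
```

Two points a practitioner should keep in mind with this shape: the ticket URL is the only credential the user ever receives, so it must be treated as a secret (short `ttl_sec`, never logged, never echoed back through the API that triggered the invite), and the retry must be bounded and limited to 404, so that a wrong `user_id` or a revoked token fails fast instead of hammering the Management API.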

Thanks @stephanie.chamblee ! Is it confirmed that Action is not supported by Terraform yet?

Hi @adeliab,

It isn’t supported yet, but I did find an enhancement issue which you can track the progress on: Support Auth0 Actions · Issue #302 · alexkappa/terraform-provider-auth0 · GitHub

