Prevent users from accepting an organization invite when the current session is incompatible

Feature:

Prevent users from accepting an organization invite when the current session is incompatible

Description:

When accepting an organization invite created via "Create invitations to organization", users who are already authenticated with a different profile will run into the following error:

    {
      "error": "access_denied",
      "errorDescription": "the specified account is not allowed to accept the current invitation"
    }

because their email + connection does not match that expected by the invitation. Though this error makes sense, it should be much harder for a user (especially those less tech savvy) to make a mistake during this flow. Ideally, if someone uses an invitation link, they should

  • be able to accept the invite if their current session matches invite parameters (currently works like this)
  • or if there is no active session, or the session is not compatible, then a user should be requested to authenticate with the email prepopulated with the expected address (similar to login_hint being set)

Use-case:

We are leveraging Auth0 organisations to segregate each tenant in a multi-tenant application. As part of this, clients are able to add new users to their tenancy by inviting users via email + connection. For the most part this works as expected, but users who have multiple accounts (i.e. personal + work) have reported that if they accept the invite while accidentally being logged into the other account, they are not prompted to use the correct account and instead get the above error. To compound this, they are unable to try again after logging out because the invitation has been expired by the action.

Case 1 - Accept invite with no previous session (unauthenticated)

If a user has no active session and accepts the invitation, they are redirected to the underlying IdP, but the email field is not populated, allowing the user to enter anything they want (even if it does not match the email it was sent to).

Expected
The IdP should have its username/email field prepopulated, as with a login request sent with login_hint=xxxx.

Case 2 - Accept invite with previous session not matching email from invite

If a user has an active session, alice@mail.com, and accepts an invitation for barry@mail.com, the “you’ve been invited” prompt appears, but hitting continue invalidates the invitation, instead returning the error mentioned above.

Expected
Though the resulting error makes sense, it feels like it should be harder to fall into this error state to improve the user experience. If the active session matches neither the desired email address nor a compatible connection, a user should be prompted to log in as the invite’s intended recipient, with the email field of the underlying IdP prepopulated (if supported).
I have tried achieving this by specifying prompt: 'login', which does prevent the automatic acceptance of the invite, but it then runs into the usability problem of Case 1, where a user can enter any email, even if it is not intended. I would also include login_hint=xxx in the request, but the link generated by the management API does not expose the email of the intended recipient.

Case 3 - Accept Invite with previous matching email, but not desired connection

Same as above, but instead of using the wrong email, having a previous session with the wrong connection does not ask the user to re-authenticate as the desired recipient.

Work-arounds

I have partially been able to get around this by modifying the email template for organisation invites from

<a href="{{ url }}&amp;email={{ user.email }}">Accept</a>

to include the email address, so our application can pass login_hint and prompt: login during the invitation acceptance. This solution feels like a patch rather than an intended solution, and it does lose the seamless SSO experience of not having to re-authenticate.
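The following is an added example of the work-around described above, written for this page; it is not code from the original post or from Auth0. It assumes the invitation email template has been modified to append `&email={{ user.email }}` to the link (so the link carries `invitation`, `organization` and `email` query parameters), that the application can describe its current session as `{ email, connection }` or `null`, and it uses a placeholder tenant domain and made-up ticket, organization and client values. It covers all three cases from the post: with no session or a mismatched email it sends the user to `/authorize` with `prompt=login` and `login_hint` set to the intended recipient; the connection check only fires if the application itself supplies the expected connection, since the link does not carry it.

```javascript
// Added example (not the original poster's or Auth0's code). Decides how a
// browser app should send a user to Auth0's /authorize endpoint for an
// organization invitation link whose email template was modified to append
// `&email={{ user.email }}`.

const AUTH0_DOMAIN = 'example-tenant.auth0.com'; // placeholder, not a real tenant

// Pull the parameters we need out of the invitation link. `email` is only
// present because of the modified template; Auth0's own link lacks it.
function parseInviteLink(link) {
  const params = new URL(link).searchParams;
  const invitation = params.get('invitation');
  const organization = params.get('organization');
  const email = params.get('email');
  if (!invitation || !organization) {
    throw new Error('invitation link is missing invitation/organization parameters');
  }
  return { invitation, organization, email };
}

// Case-insensitive comparison: the failure cases in the post are about the
// wrong account, not letter case in the address.
function sameEmail(a, b) {
  return typeof a === 'string' && typeof b === 'string' &&
    a.trim().toLowerCase() === b.trim().toLowerCase();
}

// Decide whether the current session may accept the invite silently (the SSO
// path) or whether the user must re-authenticate as the intended recipient.
// `expectedConnection` is optional: the link does not carry it, so the app can
// only supply it if it recorded the connection used when the invite was created.
function decideAcceptance(invite, session, expectedConnection) {
  if (!session) return { reauth: true, reason: 'no_session' };            // Case 1
  if (invite.email && !sameEmail(session.email, invite.email)) {
    return { reauth: true, reason: 'email_mismatch' };                    // Case 2
  }
  if (expectedConnection && session.connection !== expectedConnection) {
    return { reauth: true, reason: 'connection_mismatch' };               // Case 3
  }
  return { reauth: false, reason: 'session_matches' };
}

// Build the /authorize URL. When re-authentication is needed, prompt=login stops
// Auth0 from auto-accepting with the wrong session, and login_hint prepopulates
// the IdP's email field with the intended recipient.
function buildAuthorizeUrl(invite, decision, clientId, redirectUri) {
  const url = new URL(`https://${AUTH0_DOMAIN}/authorize`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('scope', 'openid profile email');
  url.searchParams.set('invitation', invite.invitation);
  url.searchParams.set('organization', invite.organization);
  if (decision.reauth) {
    url.searchParams.set('prompt', 'login');
    if (invite.email) url.searchParams.set('login_hint', invite.email);
  }
  return url.toString();
}

// Convenience wrapper: parse, decide, build.
function acceptInvite(link, session, clientId, redirectUri, expectedConnection) {
  const invite = parseInviteLink(link);
  const decision = decideAcceptance(invite, session, expectedConnection);
  return { decision, authorizeUrl: buildAuthorizeUrl(invite, decision, clientId, redirectUri) };
}

// Constructed sample link: the ticket and organization id are made up.
const SAMPLE_LINK =
  `https://${AUTH0_DOMAIN}/authorize?invitation=ticket_XYZ&organization=org_ABC&email=barry%40mail.com`;

// Stand-alone usage: an alice@mail.com session accepting barry's invite.
const demo = acceptInvite(SAMPLE_LINK, { email: 'alice@mail.com', connection: 'Username-Password-Authentication' },
  'client_placeholder', 'https://app.example/callback');
console.log(demo.decision.reason, demo.authorizeUrl);
```

In a real app the redirect to `authorizeUrl` replaces the silent acceptance, so the user is asked to log in as the invited address instead of burning the invitation with the wrong session.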