Hi all!
I am trying to remove the sign-up option of the universal login and only allow new sign-ups through an organization invitation E-Mail.
When I disable the registration of a new user for the database connection (“Disable Sign Ups”) the sign-up via organization invites is also disabled, correct?
So the only possibility is to use this proposed workflow https://auth0.com/docs/customize/email/send-email-invitations-for-application-signup. Essentially I have to create a user in the backend and sent a password-reset mail disguised as a invitation mail.
However, this flow does not account for organization information (name, logo) in the invitation/pw-reset-mail and the case of multiple open invitations to different organizations.
We have the following requirements:
- The invitation mail must contain information of the corresponding org ( logo and name)
- The user can only be added to the organization via the API after the password-reset/signup, as we need to differentiate between orgMembers with and without accepted invitations.
- An invitation has to be created via the auth0 api in the backend, which we display in the frontend.
- The correct UI for either password change and sign-up via Invitation has to be displayed after clicking on the link in the Email (the part “Add query parameters ticket URL” in the link above is unclear to me )
So far we tried the following:
In the backend:
- Create user with random password, we add the organization information into the user_metadata field, to access the info later in the invitation/pw-reset-mail (logo and orgname). If the user already exists, which could mean he has already been registered or that he has another open invitation,
we append the organization information as a new entry to the user_metadata. - Create invitation, we set ‘send_invitation_email’ = false
- Trigger a password reset mail for the invitee, we adjust the pw-reset-template according to the information in the user-metadata → pw reset mail or invitation with org info
After the user clicks the link and changes the password, we inserted the following steps into
the post-password-change action:
- Add user to the org listed in his user-metadata
- Assign roles to user (also listed in user-metadata)
- Delete the corresponding invitation
- Update the user-metadata by removing the org’s metadata
This process is a rather complicated attempt of a solution to a seemingly simple problem and it has some difficult edge cases, when there are multiple accepted and open invitations for a single person. Is there a more elegant solution to the problem?
Something like a option to activate invites only would be nice or the possibility to redirect to a complete-invitation site in the pre-user-registration action depending on the invitation state of the user.
Additionally, any clarification on the “Add query parameters ticket URL”-section in the link above is highly appreciated.
Thank you very much for your time and I look forward to your answers!