Registration only via organization invitations

Hi all!

I am trying to remove the sign-up option of the universal login and only allow new sign-ups through an organization invitation E-Mail.
When I disable the registration of a new user for the database connection (“Disable Sign Ups”) the sign-up via organization invites is also disabled, correct?

So the only possibility is to use this proposed workflow https://auth0.com/docs/customize/email/send-email-invitations-for-application-signup. Essentially I have to create a user in the backend and send a password-reset mail disguised as an invitation mail.

However, this flow does not account for organization information (name, logo) in the invitation/pw-reset-mail and the case of multiple open invitations to different organizations.

We have the following requirements:

  1. The invitation mail must contain information of the corresponding org (logo and name)
  2. The user can only be added to the organization via the API after the password-reset/signup, as we need to differentiate between orgMembers with and without accepted invitations.
  3. An invitation has to be created via the Auth0 API in the backend, which we display in the frontend.
  4. The correct UI for either password change or sign-up via invitation has to be displayed after clicking on the link in the email (the part “Add query parameters ticket URL” in the link above is unclear to me :frowning: )

So far we tried the following:
In the backend:

  1. Create user with random password, we add the organization information into the user_metadata field, to access the info later in the invitation/pw-reset-mail (logo and orgname). If the user already exists, which could mean he has already been registered or that he has another open invitation, we append the organization information as a new entry to the user_metadata.
  2. Create invitation, we set ‘send_invitation_email’ = false
  3. Trigger a password reset mail for the invitee, we adjust the pw-reset-template according to the information in the user-metadata → pw reset mail or invitation with org info

After the user clicks the link and changes the password, we inserted the following steps into the post-password-change action:

  1. Add user to the org listed in his user-metadata
  2. Assign roles to user (also listed in user-metadata)
  3. Delete the corresponding invitation
  4. Update the user-metadata by removing the org’s metadata

This process is a rather complicated attempt at a solution to a seemingly simple problem and it has some difficult edge cases when there are multiple accepted and open invitations for a single person. Is there a more elegant solution to the problem?

Something like an option to activate invites only would be nice, or the possibility to redirect to a complete-invitation site in the pre-user-registration action depending on the invitation state of the user.
Additionally, any clarification on the “Add query parameters ticket URL”-section in the link above is highly appreciated.

Thank you very much for your time and I look forward to your answers!

7 Likes

Same here, did you find a solution?

Any news on this topic? Having the same problem…

Same. It’s kind of frustrating that there seem to be posts about this going back years with people with the same problem, and still no great solution.

1 Like

Also looking for this.

:raised_hand: Same same … organizations is a great feature, but so many things are missing.

1 Like

Same… I mean, what is the point of invite-only sign-ups if you still have a global sign-up enabled? And otherwise people with an invite cannot set a password?

So it has been some time since we worked on the problem, but our solution, which our contact at Auth0 also proposed, was to use the branding API to edit the HTML of the Login/SignUp widget to insert some custom CSS to hide the signup button and hyperlink. However, this still does not block the API call to Auth0. You would have to handle the authorization of a user without an organisation in your backend somehow.
According to my colleague, a paid subscription was necessary as well to access the branding API.

https://auth0.com/docs/api/management/v2/branding/put-universal-login

This is still really hacky, but apparently the only solution there is at the moment.
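One way to do the backend check mentioned in the reply above, as an added example that is not part of the thread or Auth0's own code: reject any token that carries no `org_id` claim or one for a different organization. Assumptions: the API receives an HS256-signed token (a constructed shared secret keeps the demo offline; an RS256 setup would verify against the tenant's published keys instead), and the issuer, audience, organization IDs and the helpers `make_token` and `authorize` are hypothetical.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"         # constructed, not a real key
ISSUER = "https://tenant.example.invalid/"  # placeholder tenant domain
AUDIENCE = "https://api.example.invalid"    # placeholder API identifier

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, secret=SECRET):
    """Build a constructed HS256 token so the demo runs offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def authorize(token, expected_org, now=None):
    """Return (allowed, reason) for a request aimed at expected_org."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        return False, "unexpected alg"
    want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        return False, "bad signature"
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong issuer or audience"
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    org = claims.get("org_id")
    if not org:  # token was not issued in an organization context
        return False, "no organization"
    if org != expected_org:
        return False, "wrong organization"
    return True, "ok"
```

With this in place, an account created through the still-reachable sign-up endpoint can authenticate but gets no further than "no organization" at the API.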

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.