Restrict Sign-Ups to Just Invited Users for Organizations

Overview

This article explains how an organization can restrict sign-ups to invited users only for a particular connection and application, even when general sign-up for that connection is disabled. The goal is to prevent uninvited users from signing up while still allowing invited users to accept their invitations and create an account.

Applies To

  • Organizations
  • Connections
  • Applications

Solution

To achieve the desired behavior, follow these steps:

Configuration Steps

  1. Disable Sign-Up for the Connection:
    • In the Auth0 Dashboard, navigate to Authentication > Database (or the relevant connection type).
    • Select the specific connection you are using.
    • Ensure that the “Allow Sign Ups” option is disabled.
  2. Add the Connection to the Organization with Sign-Up Enabled:
    • In the Auth0 Dashboard, navigate to Organizations.
    • Select the relevant organization.
    • Go to the Connections tab.
    • Add the connection for which sign-ups were disabled in the previous step.
    • Within the organization’s connection settings, ensure that “Enable sign-up” is checked. This allows invited users associated with this organization to sign up through this connection.
  3. Enable the Connection and Login Experience for the Application:
    • In the Auth0 Dashboard, navigate to Applications.
    • Select the application.
    • Go to the Connections tab.
    • Enable the connection configured in the previous steps.
    • Ensure that the login experience for this application is set to “Prompt for credentials” or a similar setting that allows new users to provide their details.

Preventing Unauthorized Sign-Ups with a Pre User Registration Action

To prevent uninvited users from signing up even if they guess the organization ID, implement a Pre User Registration Action. This action will check if the user attempting to sign up has an active invitation to the organization.

exports.onExecutePreUserRegistration = async (event, api) => {
  const { ManagementClient } = require('auth0');

  // Machine-to-machine credentials stored as Action secrets. The M2M application
  // needs the read:organization_invitations scope on the Management API.
  const management = new ManagementClient({
    clientId: event.secrets.UM_M2M_CLIENT_ID,
    clientSecret: event.secrets.UM_M2M_CLIENT_SECRET,
    domain: event.secrets.UM_M2M_DOMAIN,
  });

  // Pending invitations for the organization whose ID is stored as a secret.
  // With auth0 SDK v3 this resolves to an array; with v4 the array is in `.data`.
  const invitations = await management.organizations.getInvitations({ id: event.secrets.organizationId });

  // Compare emails case-insensitively; the registering user may have none.
  const inviteeEmails = invitations.map(item => item.invitee.email.toLowerCase());
  const userEmail = (event.user.email || '').toLowerCase();

  const isInvited = inviteeEmails.includes(userEmail);

  if (!isInvited) {
    // First argument is the reason recorded in tenant logs,
    // second is the message shown to the user.
    api.access.deny('user_not_invited', 'You need an invitation code to sign up.');
  }
};

Please note that this action is just an example and it is not intended to be used as is.
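As an added illustration that is not part of the original article, the invitation check can be separated from the Management API call into a pure helper so it can be unit-tested offline and hardened beyond a plain email match: it ignores case, rejects expired invitations, and rejects invitations bound to a different connection. The helper name `isInvitedUser` and the sample invitation data are constructed for this example; the field names (`invitee.email`, `expires_at`, `connection_id`) are those of Management API invitation objects.

```javascript
// Added example, not code from the original article. Decides whether the
// registering email holds a usable invitation for the given connection.
function isInvitedUser(invitations, email, connectionId, now = new Date()) {
  if (!email) return false;                      // nothing to match against
  const wanted = email.trim().toLowerCase();     // emails are case-insensitive
  return invitations.some((inv) => {
    const invitee = ((inv.invitee && inv.invitee.email) || '').trim().toLowerCase();
    if (invitee !== wanted) return false;
    // An invitation pinned to another connection must not unlock this one.
    if (inv.connection_id && connectionId && inv.connection_id !== connectionId) return false;
    // Expired invitations no longer grant access.
    if (inv.expires_at && new Date(inv.expires_at) <= now) return false;
    return true;
  });
}

// Constructed sample data shaped like a Management API invitations response.
const sampleInvitations = [
  { invitee: { email: 'Alice@example.com' }, connection_id: 'con_db1',   expires_at: '2099-01-01T00:00:00.000Z' },
  { invitee: { email: 'bob@example.com' },   connection_id: 'con_db1',   expires_at: '2000-01-01T00:00:00.000Z' },
  { invitee: { email: 'carol@example.com' }, connection_id: 'con_other', expires_at: '2099-01-01T00:00:00.000Z' },
];

// Inside the Action, after fetching `invitations` with the Management client
// from the article's snippet, the decision becomes (hypothetical usage):
//   if (!isInvitedUser(invitations, event.user.email, event.connection.id)) {
//     api.access.deny('user_not_invited', 'You need an invitation code to sign up.');
//   }
```

With the constructed data, only alice (matching connection, unexpired) is accepted; bob is rejected as expired and carol because her invitation belongs to a different connection.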