Overview
This article explains how an organization can restrict sign-ups to invited users only for a particular connection and application, even when general sign-up for that connection is disabled. It provides a solution that prevents uninvited users from signing up while still allowing invited users to accept their invitations and create an account.
Applies To
- Organizations
- Connections
- Applications
Solution
To achieve the desired behavior, follow these steps:
Configuration Steps
- Disable Sign-Up for the Connection:
  - In the Auth0 Dashboard, navigate to Authentication > Database (or the relevant connection type).
  - Select the specific connection you are using.
  - Ensure that the “Allow Sign Ups” option is disabled.
- Add the Connection to the Organization with Sign-Up Enabled:
  - In the Auth0 Dashboard, navigate to Organizations.
  - Select the relevant organization.
  - Go to the Connections tab.
  - Add the connection for which sign-ups were disabled in the previous step.
  - Within the organization’s connection settings, ensure that “Enable sign-up” is checked. This allows invited users associated with this organization to sign up through this connection.
- Enable the Connection and Login Experience for the Application:
  - In the Auth0 Dashboard, navigate to Applications.
  - Select the application.
  - Go to the Connections tab.
  - Enable the connection configured in the previous steps.
  - Ensure that the login experience for this application is set to “Prompt for credentials” or a similar setting that allows new users to provide their details.
Preventing Unauthorized Sign-Ups with a Pre User Registration Action
To prevent uninvited users from signing up even if they guess the organization ID, implement a Pre User Registration Action. This action will check if the user attempting to sign up has an active invitation to the organization.
```javascript
exports.onExecutePreUserRegistration = async (event, api) => {
  const { ManagementClient } = require('auth0');

  // Machine-to-machine credentials are stored as Action secrets
  const management = new ManagementClient({
    clientId: event.secrets.UM_M2M_CLIENT_ID,
    clientSecret: event.secrets.UM_M2M_CLIENT_SECRET,
    domain: event.secrets.UM_M2M_DOMAIN,
  });

  // Pending invitations for the organization whose ID is stored as a secret
  // (node-auth0 v3 returns the array directly; v4 wraps it as { data: [...] })
  const invitations = await management.organizations.getInvitations({ id: event.secrets.organizationId });
  const inviteeEmails = invitations.map((item) => item.invitee.email);
  const userEmail = event.user.email;
  const isInvited = inviteeEmails.includes(userEmail);

  if (!isInvited) {
    // deny(reason, userMessage): the reason is logged, the userMessage is shown to the user
    api.access.deny('no_invitation', 'You need an invitation code to sign up.');
  }
};
```
Please note that this action is just an example and it is not intended to be used as is.
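The following is an added example, not the article's or Auth0's own code: a testable version of the invitation check above. It factors the decision into a pure function that normalises e-mail case and ignores expired invitations, walks every page of the invitations endpoint instead of only the first, and lets a fake Management client be injected so the Action can be exercised offline against constructed records. The `createClient` third parameter, the `simulate` harness, the sample records and the `org_PLACEHOLDER` value are assumptions made for this example; the secret names and the `deny` call mirror the article.

```javascript
// Added example (not the article's own code): a testable version of the
// Pre User Registration invitation check.

// Pure check: is there an unexpired invitation for this e-mail address?
// `invitations` holds items shaped like the Management API's
// GET /api/v2/organizations/{id}/invitations response ({ invitee: { email }, expires_at, ... }).
function isInvited(invitations, email, now = new Date()) {
  if (typeof email !== 'string' || email.trim() === '') return false;
  const wanted = email.trim().toLowerCase(); // compare e-mail addresses case-insensitively
  return invitations.some((inv) => {
    const invitee = inv && inv.invitee && inv.invitee.email;
    if (typeof invitee !== 'string') return false;
    if (invitee.trim().toLowerCase() !== wanted) return false;
    // An invitation past its expires_at no longer grants sign-up.
    return !inv.expires_at || new Date(inv.expires_at) > now;
  });
}

// Slice one page out of a record set, the way the paginated endpoint does.
function selectPage(records, page, perPage) {
  return records.slice(page * perPage, (page + 1) * perPage);
}

// Walk every page so the check is not limited to the first page of invitations.
// Assumes getInvitations accepts page/per_page (as the Management API endpoint does)
// and returns either an array (node-auth0 v3) or { data: [...] } (node-auth0 v4).
async function fetchAllInvitations(management, organizationId, perPage = 50) {
  const all = [];
  for (let page = 0; ; page++) {
    const res = await management.organizations.getInvitations({ id: organizationId, page, per_page: perPage });
    const items = Array.isArray(res) ? res : res.data;
    all.push(...items);
    if (items.length < perPage) return all;
  }
}

// Builds the real client from Action secrets (same secret names as the article).
function createManagementClient(secrets) {
  const { ManagementClient } = require('auth0');
  return new ManagementClient({
    domain: secrets.UM_M2M_DOMAIN,
    clientId: secrets.UM_M2M_CLIENT_ID,
    clientSecret: secrets.UM_M2M_CLIENT_SECRET,
  });
}

// The handler. `createClient` is a hypothetical third parameter added here so a
// fake client can be injected; Auth0 itself calls the handler with (event, api) only.
async function onExecutePreUserRegistration(event, api, createClient = createManagementClient) {
  const management = createClient(event.secrets);
  const invitations = await fetchAllInvitations(management, event.secrets.organizationId);
  if (!isInvited(invitations, event.user.email)) {
    // deny(reason, userMessage): the reason is logged, the userMessage is shown to the user.
    api.access.deny('no_invitation', 'You need an invitation to sign up.');
  }
}

// Constructed sample records standing in for Management API responses.
const SAMPLE_INVITATIONS = [
  { invitee: { email: 'Alice@Example.com' }, expires_at: '2999-01-01T00:00:00.000Z' },
  { invitee: { email: 'bob@example.com' }, expires_at: '2000-01-01T00:00:00.000Z' }, // expired
];

// Fake Management client that pages through constructed records with a small page size.
function fakeManagement(records, perPage = 1) {
  return {
    organizations: {
      getInvitations: async ({ page }) => selectPage(records, page, perPage),
    },
  };
}

// Runs the handler offline with a fake `api` and reports the decision as a string.
async function simulate(email, records) {
  const event = { user: { email }, secrets: { organizationId: 'org_PLACEHOLDER' } };
  let decision = 'allowed';
  const api = { access: { deny: (reason, userMessage) => { decision = `denied: ${userMessage}`; } } };
  // per_page 1 in the fake forces multi-page fetching even for two records
  await onExecutePreUserRegistration(event, api, () => fakeManagement(records, 1));
  return decision;
}

simulate('alice@example.com', SAMPLE_INVITATIONS).then((d) => console.log('alice:', d));
simulate('bob@example.com', SAMPLE_INVITATIONS).then((d) => console.log('bob:', d));
simulate('mallory@example.com', SAMPLE_INVITATIONS).then((d) => console.log('mallory:', d));
```

Because the fake client returns one record per page, the `bob` and `mallory` runs only reach a deny after every page has been fetched, which is the behaviour to expect once an organization has more pending invitations than a single Management API page holds. Note that `fetchAllInvitations` is a stand-in for the one-call fetch in the article, not an assumption about how the Action runtime's bundled `auth0` package pages results.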