I am using Auth0 for SSO to a white-labeled custom app (web and mobile). The app requires that the signup flow also be handled by the SSO provider, which I have set up.
The issue is that my app is private, so I want to allow signups only by email addresses that have been invited (invitations are sent directly from my CRM via Zapier through the custom app server).
What’s the best way for me to restrict users from signing up with non-approved email addresses?
How can I restrict social logins at signup but allow them during log in?
This one is trickier since social logins are triggered only in the post-login flow. The pre-user registration flow only runs before a user is added to a database or passwordless connection.
One way to handle this is to use a post-login action to block social logins when it is the user's first time logging in. This works because users automatically log in when they sign up.
Here’s an example of how you might implement this:
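Added example, not the code from the original answer (the snippet it refers to is not reproduced on this page): the two Auth0 Actions that together keep signup invite-only, written against the real Action handler signatures (`onExecutePreUserRegistration(event, api)`, `onExecutePostLogin(event, api)`, `api.access.deny`, `api.user.setAppMetadata`). Everything else is an assumption made for the example: the `INVITED` set and `isInvited()` stand in for a lookup against your app server's invitation store, and `makeEvent`, `makeApi`, `tryLogin` and `trySignup` are offline test doubles, not Auth0 APIs.

```javascript
// Added example (not from the original thread). A Pre-User Registration
// Action covers database/passwordless signups; a Post-Login Action covers
// social connections, which never pass through Pre-User Registration.
//
// Assumption: isInvited() is a hypothetical lookup. In a real Action, replace
// its body with an authenticated HTTPS call to your app server (fetch() with a
// token kept in event.secrets).

// Constructed stand-in for the invitation store fed by the CRM.
const INVITED = new Set(['alice@example.com']);

// Normalise the address the same way the invitation sender does.
function normaliseEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : '';
}

// Hypothetical lookup; production code would query the app server here.
async function isInvited(email) {
  const key = normaliseEmail(email);
  return key !== '' && INVITED.has(key);
}

// Pre-User Registration: runs before Auth0 creates a database or passwordless
// user, so an uninvited signup never produces a user record.
async function onExecutePreUserRegistration(event, api) {
  if (!(await isInvited(event.user.email))) {
    api.access.deny('not_invited', 'Signups are by invitation only.');
  }
}

// Post-Login: a social signup logs the user in immediately, and the user
// record already exists by the time this runs. The check is gated on an
// app_metadata flag rather than on event.stats.logins_count alone, because a
// denied social user still exists and will not look like a first login again.
async function onExecutePostLogin(event, api) {
  if (event.user.app_metadata && event.user.app_metadata.invited === true) {
    return; // already vetted on an earlier login
  }
  // Not every social provider verifies addresses; an unverified email must
  // not be able to claim somebody else's invitation.
  if (!event.user.email_verified) {
    api.access.deny('Email address is not verified.');
    return;
  }
  if (!(await isInvited(event.user.email))) {
    api.access.deny('Signups are by invitation only.');
    return;
  }
  api.user.setAppMetadata('invited', true); // skip the lookup from now on
}

// Minimal stand-ins for the event and api objects Auth0 passes to an Action,
// just enough to exercise the logic offline.
function makeEvent({ email, emailVerified = true, appMetadata = {} }) {
  return { user: { email, email_verified: emailVerified, app_metadata: appMetadata } };
}

function makeApi() {
  const calls = { denied: null, metadata: {} };
  return {
    calls,
    access: { deny: (reason, userMessage) => { calls.denied = userMessage || reason; } },
    user: { setAppMetadata: (key, value) => { calls.metadata[key] = value; } },
  };
}

// Runs one login through the Post-Login Action and reports the outcome.
async function tryLogin(opts) {
  const api = makeApi();
  await onExecutePostLogin(makeEvent(opts), api);
  return { denied: api.calls.denied, metadata: api.calls.metadata };
}

// Runs one database signup through the Pre-User Registration Action.
async function trySignup(email) {
  const api = makeApi();
  await onExecutePreUserRegistration({ user: { email } }, api);
  return api.calls.denied;
}

// In the Auth0 Action editor each handler is assigned to exports.*; the guard
// keeps this file loadable as an ES module as well.
if (typeof module !== 'undefined') {
  module.exports = { onExecutePreUserRegistration, onExecutePostLogin, isInvited, tryLogin, trySignup };
}
```

Deploy the two handlers as separate Actions in their respective flows. The metadata flag is what makes the Post-Login side safe to rerun: an uninvited social user is denied on every attempt until their address appears in the invitation store, not only on the attempt that happened to be their first.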