Hi,
I have a web application for which I would like to enable users to sign up and log in.
I would only like specific users to be able to signup, and I would only like the users which have signed up to be able to log in.
Most (if not all) users will be signing up from a specific list of organization domains, e.g. company1.com and org3.net, but I don’t want any user with an org3.net email to be able to sign up and login.
In any case, I’d like the default behavior to be 401/403 (access denied).
Going forward, (ideally) I would like to manage one whitelist of user emails that get access to the app, and for their Roles to be set according to, e.g., domain. So for example, all users with the email @org3.net would get an “Org3 Member” Role, which gives the user an “orgmember” scope/permission or something similar, but no access to the app. Then I would manually give specific users more specific Roles that would grant them access to the app itself.
But all solutions seem overly complex for what I believe is a rather simple request. In the first question I linked above, “dan.woda” says “it sounds like you are dangerously close to RBAC. This certainly could solve the problem, and may be easier. It is kind of set up to do what you are requesting.” But it is unclear to me how RBAC alone solves the problem in my case.
If you are planning on adding every user (email) to your application, you may want to consider an invite-only setup. This allows you to invite users by inputting their email into the Auth0 UI. There is no email whitelist you have to maintain, because it is all done via the dashboard.
Let me know if that doesn’t satisfy your requirements and we can talk more about a whitelist solution.
I left out a rather critical part in my original post, I only remembered the tag: I’d like users to be able to login using existing social/organizational accounts that are linked to the same email address.
For example, if org3.org uses Google Workspace, I’d like bob@org3.org to be able to login using his Google account without having to setup a password.
Would this fit in with the invite-only approach?
Also, using the invite-only approach, would I be able to predefine the Roles a user would get once successfully registered and logged in?
No, the invite flow is not going to work with social connections. In that case, you could use a rule to manage a whitelist of emails.
Are the roles going to have any pattern? For example, will users of a certain email domain have the same role (i.e., all users with the @company1 domain have the Company 1 role)?
Is there a way that the whitelist rule can get the whitelist contents dynamically from some central source that will be simple to maintain without touching any of the Rules’ code?
Yes, new users should get an initial Role that defines the organization they belong to. This Role shouldn’t grant any “real” access; it would mostly be used for identification.
Regarding the “invite-only” flow, adding new users would mean navigating to the Templates page and sending out an invite? Or is there a dedicated page in the Dashboard I am unaware of?
Yes, you can get it from a Dropbox file for example, but making the request to retrieve the file on every Auth0 request could slow down your login process. You could also use the Deploy CLI Tool to manage your rules code.
app_metadata might be a better fit for this info. How are you going to predefine which users get what organization?
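To make the two suggestions above concrete (a rule that manages an email whitelist, and app_metadata for the organization role), here is an added example in the shape of an Auth0 rule; it is not code from this thread or from Auth0. It assumes the standard (user, context, callback) rule signature, defines its own UnauthorizedError because the rule sandbox normally provides that class, and uses constructed sample emails and domains.

```javascript
// Added example: Auth0-style rule that whitelists individual emails, denies
// everyone else by default (the 401/403 behaviour asked for), and records a
// domain-based organization role in app_metadata.

// The Auth0 rule sandbox provides UnauthorizedError; defined here only so the
// example runs stand-alone.
class UnauthorizedError extends Error {}

// Constructed sample data: the explicit email whitelist and the map from
// email domain to the "identification only" organization role.
const ALLOWED_EMAILS = new Set(['alice@company1.com', 'bob@org3.net']);
const DOMAIN_ROLES = { 'company1.com': 'Company1 Member', 'org3.net': 'Org3 Member' };

function whitelistRule(user, context, callback) {
  // Only trust an address the identity provider has verified: with social
  // connections an unverified email is just a claim, not proof of membership.
  if (!user.email || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));
  }
  const email = user.email.toLowerCase();
  // Default behaviour: anyone not explicitly listed is denied.
  if (!ALLOWED_EMAILS.has(email)) {
    return callback(new UnauthorizedError('Access denied.'));
  }
  const domain = email.split('@')[1];
  const orgRole = DOMAIN_ROLES[domain];
  if (!orgRole) {
    return callback(new UnauthorizedError('Access denied.'));
  }
  // Store the organization role in app_metadata (which the user cannot edit,
  // unlike user_metadata) without discarding roles granted manually.
  user.app_metadata = user.app_metadata || {};
  const roles = new Set(user.app_metadata.roles || []);
  roles.add(orgRole);
  user.app_metadata.roles = Array.from(roles);
  // In a real rule, persist the change with
  // auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
  // before calling back; omitted here so the example runs offline.
  return callback(null, user, context);
}
```

Because the whitelist and the domain map are plain data, they can be moved out of the rule code into a rule configuration value or a fetched list without changing the logic.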
I’ll have a look at the CLI Tool. A Dropbox file seems a bit odd; I meant something more along the lines of a list of users I manage somewhere else in the Dashboard (within Auth0) that the Rules can fetch and use.
I haven’t thought this through yet; I’m still a bit confused regarding the initial registration phase.
It’s not very clear to me how the invite-only flow works. Do I create the user, and then send the reset password link somewhere else?
I understand that “user invitation is basically a change password link repurposed as an invitation”, but I’m unsure how exactly the invitation should be performed.
If I wanted to invite alice@company1.com to register to use my app, what should I do?