I’m really disappointed by the lack of an invite feature for passwordless authentication methods.
However, for anyone looking for a workaround, here’s how we’re doing it:
- Generate a short invite URL within our own app: https://{your domain}/confirm-invite/{random}. It’s even better if the URL is signed.
- Manually send the invite link to the user via email or phone number.
- When the invitee visits the URL above, we determine a suitable passwordless connection to use (e.g., SMS, Google, or Apple).
- Continue with the normal login flow after setting the connection and login hint. For example:
If, in step 3 above, we decide the user should sign up or log in with a phone number, it would look like this:
https://{yourDomain}/authorize?
response_type=code&
client_id={yourClientId}&
redirect_uri={https://yourApp/callback}&
scope={scope}&
audience={apiAudience}&
state={state}&
organization={org_id}&
connection=sms&
login_hint=+12125551212
If we decide to have the user sign in with Google, it would look like this:
https://{yourDomain}/authorize?
response_type=code&
client_id={yourClientId}&
redirect_uri={https://yourApp/callback}&
scope={scope}&
audience={apiAudience}&
state={state}&
organization={org_id}&
connection=google-oauth2
The problem with the above approach is that a user can change their phone number or sign in with a different Google account, in which case you’re stuck with a mismatch of details between the invitation and whatever Auth0 returns.
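
Added example, not part of the original post and not Auth0's code: one way to sign the `{random}` part of the invite URL with an HMAC, build the `/authorize` redirect from a verified invite, and detect the mismatch described above when the callback returns. The secret, function names and payload fields are hypothetical; the check assumes the ID token has already been validated and carries the standard OIDC `phone_number`, `email` and `email_verified` claims.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode

SECRET = b"constructed-demo-key"  # assumption: a server-side secret, never sent to the client

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body):
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def make_invite(connection, expect, ttl=86400, now=None):
    """Return the {random} part of /confirm-invite/{random}: payload plus HMAC tag."""
    issued = int(time.time() if now is None else now)
    payload = {"id": secrets.token_urlsafe(8), "conn": connection,
               "expect": expect, "exp": issued + ttl}
    body = _b64(json.dumps(payload).encode())
    return f"{body}.{_sign(body)}"

def verify_invite(token, now=None):
    """Return the payload, or None if the token is malformed, forged or expired."""
    try:
        body, tag = token.split(".")
        if not hmac.compare_digest(tag, _sign(body)):  # constant-time comparison
            return None
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return None
    current = time.time() if now is None else now
    return payload if payload["exp"] >= current else None

def authorize_url(domain, client_id, redirect_uri, scope, audience, org_id, state, invite):
    """Build the /authorize redirect from the post, with every value URL-encoded."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "audience": audience,
              "state": state, "organization": org_id, "connection": invite["conn"]}
    if invite["conn"] == "sms":
        params["login_hint"] = invite["expect"]  # '+' is sent as %2B
    return f"https://{domain}/authorize?" + urlencode(params)

def identity_matches(invite, claims):
    """Check verified ID-token claims against the identity the invite was issued for."""
    if invite["conn"] == "sms":
        return claims.get("phone_number") == invite["expect"]
    return (claims.get("email_verified") is True
            and claims.get("email", "").lower() == invite["expect"].lower())
```

Keeping the invite id in the session (or binding it to `state`) lets the callback look up which invite to compare against, and a failed `identity_matches` can be handled by rejecting the membership rather than silently linking the wrong account.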