Feature: Provide a short title of your feature request/feedback.
Trigger the Pre User Registration flow for social and other non-database connection types.
Description: Give us some details about your feedback/feature request. Examples, screenshots, videos, etc. are helpful.
For some reason, the Pre User Registration flow does not run for social or other non-database connection types. This makes it impossible to:
Create a corresponding user in an external database, before the user is registered in Auth0.
Deny a social registration if a user with the same email address already exists. (i.e. enforce unique email addresses)
Set a user’s locale/language in metadata for use in email templates.
These are very significant limitations.
Use-case: Tell us what you are building. How would the feedback/feature improve your experience?
If this flow was extended to include social and other connection types, we would be able to use it to accomplish all of the items listed above. Without it, I’m not even sure if Auth0 will work for us.
Hey gg-dev, I understand your issue and upvoted it.
On a sidenote, cause you said auth0 might not work for you:
Since the Login flow is the only hook that triggers regardless of the concrete connection, this is where we put all the logic you described into and abandoned all the other hooks, which are exclusively for database connections.
In concrete this means that for social logins the only option right now is to create the users on login. Once you apply this logic you realize that the same logic can also be applied to database users. That leaves the other registration hooks totally useless once you decide to support social logins.
I’ve also hit this limitation and had to work around it. I ended up doing as @hendrik described - I have “complete user registration” login action which checks a flag in the user’s app_metadata and if the flag is missing, runs some code (in my case to assign roles and set user metadata based on a custom invitation it retrieves from an API in our systems), then sets the flag in app_metadata to prevent the same code running a second time. This works, but it feels hacky, and is vulnerable to somebody inadvertently messing with the flag I’ve set in app_metadata (I also check for logins_count > 1, but I found the action runs more than once with logins_count == 1 as I refresh my SPA app page after first login, so testing logins_count > 1 on it’s own is not a safe way of preventing the code running multiple times).
Thanks Dan. At the risk of hijacking this thread, I assumed it was reasonable to use app_metadata on the user object to store properties that describe something about the user which is never seen by the user and only written/read from server-side code (in this case a flag to preserve state that is written and read from an action script). Are you suggesting that isn’t safe? If so I’m not sure I understand what app_metadata on the user object is for.
How and when app_metadata is (or isn’t) presented to the user is going to depend on your implementation.
For example, it’s common that app_metadata is added to tokens, which could then be read by the user of a client side app, but the user would have no ability to manage its contents as it is in a signed token.
I really need a feature like this too.
upon registration, some sort of license key is generated in app_metadata and should be included in the welcome e-mail.
This works for e-mail based accounts, but not for social logins as the pre-registration isn’t triggered., and the post-login happens after the welcome e-mail is send out.
Thank you everyone for sharing additional context. We’ll analyze it at the beginning of next month in collaboration with our product team and potentially will add it to our engineering backlog. Thank you for your understanding!
Agreed this would be very helpful. We’re trying to limit users to those we manually create in the password database. We can prevent logins, but it doesn’t appear there’s any way to actually stop the user from signing up using a social connection and getting added to the tenant.
Chiming in here as this feature would also be very useful to me.
What would be really useful to me would be the ability to deny a social registration via an action. As a previous poster said, we’ve worked around this with a post-login action, but this does not stop the account itself from being created.