Hi @gg-dev, thank you for the feedback and detailed use cases!
Hey gg-dev, I understand your issue and upvoted it.
On a sidenote, cause you said auth0 might not work for you:
Since the Login flow is the only hook that triggers regardless of the concrete connection, this is where we put all the logic you described into and abandoned all the other hooks, which are exclusively for database connections.
In concrete this means that for social logins the only option right now is to create the users on login. Once you apply this logic you realize that the same logic can also be applied to database users. That leaves the other registration hooks totally useless once you decide to support social logins.
Thanks, we had set up Post Login code, but unfortunately it doesn’t fit our needs (some of which are listed in the OP).
This, together with the other 4 items of feedback that I posted, meant that we were unable to move forward with Auth0.
Glen.
Thank you for all the feedback and really sorry to hear that Glen!
I’ve also hit this limitation and had to work around it. I ended up doing as @hendrik described - I have “complete user registration” login action which checks a flag in the user’s app_metadata
and if the flag is missing, runs some code (in my case to assign roles and set user metadata based on a custom invitation it retrieves from an API in our systems), then sets the flag in app_metadata
to prevent the same code running a second time. This works, but it feels hacky, and is vulnerable to somebody inadvertently messing with the flag I’ve set in app_metadata
(I also check for logins_count > 1
, but I found the action runs more than once with logins_count == 1
as I refresh my SPA app page after first login, so testing logins_count > 1
on it’s own is not a safe way of preventing the code running multiple times).
Hi @wwarby,
Thanks for the additional context.
I think this solution makes sense for the time being. Just FYI, users shouldn’t be able to manage any data within app_metadata.
Thanks Dan. At the risk of hijacking this thread, I assumed it was reasonable to use app_metadata on the user object to store properties that describe something about the user which is never seen by the user and only written/read from server-side code (in this case a flag to preserve state that is written and read from an action script). Are you suggesting that isn’t safe? If so I’m not sure I understand what app_metadata on the user object is for.
How and when app_metadata is (or isn’t) presented to the user is going to depend on your implementation.
For example, it’s common that app_metadata is added to tokens, which could then be read by the user of a client side app, but the user would have no ability to manage its contents as it is in a signed token.
This is outlined here: Understand How Metadata Works in User Profiles
If you have any more questions about this, please create a new topic and tag me.
Is this scheduled to be included in the future? Have the same need.
Thanks for sharing your interest. This feature request has not been scheduled for development.
My team is also interested in the original post request, specifically related to the OP’s number 2:
“Deny a social registration if a user with the same email address already exists. (i.e. enforce unique email addresses)”
Thanks for considering!
Hi!
Also would like to upvote this, my team would aslo be able to “Deny a social registration”. Hope that this will be included for the future.
I really need a feature like this too.
upon registration, some sort of license key is generated in app_metadata and should be included in the welcome e-mail.
This works for e-mail based accounts, but not for social logins as the pre-registration isn’t triggered., and the post-login happens after the welcome e-mail is send out.
Thank you everyone for sharing additional context. We’ll analyze it at the beginning of next month in collaboration with our product team and potentially will add it to our engineering backlog. Thank you for your understanding!
This would make soooooo much sense to have. Now we have to hack everything into the Post Login flow, making it overly complicated.
Agreed this would be very helpful. We’re trying to limit users to those we manually create in the password database. We can prevent logins, but it doesn’t appear there’s any way to actually stop the user from signing up using a social connection and getting added to the tenant.
Upvote for post-user-registration as well. I expect y’all could probably 2 birds one stone here.
Chiming in here as this feature would also be very useful to me.
What would be really useful to me would be the ability to deny a social registration via an action. As a previous poster said, we’ve worked around this with a post-login action, but this does not stop the account itself from being created.
I worked around that by deleting the just created account on the action the problem is that it does not redirect to the sign up screen with an error.