Workflow to "Always create an Auth0 identity"

We are connecting a partner organization via an enterprise connection and wondering if it is possible to construct a login / registration flow that requires the user to create an Auth0 identity first, that we then link their enterprise identity to. We have use cases where we want the user to persist even if they leave the partner organization. Something like:

  1. User attempts to log in with an enterprise email address.
  2. Is there an existing Auth0 identity with that email address?
    1. If yes, is the enterprise identity already linked to the Auth0 identity?
      1. If yes, continue the login flow.
      2. If no, link the identities (Auth0 rule) and continue the login flow.
    2. If no, error / redirect to the Auth0 identity creation flow.

One immediate question that comes to mind: If you have an enterprise connection for users from ‘foo.com’, can someone register an Auth0 identity with a ‘foo.com’ email address?

I’ll attempt to test what I can myself, but if any of the experts has insight here, that would be appreciated.

Hi @markd,

In short, that can be achieved, but you would have to use Auth0.js rather than Lock, in order to perform your custom logic. For example (assuming you use the hosted login page):

  1. Build a custom UI using Auth0.js on the hosted login page
  2. The custom UI could ask the user to enter an email address (don’t show the password field).
  3. Once entered, you could make a call to your backend, which could query the Management API to check if an enterprise connection user exists with the same email address.
  4. Perform your custom logic based on the result of (3).

As for the second question, yes, users can register in two different connections using the same email address.


Thanks @prashantT. This is very helpful. I suspect customizing our Universal Login page like this may be more than we are willing to take on right now, but I’ll feed this back to the team so they can decide.

What about a process, possibly a post-user-registration hook, that implements something like:

  if enterprise_user and not auth0_user:
      create_auth0_user()  # create the persistent Auth0 identity first
      link_users()         # then link the enterprise identity to it

The account linking rule would handle the case where the user already had an Auth0 account under the same email address. The above would be for net new users.

More generally, we want users who join or leave the partner organization to persist in our systems as some of them have other business with us. We would prefer to avoid having them re-register.
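The decision tree from the first post and the hook sketched above, as an added example that is not code from this thread or from Auth0: a pure function that returns the action a rule or hook should take. The Management API "users by email" lookup is replaced by an in-memory directory of constructed user records (`DIRECTORY`, `partnerLogin` and the `partner-saml` connection name are assumptions), and it adds one check the posts do not spell out: only link when the email is verified on both sides.

```javascript
// Added example (not from the thread): the linking decision as a pure function.
// Constructed Auth0-shaped records: a database user with no partner identity,
// one whose email is unverified, and one already linked to the partner.
const DIRECTORY = [
  { user_id: 'auth0|a1', email: 'alice@foo.com', email_verified: true,
    identities: [{ provider: 'auth0', user_id: 'a1' }] },
  { user_id: 'auth0|b2', email: 'bob@foo.com', email_verified: false,
    identities: [{ provider: 'auth0', user_id: 'b2' }] },
  { user_id: 'auth0|c3', email: 'carol@foo.com', email_verified: true,
    identities: [{ provider: 'auth0', user_id: 'c3' },
                 { provider: 'samlp', user_id: 'carol@foo.com', connection: 'partner-saml' }] },
];

// Stand-in for the Management API lookup. A "primary" Auth0 identity here is a
// record whose first identity comes from the Auth0 database connection.
function findDatabaseUsersByEmail(directory, email) {
  const wanted = String(email || '').trim().toLowerCase();
  return directory.filter(u => u.email.toLowerCase() === wanted &&
                               u.identities[0].provider === 'auth0');
}

// True when the enterprise identity already appears among the primary's identities.
function isLinked(primary, enterprise) {
  const ent = enterprise.identities[0];
  return primary.identities.some(i => i.provider === ent.provider && i.user_id === ent.user_id);
}

// enterprise: the user object built for the partner login (user_id like
// 'samlp|partner-saml|<id>'). Returns { action, ... } for the caller to act on.
function decideLogin(enterprise, directory) {
  // Never link on an unverified address: whoever controls it could otherwise be
  // attached to an existing account. Require verification on both sides.
  if (!enterprise.email_verified) return { action: 'deny', reason: 'enterprise email unverified' };
  const matches = findDatabaseUsersByEmail(directory, enterprise.email);
  if (matches.length === 0) return { action: 'redirect_to_registration' };
  if (matches.length > 1) return { action: 'deny', reason: 'ambiguous email match' };
  const primary = matches[0];
  if (isLinked(primary, enterprise)) return { action: 'continue', primary: primary.user_id };
  if (!primary.email_verified) return { action: 'deny', reason: 'database email unverified' };
  const ent = enterprise.identities[0];
  return { action: 'link', primary: primary.user_id,
           secondary: { provider: ent.provider, user_id: ent.user_id } };
}

// Builds a constructed enterprise-connection user for the assumed 'partner-saml' connection.
function partnerLogin(email, verified) {
  return { user_id: `samlp|partner-saml|${email}`, email, email_verified: verified,
           identities: [{ provider: 'samlp', user_id: email, connection: 'partner-saml' }] };
}
```

The `link` result carries exactly the primary/secondary pair a real rule would pass to the Management API's link-users call; the `deny` and `redirect_to_registration` outcomes are the "error / redirect" branch of the original flow.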
