Bug in Okta verification email flow

Hi,

As per one of my requirements, I need to register new users and have their email verified before enabling the sign-in feature. The application flow should be the following:

  1. The user provides the username/email and password and clicks the registration button.
  2. The system should register them with a non-verified email status and send a verification email.
  3. The user should click on the link and have the email verified.
  4. The user must be redirected to the application homepage.

Currently, I am able to create the user with the following API:

https://myapplication.com/api/v1/users?activate=false

Then I call the following API to activate it and send the email verification link:

https://myapplication.com/api/v1/users/{{userId}}/lifecycle/activate

After that, the user receives the verification email and their status changes from Staged to Active.

The problem that I am facing is that even if the user does not click on the verification link, it is possible to sign in using the following API call:

https://myapplication.com/api/v1/authn

Is there a way to disable user sign-in until they verify the email?

Can someone please guide me on the right path or let me know what I am doing wrong here?

Thanks in advance.

Hi Aroundeen,

I've met the exact same issue recently while developing a login. The workaround I've been given was to immediately call https://myapplication.com/api/v1/users/{{userId}}/lifecycle/deactivate after sending the email, so the user won't be able to log in even though he isn't verified.

At the end of the story we have moved our app to another service provider. It is really insane facing this type of issue. We use a service provider to do less work… not more work.
Good luck!
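As an added example (not the poster's or the replier's code, and not Okta's SDK), here is the flow from the question together with the reply's deactivate workaround, written against the same endpoints with the HTTP transport injected so that it runs offline. `FakeOkta` is a constructed in-memory stand-in that reproduces only what the thread reports (Staged to Active on activate, /authn succeeding for an unverified Active user, deactivate blocking sign-in); `RegistrationService` and its `accounts` store are hypothetical application code; and re-activating a deactivated user by calling /lifecycle/activate again is an assumption the thread does not confirm. The point it demonstrates is that a SUCCESS from /authn is not an email-verification check, so the application must keep and enforce its own verified flag, and can additionally apply the workaround if it wants Okta itself to refuse the password until the link is clicked.

```python
"""Register-then-verify flow from the thread, runnable offline. Added example, not the poster's
or replier's code and not Okta's SDK; FakeOkta is a constructed stand-in (see its docstring)."""
import secrets
from typing import Callable, Dict, Tuple


class OktaUserFlow:
    """Thin client over an injectable POST callable (path, body, query) -> (status, body); paths
    and JSON shapes follow the public Okta Users/Authn APIs the thread calls."""

    def __init__(self, post: Callable[[str, dict, Dict[str, str]], Tuple[int, dict]]) -> None:
        self._post = post

    def _call(self, path: str, body: dict, query: Dict[str, str]) -> dict:
        status, resp = self._post(path, body, query)
        if status != 200:
            raise RuntimeError(f"{path} failed: {status} {resp}")
        return resp

    def create_staged_user(self, email: str, password: str) -> dict:
        body = {"profile": {"login": email, "email": email}, "credentials": {"password": {"value": password}}}
        return self._call("/api/v1/users", body, {"activate": "false"})  # -> STAGED, no mail yet

    def lifecycle(self, user_id: str, op: str, send_email: bool = False) -> dict:
        # op is "activate" or "deactivate". Okta defaults sendEmail to true, so pass it explicitly.
        query = {"sendEmail": str(send_email).lower()} if op == "activate" else {}
        return self._call(f"/api/v1/users/{user_id}/lifecycle/{op}", {}, query)

    def authn(self, username: str, password: str) -> Tuple[int, dict]:
        return self._post("/api/v1/authn", {"username": username, "password": password}, {})  # 401 expected


class RegistrationService:
    """Application side: its own verified flag (hypothetical app store) gates sign-in, since
    /authn SUCCESS says nothing about the email; can also apply the reply's deactivate workaround."""

    def __init__(self, okta: OktaUserFlow, deactivate_until_verified: bool) -> None:
        self.okta = okta
        self.deactivate_until_verified = deactivate_until_verified
        self.accounts: Dict[str, dict] = {}  # login -> {"id": okta user id, "verified": bool}

    def register(self, email: str, password: str) -> str:
        user = self.okta.create_staged_user(email, password)
        self.okta.lifecycle(user["id"], "activate", send_email=True)  # mail goes out; user is ACTIVE now
        self.accounts[email] = {"id": user["id"], "verified": False}
        if self.deactivate_until_verified:
            self.okta.lifecycle(user["id"], "deactivate")  # shut the window until the link is clicked
        return user["id"]

    def confirm_email(self, email: str) -> None:
        # Called by the verification-link handler once it has checked the link token.
        self.accounts[email]["verified"] = True
        if self.deactivate_until_verified:  # assumption: a DEPROVISIONED user can be activated again
            self.okta.lifecycle(self.accounts[email]["id"], "activate", send_email=False)

    def sign_in(self, email: str, password: str) -> str:
        status, body = self.okta.authn(email, password)
        if status != 200 or body.get("status") != "SUCCESS":
            return "denied: credentials"
        if not self.accounts.get(email, {}).get("verified"):
            return "denied: email not verified"  # the check /authn does not do for you
        return "ok"


class FakeOkta:
    """Constructed in-memory tenant reproducing only what the thread reports: STAGED -> ACTIVE on
    activate, /authn SUCCESS for any ACTIVE user with the right password, 401 otherwise."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def post(self, path: str, body: dict, query: Dict[str, str]) -> Tuple[int, dict]:
        parts = path.strip("/").split("/")  # api / v1 / users / {id} / lifecycle / {op}
        if path == "/api/v1/users":
            uid = "00u" + secrets.token_hex(8)
            self.users[uid] = {"id": uid, "profile": body["profile"], "_pw": body["credentials"]["password"]["value"],
                               "status": "STAGED" if query.get("activate") == "false" else "ACTIVE"}
            return 200, {k: v for k, v in self.users[uid].items() if k != "_pw"}
        if path == "/api/v1/authn":
            u = next((x for x in self.users.values() if x["profile"]["login"] == body["username"]), None)
            if u and u["status"] == "ACTIVE" and u["_pw"] == body["password"]:
                return 200, {"status": "SUCCESS", "sessionToken": secrets.token_urlsafe(16)}
            return 401, {"errorCode": "E0000004"}  # Okta's "authentication failed" code
        if len(parts) == 6 and parts[4] == "lifecycle" and parts[3] in self.users and parts[5] in ("activate", "deactivate"):
            self.users[parts[3]]["status"] = "ACTIVE" if parts[5] == "activate" else "DEPROVISIONED"
            return 200, {}
        return 404, {"errorCode": "E0000007"}  # Okta's "not found" code


def demo(deactivate_until_verified: bool) -> Dict[str, str]:
    """Run the flow once; report what Okta alone answers versus what the application decides."""
    fake = FakeOkta()
    svc = RegistrationService(OktaUserFlow(fake.post), deactivate_until_verified)
    svc.register("alice@example.com", "correct horse battery staple")
    okta_before, _ = svc.okta.authn("alice@example.com", "correct horse battery staple")
    app_before = svc.sign_in("alice@example.com", "correct horse battery staple")
    svc.confirm_email("alice@example.com")  # the user clicked the link
    app_after = svc.sign_in("alice@example.com", "correct horse battery staple")
    return {"okta_before": str(okta_before), "app_before": app_before, "app_after": app_after}
```

Calling `demo(False)` shows Okta answering 200 to /authn before the link is clicked while the application still denies the sign-in; `demo(True)` shows the workaround, where Okta itself answers 401 until `confirm_email` re-activates the user. Against a real tenant, replace `FakeOkta.post` with a function that POSTs to your Okta domain with an API token, and make sure the verification-link handler validates its own link token before it calls `confirm_email`, otherwise the gate can be bypassed by anyone who can guess the URL.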