Bug in Okta verification email flow

Questions
1

Hi,

As per one my requirements, I need to register new users and have they email verified before enables the sign in feature. The application flow should be the following:

  1. The user provides the username/email and password and clicks in the registration button.
  2. The system should register it with non-verified email status and send a verification email.
  3. The user should click on the link and has the email verified.
  4. The user must be redirected to the application homepage.

Currently, I am able to create the user by the following API:

https://myapplication.com/api/v1/users?activate=false

Then I call the following API to active it and send the email verification link:

https://myapplication.com/api/v1/users/{{userId}}/lifecycle/activate

After that, the user receives the verification email and also its status has changed from Staged to Active

The problem that I am facing is that even if the user does not click on the verification link, it is possible to execute the sign in using the following API call:

https://myapplication.com/api/v1/authn

Is there a way to disable the user sign in until it verifies the email?

Can someone please guide me on the right path or letting me know what I am doing wrong here.

Thanks in advance.

2

Hi Aroundeen,

Ive met the same exact issue recently while developing a login. The workaround I’ve been given was to immediately call https://myapplication.com/api/v1/users/{{userId} }/lifecycle/deactivate after sending the email, so the user wont be able to login even though he isn’t verified

3

At the end of the story we have moved our app to another service provider. Is really insane facing this type of issue. We use a service provider to do less work…not more work.
Good luck!