Hi everyone,
I am currently trying to implement a signup / registration flow for a consumer-facing web application based on React, which uses okta-auth-js to allow a custom login form.
In my experience, the following flow for user registration (signup) is pretty standard for SaaS products, yet I can't seem to figure out how to implement it with Okta, given that I do not want to make use of the Okta-hosted signup form.
The flow should be as follows:
1. User visits the custom signup-page in our SPA, is asked for a (primary) email and a password.
2. The user clicks "signup", my SPA issues a request to our backend API, which in turn uses a private token to authorize requests to Okta's REST API. It uses the Okta REST API to create the user within Okta using this endpoint: Users | Okta Developer, with the "activate" parameter set to false. In the frontend, the user is now prompted to check his/her inbox for an activation email.
From here, the flow deviates from my expectation:
Ideally:
3. The user finds an activation email in his/her inbox, clicks a link contained in it and is redirected to our app, where he can now sign in with the credentials provided in 1.
Actual:
3. The user never receives any activation email (as stated in the documentation of the endpoint).
Questions:
- Is it at all possible to build a fully custom customer signup experience using the Okta REST API that avoids sending the user to the Okta-hosted pages?
- Do I need to implement my own activation-email flow in this case?
Now I am aware that I could use another endpoint of the API to create the user without credentials, but the activation email sent with that takes the user again back to the Okta-hosted "specify password / recovery question" screens, which I'd like to avoid.
Thanks in advance