Invite only registration flow and user management?

Hi guys,

I am trying to prototype the following scenario for a new application and would be grateful for a little help getting started:

We want to use Okta for user management. We’d like to use the User API to create new user accounts initially without a password. When an account is created we’d like the user to receive an email asking them to confirm their account, which would take them to Okta where they would set their password. After that we’d like them to be forwarded to, or at least requested to click a link to our web app. Ideally Okta would redirect them and pass in an access token via a callback page so they would be logged in immediately and can start using our single page web app.

We would prefer that users manage their account on Okta, but we need to ensure every user has an assigned role and an optional array of OrgIDs - these would be in the default access token claim and be verified by our web app. The user must not be able to see or change their role name or Org IDs.

Does the above sound plausible or am I completely off track? If so what steps do I need to perform on Okta to make our application user management work this way?

Thanks in advance!

Matt.

That sounds plausible. If you download the Postman collection or look on the dev API pages you can find the basic create user without password example script. Make sure to set sendemail or activate to true, then an email can be sent to the user. (You can change the wording and look of the initial email within your tenant).

They should be logged in once the account is created, so you won’t need to redirect them to the web app to log them in (unless they need to go through the web app, but you will have to prompt the user to go to your app after logging in).

You can create a custom array for the Okta profile as an additional variable. However, I don’t recommend storing access tokens as they can expire or be seen in plain text, which is something you want to avoid. The user themselves could see it through the API /api/v1/users/me (this is through the browser). If that will cause security issues it may be a good idea to store something else to reference the access tokens from a secure database.
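As an added illustration of the flow the reply describes (not code from the thread or from Okta's SDKs), the script below builds the Users API call that creates an account with no credentials and `activate=true` so Okta sends the activation email, puts the role and org IDs on the profile as custom attributes, and refuses to place token-like values on the profile because the user can read their own profile back via /api/v1/users/me. The org domain and API token are assumed to come from environment variables, the custom attributes `role` and `orgIds` are assumed to already exist in the org's profile schema, and the sample response is constructed to match the shape of an Okta user object rather than captured from a real tenant.

```python
"""Build and inspect an Okta 'create user without credentials' request.

Added example, not Okta's own code. Assumptions: OKTA_DOMAIN and
OKTA_API_TOKEN environment variables; custom profile attributes `role`
(string) and `orgIds` (array of strings) already defined in the org.
"""
import json
import os
import urllib.request

# Attribute names that must never live on a profile: the user can read
# their own profile through /api/v1/users/me, so anything here is exposed.
FORBIDDEN_PROFILE_KEYS = {"accessToken", "access_token", "refreshToken", "password"}


def build_create_user_request(okta_domain, api_token, email, first_name,
                              last_name, role, org_ids, extra_profile=None):
    """Return (url, headers, body) for POST /api/v1/users?activate=true.

    No `credentials` object is included, so Okta creates the user without a
    password; with activate=true the activation email asks them to set one.
    """
    profile = {
        "firstName": first_name,
        "lastName": last_name,
        "email": email,
        "login": email,
        "role": role,              # assumed custom attribute
        "orgIds": list(org_ids),   # assumed custom attribute
    }
    profile.update(extra_profile or {})
    leaked = FORBIDDEN_PROFILE_KEYS.intersection(profile)
    if leaked:
        raise ValueError(f"refusing to store secret-like attributes on a profile: {sorted(leaked)}")

    url = f"https://{okta_domain}/api/v1/users?activate=true"
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"SSWS {api_token}",   # Okta API token scheme
    }
    return url, headers, {"profile": profile}


def create_user(okta_domain, api_token, *args, **kwargs):
    """Send the request built above and return Okta's JSON response."""
    url, headers, body = build_create_user_request(okta_domain, api_token, *args, **kwargs)
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize_created_user(user):
    """Pick out what the caller needs: id, status and the role/org claims.

    A user created without credentials and activate=true comes back in
    status PROVISIONED until they complete the activation email.
    """
    profile = user.get("profile", {})
    return {
        "id": user["id"],
        "status": user["status"],
        "login": profile.get("login"),
        "role": profile.get("role"),
        "orgIds": profile.get("orgIds", []),
        "activation_pending": user["status"] == "PROVISIONED",
    }


# Constructed sample response in the shape of an Okta user object (not real data).
SAMPLE_RESPONSE = {
    "id": "00u0000000EXAMPLE",
    "status": "PROVISIONED",
    "profile": {
        "firstName": "Ada", "lastName": "Example",
        "email": "ada@example.test", "login": "ada@example.test",
        "role": "viewer", "orgIds": ["org-alpha", "org-beta"],
    },
}

if __name__ == "__main__":
    domain = os.environ.get("OKTA_DOMAIN")
    token = os.environ.get("OKTA_API_TOKEN")
    if domain and token:
        user = create_user(domain, token, "ada@example.test", "Ada", "Example",
                           "viewer", ["org-alpha", "org-beta"])
    else:
        user = SAMPLE_RESPONSE  # offline: inspect the constructed sample instead
    print(json.dumps(summarize_created_user(user), indent=2))
```

Run it with the two environment variables set to hit a real org, or without them to see the summary of the constructed response; either way the role and org IDs travel as profile attributes rather than as tokens, and the guard raises before any request is sent if someone tries to stash an access token on the profile.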

Thanks @abroadhurst that’s really helpful!

Hi there,

Thanks for the above. Just to be clear, is there a way that after a user receives the activation email, completes the verification/welcome steps (creating a password, selecting an image, etc.) that they can be redirected to the application for which they registered, rather than the Okta dashboard where they would ‘Add Apps’?

Create User without Credentials

https://${yourOktaDomain}/api/v1/users?activate=true

I ask because my application is a custom app rather than enterprise.