Invite only registration flow and user management?

Hi guys,

I am trying to prototype the following scenario for a new application and would be grateful of a little help getting started:

We want to use Okta for user management. We’d like to use the User API to create new user accounts initially without a password. When an account is created we’d like the user to receive an email asking them to confirm their account, which would take them to Okta where they would set their password. After that we’d like them to be forwarded to, or at least requested to click a link to our web app. Ideally Okta would redirect them and pass in an access token via a callback page so they would be logged in immediately and can start using our single page web app.

We would prefer that users manage their account on Okta, but we need to ensure every user has an assigned role and an optional array of OrgIDs - these would be in the default access token claim and be verified by our web app. The user must not be able to see or change their role name or Org IDs.

Does the above sound plausible, or am I completely off track? If so, what steps do I need to perform on Okta to make our application's user management work this way?

Thanks in advance!

Matt.

That sounds plausible. If you download the Postman collection or look at the dev API pages, you can find the basic create-user-without-password example script. Make sure to set sendEmail or activate to true; then an email can be sent to the user. (You can change the wording and look of the initial email within your tenant.)

They should be logged in once the account is created, so you won't need to redirect them to the web app to log them in (unless they need to go through the web app, but you will have to prompt the user to go to your app after logging in).

You can create a custom array attribute in the Okta profile as an additional variable. However, I don't recommend storing access tokens, as they can expire or be seen in plain text, which is something you want to avoid. The user themselves could see it through the API /api/v1/users/me (this is through the browser). If that will cause security issues, it may be a good idea to store something else that references the access tokens in a secure database.
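The create-user call the answer above points at, worked through end to end as an added example (this is not code from the thread or from Okta's SDKs). It assumes the Users API shape `POST https://{yourOktaDomain}/api/v1/users?activate=true` with an `Authorization: SSWS {apiToken}` header, and that custom profile attributes named `role` and `orgIds` (names chosen here, not taken from the thread) have already been added in the Profile Editor and marked read-only for end users. The body deliberately carries no `credentials` object, which is what leaves the account without a password so that Okta's activation email has the user set one. The `fake_okta_opener` is a constructed stand-in for the tenant so the script runs offline; `check_app_claims` shows the claim checks the web app would do after a JWT library has verified the token signature against the authorization server's JWKS.

```python
"""Create an Okta user with no password and let Okta send the activation email.

Added example, not from the thread or Okta's SDKs. Assumed API shape:
    POST https://{yourOktaDomain}/api/v1/users?activate=true
    Authorization: SSWS {apiToken}
Assumed custom profile attributes (added in the Profile Editor): role, orgIds.
"""
import io
import json
import time
import urllib.request

ALLOWED_ROLES = {"admin", "member", "viewer"}  # assumed application roles


def validate_app_attributes(role, org_ids):
    """Reject a role/orgIds pair the application would not accept."""
    if role not in ALLOWED_ROLES:
        raise ValueError(f"unknown role: {role!r}")
    if not isinstance(org_ids, list) or not all(isinstance(o, str) and o for o in org_ids):
        raise ValueError("orgIds must be a list of non-empty strings")
    return True


def build_create_user_request(okta_domain, api_token, first_name, last_name,
                              email, role, org_ids):
    """Return (url, headers, body) for a create-user call with no credentials.

    No `credentials` key is sent: the account is created without a password,
    and activate=true makes Okta mail the user, who sets it on Okta's side.
    """
    validate_app_attributes(role, org_ids)
    url = f"https://{okta_domain}/api/v1/users?activate=true"
    headers = {"Accept": "application/json",
               "Content-Type": "application/json",
               "Authorization": f"SSWS {api_token}"}
    payload = {"profile": {
        "firstName": first_name, "lastName": last_name,
        "email": email, "login": email,
        # Custom attributes. Keep them read-only for end users in the Profile
        # Editor; they are visible to the user via GET /api/v1/users/me.
        "role": role, "orgIds": org_ids,
    }}
    return url, headers, json.dumps(payload).encode()


def create_user(okta_domain, api_token, first_name, last_name, email, role,
                org_ids, opener=urllib.request.urlopen):
    """POST the request; return (user_id, status) from Okta's JSON response.

    `opener` is injectable so the flow can be exercised offline.
    """
    url, headers, body = build_create_user_request(
        okta_domain, api_token, first_name, last_name, email, role, org_ids)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        data = json.loads(resp.read().decode())
    # Without credentials and with activate=true the user comes back
    # PROVISIONED: activation mail sent, password not yet set.
    return data["id"], data["status"]


def check_app_claims(claims, issuer, audience, now=None):
    """Check the app's claims in an already signature-verified access token.

    Signature verification against the authorization server's JWKS must happen
    first (an Okta JWT verifier library does that); this validates only the
    claim values the web app relies on and returns (role, orgIds).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("unexpected audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    role, org_ids = claims.get("role"), claims.get("orgIds", [])
    validate_app_attributes(role, org_ids)
    return role, org_ids


def fake_okta_opener(req):
    """Constructed stand-in for the tenant: checks the request, answers like Okta."""
    if req.get_method() != "POST" or not req.full_url.endswith("/api/v1/users?activate=true"):
        raise AssertionError("wrong method or URL")
    if not (req.get_header("Authorization") or "").startswith("SSWS "):
        raise AssertionError("missing SSWS token")
    sent = json.loads(req.data.decode())
    if "credentials" in sent:
        raise AssertionError("a password was sent; the user should set it via Okta")
    reply = {"id": "00u1example", "status": "PROVISIONED", "profile": sent["profile"]}
    return io.BytesIO(json.dumps(reply).encode())
```

Swap `fake_okta_opener` for the default `urllib.request.urlopen` to hit a real tenant; the API token should come from a secret store, never from the user profile, for the same reason the answer gives about access tokens.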

Thanks @abroadhurst that’s really helpful!

Hi there,

Thanks for the above. Just to be clear, is there a way that after a user receives the activation email, completes the verification/welcome steps (creating a password, selecting an image, etc.) that they can be redirected to the application for which they registered, rather than the Okta dashboard where they would ‘Add Apps’?

Create User without Credentials

https://${yourOktaDomain}/api/v1/users?activate=true

I ask because my application is a custom app rather than enterprise.

You can modify the welcome email to include a link that directs them, through Okta, into the application; however, that is as close as you can get to it. Another option would be to automatically assign the app to the user via a group rule or automations.

Thanks very much for the reply. By adding a group rule within Okta to automatically assign the app to the user, once the user completes the verification/welcome steps, will they be redirected to that particular app?

No, I don't believe so. You will need to get the user to click on the app. Alternatively, you could set up your own system to complete the welcome email on their behalf (via Selenium), then create an intranet where they can complete a custom form by clicking on a link from the custom email format from Okta (that will pass the dedicated values for Selenium to fill in), and once the form is completed, you could redirect them to the first app on their dashboard (assuming it is assigned via a group rule). However, this will only work on creation of that new user. You will have to set up a system to link them to the app each time. Eventually they will have to click something to be redirected to the app; this is a lot of work for appearances, however it will work.
