User creation workflow

[jpb06]

Checklist

• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Hello!

Thank you for maintaining this lib! My team is using it since a while and it works just great.

We recently had a need for a custom signup flow, and we struggled to do what we wanted, ie:

• Create an auth0 user from an email/password.
• Perform a login on behalf of the user server-side (we don't want to prompt him for consent nor make him enter a second time his credentials).
• Redirect him to a nextjs page that requires a session per nextjs-auth0.

Auth0 support advised us to use auth0 node library to create the user and then call /oauth/token to retrieve an id_token and an access_token. After some back and forth with support, we were finally able to implement something that works.

You can find a POC here:
https://github.com/jpb06/auth0-silent-login

Now, the issue is we had to extract logic from nextjs-auth0 (the content of this folder, basically) to perform the following tasks:

• Shape/populate the session cookie payload
• Encrypt that payload
• Set the session cookie

From what I could gather, these responsibilities are spread out in internal code that is not exposed by the lib (StatelessSession class, TransientStore class, to name a few).

Redefining that logic in our own codebases is sub-optimal, as creating a session falls within the responsibilities of nextjs-auth0 in our opinion. If implementation details change on this lib, we would be exposed to regressions.

Describe the ideal solution

• Would that make sense to have this lib expose helpers to create a session manually?
• Is there something auth0 support and our team missed to answer this workflow?

Thank you for your time 🙇🏻

Alternatives and current workarounds

Partially related: #1207

Additional context

No response

[andresmarpz]

Related to #1751, which basically implies the need for an easier silent login workflow, which is highly necessary! Open to help if needed but big 👍🏼 to this issue.

[richardmon]

This appears to be a reasonable request. Requiring a newly created user to log in is detrimental to user experience. Hope this gets solved 👍 .

[donovan-fintool]

We also have a use case where we want to programmatically trigger a passwordless signup with /passwordless/start, verify with /oauth/token, then signup the user without going through universal login.

But I cannot find an easy way to manually set the session using the response from /oauth/token.

[vickywane]

Tad disappointing that this hasn't gotten any response.

The thing to this is updateSession() but it requires the user to be authenticated before modifying the session.

[rodsotdia]

@donovan-fintool Did you find a solution? I have a similar case than yours, I can have the response from oauth/token but don't know how to set the session

[donovan-fintool]

@donovan-fintool Did you find a solution? I have a similar case than yours, I can have the response from oauth/token but don't know how to set the session

Unfortunately no, we're probably migrating to another auth solution, as our developer experience with Auth0 has been disappointing.

[andresmarpz]

@guabu please consider this for v4, it's a highly necessary feature to have. Any kind of helper that makes our job easier regarding silent login will be highly appreciated.

[jpb06]

I migrated the repro/poc to next@15 / @auth0/nextjs-auth0@4 if that can help someone 🙇🏻

jpb06/auth0-silent-login#3

[frederikprijck]

Apologies for not getting back to this earlier.

we don't want to prompt him for consent

To avoid consent, you can configure your application as a first-party application, see: https://auth0.com/docs/get-started/applications/confidential-and-public-applications/first-party-and-third-party-applications.

nor make him enter a second time his credentials)

If you go to your application, click login / signup, then you signup, you are also logged in and are redirected back to your application without having to insert your password twice.

Additionally, we believe the user should own their password and we should not be logging in on behalf of the user by the means of using their password in your own system. If you want this, I would recommend looking into Client Initiated Backchannel Authentication. Additionally, our SDK is built to use the Authorization Code Grant, which requires the user to be redirected.

Long story short, to create a User we should either be:

• Have the user register themselves on auth0's signup page, which sets the session
• Understand that, in order to login, we need to have a session in Auth0 which does not exist if you create users in your own backend and call Auth0. Therefore it's expected that the user needs to provide their credentials when logging in to ensure we have a session with Auth0.

Closing, because I do think the solution is better found using alternatives to better guaranteed a secure system.