Feature: Restrict user registration to a specific group/other criteria

[blanchonvincent]

We would like to restrict the registration to an app to a list of users
So far, the only parameter I could see is the group.
We have segmented our users to different groups, and we would like to allow app registrations to a specific group.

Describe the solution you'd like
we would like to have a parameters (group or another one?) to say something like « User 1 can subscribe to the app A only if he belongs to a specific list, User 2 can only subscribe to app B and c, etc »

Describe alternatives you've considered
right now we do this check from our code but it could be better to have this constraint in the product itself.

Does it make sense for you?

[robotdan]

In the upcoming release for additional login providers (such as OpenID Connect, Facebook, Google and Twitter) we will have an option to allow registration using one of these providers.

This means that if you enable Google login for example, you will have the option of allowing automatic registration of a user for a particular application. So a user comes to your application and chooses to login via Google, a successful login would cause FusionAuth to create the user and register the user for the Application automatically.

In general we think people will want this enabled by default, but you will have the option to turn this off by application and by identity provider. In this configuration you would have to manually register the user for an application before they would be allowed to log in using an external provider.

We have also discussed allowing this type of behavior for native FusionAuth login. We would think of this as anonymous registration. This way you could build a single page web application with login and registration without requiring an API key to call FusionAuth.

Would either of these ideas work for you? In the scenario you describe where a user that is on a list or a member of a group for example is then allowed to register (subscribe) to an application, would you still be using an API key - but you want the list of users enforced in FusionAuth? Or are you thinking that if the criteria is met for a user to register (subscribe) this can be done without an API key or other form of API authentication. In this second case, the criteria simply removes the requirement to authenticate the API request.

[robotdan]

In version 1.30.0, you can restrict registration by email domain, or more specifically, you can restrict one or more email domains.

If there is a use case that the new domain blocking feature in version 1.30.0 will not cover, please re-open with a description of the use case.

Thanks!

[feraudet]

How to restrict registration by email domain ? I seen "Blocked domains" in the Tenant Security settings but I would like to deny all domains except some client domains

[mooreds]

@feraudet the feature Daniel mentions is documented here: https://fusionauth.io/docs/v1/tech/advanced-threat-detection/#registration-domain-blocking

1. It only blocks specific domains so you can't block 'all domains except '
2. It requires an enterprise license

You might want to consider a registration transactional webhook which could examine the domain provided by a user and fail if it didn't match a list.