
User account creation with temporary password in email. #141

Closed
dealproc opened this Issue Nov 2, 2013 · 19 comments


dealproc commented Nov 2, 2013

Feature Request: Would be nice to issue the email with a temporary password that we can force the user to change at their first login.

Owner

brockallen commented Nov 2, 2013

Emailing the user a password is a bad idea -- they'll use their email as password storage and will never be forced to change it. I don't plan on implementing this -- sorry.

dealproc commented Nov 2, 2013

What about if we did similar to what you have for changing email... email them a link that they are "invited" to the membership pool, and they finish the work there? My point being, I have no way of creating a user in the system without providing a password to the membership product, and it's going to be difficult for a support tech to create an account for someone as part of a billing account setup. Just thinking through the scenarios we are facing.

Owner

brockallen commented Nov 2, 2013

Yea, this is already a TODO. See this one: #130

Basically MR does need to support some way of supporting admin created accounts.

dealproc commented Nov 2, 2013

Different use case.. this is I want to create the placeholder for a new user, as a tech on the product, and set up the account's permissions before the user finishes their account creation, etc. There's more biz logic against it, but those bits are outside the scope of MR.

Probably tomorrow's task to pull latest from /master on your stuff to my own copy of the repo and try to script in what I need to support the second bit, hopefully to fulfill #130 for you.

Owner

brockallen commented Nov 3, 2013

So perhaps you could use the existing password reset APIs with a custom event handler to send a specially worded email that allows them to get sent to what would normally be the password reset screen, but in your system it appears as a "complete your account creation" screen where they enter a password. IOW, I think this flow can be accommodated with the current extensibility points without adding additional complexity to the system. Give it a try and let me know if this approach works.

dealproc commented Nov 4, 2013

Yea.. that's this week's task. Thought I'd be hammering that out yesterday, but alas, I was fried and couldn't bring myself to sit in front of the computer for any length of time. Should be the last piece of this puzzle.

dealproc commented Nov 5, 2013

After thinking about this... you're right. This doesn't get done until the user finishes their profile. Can and should be done outside the scope of MR until they come in to finalize the profile.

@dealproc dealproc closed this Nov 5, 2013

Owner

brockallen commented Nov 27, 2013

BTW, I spent some more time thinking about this, and an admin-created account without a password of any sort is not a good idea. It's possible that the admin enters the wrong email, and an email verification token by itself is dangerous to verify the account. You need the email verification token and some sort of password (even if it's the user's last name, their last 4 of social, whatever). This prevents admins from making mistakes.

I had this on my internal TODO for a while, but having said all of this, I decided I won't be trying to support this scenario given that I think it's a bad security practice.

Yea... after thinking it through, and having a few discussions with a few other people, I've changed my thought on it. No worries.

I think a good example of this working is www.basecamp.com. Their onboarding process for a project allows you to type emails to invite and then it automatically sends an invite to those emails, inviting them to set their first name, last name, and password. We have a similar top-down, B2B use case, where user-driven registration really doesn't make much sense because it's usually a company administrator setting their projects up.

Looks like this was added to master. Thanks Brock, works great.

Owner

brockallen commented Dec 13, 2013

Yes, I've been trying to support that scenario. What exactly were you looking for? I still think it makes sense for an admin-created account to set some sort of initial password. This prevents mistakes (email typo, for example).

In our case it's almost always company domain emails, so while typos happen, the typical typo would result in someone at the client company getting an unexpected email. There is a risk there, I agree with you, but it's pretty small. The cost of having a default password provided by the admin is they just paid for a license and now have to go and hunt that information down from all their coworkers. Not a very friendly on-boarding process. Last name is about the best candidate I can think of and even that has problems (typos of that value).

Owner

brockallen commented Dec 13, 2013

Yea... but in this scenario last name is safe-ish since it's a corp environment. Also, you can use the "must change password" flag that's now in the DB.

So, just so I'm clear -- you're happy? Or is there still a missing feature?

I'm happy, thanks.

Hello @brockallen and everyone else,

I know this issue was opened quite a while ago, but currently I am facing a similar scenario to the one @keithharvey talked about in his comment (the basecamp.com example). Basically, I need to implement an invitation-based onboarding process (closed registration) through which users will only be allowed to sign up with an invitation. Obviously, this is something quite usual in many applications, mainly in their first market stage, as a mechanism to grow their user base in a controlled way.

I've been working with MR for quite a while (together with Thinktecture Identity Server 3) and read its related documentation, but I have not been able to find a way to support this use case, although @keithharvey in his comment mentions it is really supported.

Any explanation or hints about how to implement this behavior if actually possible would be really appreciated.

Thank you all in advance and best regards.

Owner

brockallen commented Jan 23, 2016

Something like an invitation code you might need to build yourself. Then once the user has arrived via the code you can walk them thru the account creation process, and since you're confident that they are in control of the email that you sent the code to, I'd say you can mark the email as verified.
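A sketch of the invitation-code flow Brock describes above, combined with his earlier point that an emailed token alone should not verify an admin-created account. This is an added example in Python, not MembershipReboot code; the service, the stored last-name check and the 72-hour expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Invitation:
    email: str
    last_name_hash: str      # the "something the user knows" beyond the emailed token
    expires_at: float
    redeemed: bool = False


class InvitationService:
    """Invitation-only onboarding for admin-created accounts (constructed example)."""

    def __init__(self, clock=time.time, ttl_seconds=72 * 3600):
        self._clock = clock
        self._ttl = ttl_seconds
        self._invites = {}   # sha256(token) -> Invitation; the raw token is never stored
        self.accounts = {}   # email -> account record created on redemption

    def invite(self, email: str, last_name: str) -> str:
        token = secrets.token_urlsafe(32)            # high-entropy, unguessable
        self._invites[_sha256(token)] = Invitation(
            email=email.strip().lower(),
            last_name_hash=_sha256(last_name.strip().lower()),
            expires_at=self._clock() + self._ttl)
        return token   # goes into the invitation email only

    def redeem(self, token: str, last_name: str, new_password: str) -> bool:
        inv = self._invites.get(_sha256(token))
        if inv is None or inv.redeemed or self._clock() > inv.expires_at:
            return False
        # The token by itself is not enough: if the admin mistyped the address,
        # the wrong recipient must not be able to claim the account.
        if not hmac.compare_digest(inv.last_name_hash, _sha256(last_name.strip().lower())):
            return False
        inv.redeemed = True                          # single use
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        # Arrival via the code proves control of the mailbox, so mark it verified.
        self.accounts[inv.email] = {"salt": salt, "pw": pw_hash, "email_verified": True}
        return True
```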

Ok, that's what I wanted to know. Thanks a lot for your help.


Hi @robertorodes,
could you provide a bit of code or steps to be done to implement the invitation process?
Or didn't you implement it?

Thank you very much!!
