Send email login to sign-up new users

[whaught]

TL;DR

New users should get an email to join, then create a password.

Design

Problems
At the moment users can create a new account without being invited. They exist for auth but have not Users entry (or access to any realm). At the moment this results in a redirect loop to the sign-in page (is cookie clearing working right?)
If the user both creates a login and was invited, everything works.

This maybe a potential abuse vector: folks can spam account creation without being invited
This is also a bad experience

Solutions

1. When an admin creates a new user, send the new user an email sign-in link.
2. Prompt the user to create a password for future sign-in
   2a) also register 2nd factor
3. Allow admins to re-send the email
4. Deprecate the (currently ad-hoc) email verification and new user auth creation flows

Alternatives
Pre-create the user with a phony password and call the password reset email flow?

[whaught]

/assign

[whaught]

/kind enhancement

[whaught]

/close

[google-oss-robot]

@whaught: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.