Tags: oauth-2.0, authorization, single-sign-on, openid-connect, openid

How to properly implement user registration and invitation system with OAuth 2.0 + OpenId Connect


I have my own authorization server that implements the OpenID Connect protocol. I also have multiple clients (a mobile app, a single-page app, a server-side app) that authorize using the auth server and use the same resource server (API).

Currently, the only way to create new users in my client applications is to send an API request to the resource server, authorized using user credentials. I want to add the ability for new users to self-register in both the web apps and the mobile app.

But in the web app, users should be able to register only if they have been invited by an existing user. On the other hand, mobile users can register both from scratch and after having been invited by another user.

Also, in the future, I want to connect my apps with third-party single sign-on services like Google, Twitter, etc.

About the invitation system: what I've considered a universal approach here is to add an endpoint in the API that allows authorized users to create registration codes with some permissions attached. These codes are then used by new users to register on either the web or mobile apps. I'm not an OpenID Connect or OAuth 2.0 specialist, but I've read many resources and haven't found best practices on what a good solution to this problem is.

Are there common and good approaches to solve this problem? Are the ideas provided considered an appropriate solution? If yes, how do I figure out the part about linking users to the appropriate client application's registration form?

My ideas are the following: create an API endpoint that allows authorized clients to create new users, as well as endpoints that let authorized users create invitation codes. On the auth server page, set a register link that leads to the respective application's register page (which technically I have no idea how to implement, considering all the clients use the same server).
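The invitation-code design sketched in the question, as an added example that is not code from the original post. It assumes a hypothetical in-memory store and placeholder client_ids and registration URLs; the point it shows is how an invite can be bound to the client it was issued for (so the auth server can build the link to the right application's register form), how the inviter's own permissions cap what the code may grant, and how codes are stored hashed, single-use and expiring, with per-client policy for whether uninvited self-registration is allowed.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlencode

# Constructed registry of the asker's clients: the registration page for each
# client_id, and whether that client allows registering without an invite.
# (client_ids and URLs are placeholders, not from the original post.)
CLIENTS = {
    "spa-client":    {"register_url": "https://app.example.com/register", "open_registration": False},
    "mobile-client": {"register_url": "myapp://register",                 "open_registration": True},
}
INVITE_TTL_SECONDS = 7 * 24 * 3600
DEFAULT_PERMISSIONS = frozenset({"read"})      # granted to uninvited mobile sign-ups


class InvitationError(Exception):
    """Raised for any redemption failure. The API should return one generic
    message so a caller cannot tell 'unknown code' from 'used' or 'expired'."""


@dataclass
class Invitation:
    code_hash: str              # SHA-256 of the code; the plaintext is never stored
    inviter: str
    client_id: str              # client this invite was issued for
    permissions: FrozenSet[str]
    expires_at: float
    used: bool = False


@dataclass
class User:
    username: str
    permissions: FrozenSet[str]
    invited_by: Optional[str]


class InvitationService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                           # injectable for expiry tests
        self._invites: Dict[str, Invitation] = {}     # in-memory stand-in for a DB table
        self._users: Dict[str, User] = {}

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode("ascii")).hexdigest()

    def issue(self, inviter: str, inviter_permissions: FrozenSet[str],
              client_id: str, permissions: FrozenSet[str]) -> Tuple[str, str]:
        """Called by an authenticated user. Returns (code, registration_link)."""
        if client_id not in CLIENTS:
            raise ValueError("unknown client_id")
        # An inviter may only delegate permissions they hold themselves.
        if not frozenset(permissions) <= frozenset(inviter_permissions):
            raise PermissionError("inviter cannot grant permissions it does not hold")
        code = secrets.token_urlsafe(32)              # 256 bits of CSPRNG output
        code_hash = self._hash(code)
        self._invites[code_hash] = Invitation(
            code_hash=code_hash, inviter=inviter, client_id=client_id,
            permissions=frozenset(permissions),
            expires_at=self._clock() + INVITE_TTL_SECONDS)
        # The link points at the issuing client's own register page; this is how
        # one auth server can route an invitee to the right application's form.
        link = CLIENTS[client_id]["register_url"] + "?" + urlencode({"invite": code})
        return code, link

    def redeem(self, code: str, username: str, client_id: str) -> User:
        """Called from a client's registration form with the invite code."""
        inv = self._invites.get(self._hash(code))
        if inv is None or inv.used or self._clock() > inv.expires_at:
            raise InvitationError("invalid, used or expired invitation")
        if inv.client_id != client_id:
            raise InvitationError("invitation was issued for a different client")
        if username in self._users:
            raise InvitationError("username already taken")
        inv.used = True                               # single use: replay is rejected
        user = User(username, inv.permissions, inv.inviter)
        self._users[username] = user
        return user

    def register_without_invite(self, username: str, client_id: str) -> User:
        """Self-registration from scratch, allowed only for clients configured for it."""
        if not CLIENTS.get(client_id, {}).get("open_registration"):
            raise InvitationError("this client requires an invitation")
        if username in self._users:
            raise InvitationError("username already taken")
        user = User(username, DEFAULT_PERMISSIONS, None)
        self._users[username] = user
        return user
```

The redeem call is what the "create new users" API endpoint would perform after validating the client's own credentials; the inviter's permissions are passed in explicitly here because, in the asker's setup, they would come from the access token of the user hitting the invite endpoint.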


Solution

  • OpenID Connect allows triggering a registration flow; see: https://openid.net/specs/openid-connect-prompt-create-1_0.html

    The invitation is not covered by OIDC/OAuth as far as I know. I'm currently looking into a similar requirement.

    Also, it seems like the SCIM protocol does not cover invitations either.

    I guess the closest you can get with standard protocols is to create a user (e.g. via SCIM), set a secret default password and send a password change email.
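The registration trigger the answer points to, as an added example that is not the answerer's code: a client builds an Authorization Code + PKCE request carrying prompt=create (OpenID Connect Prompt Create 1.0), after checking that the OP advertises it in prompt_values_supported, and verifies state on the callback before exchanging the code. The issuer, endpoints and client_id are assumed placeholders. How an invitation would travel alongside this request is, as the answer says, not covered by the standards, so the example does not attempt it.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed fragment of an OP discovery document (placeholder issuer).
# Prompt Create 1.0 lets an OP advertise support via prompt_values_supported.
DISCOVERY = {
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/authorize",
    "prompt_values_supported": ["none", "login", "consent", "create"],
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE and for state/nonce values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def op_supports_create(discovery: dict) -> bool:
    """prompt_values_supported is OPTIONAL; an OP that omits it may simply ignore
    prompt=create, so treat absence as unsupported."""
    return "create" in discovery.get("prompt_values_supported", [])


@dataclass
class PendingAuth:
    url: str             # where to send the user's browser
    state: str           # must come back unchanged on the redirect
    nonce: str           # must appear in the ID token
    code_verifier: str   # sent to the token endpoint with the code


def build_create_request(discovery: dict, client_id: str, redirect_uri: str,
                         scope: str = "openid profile email") -> PendingAuth:
    """Authorization request asking the OP to show its registration UI."""
    if not op_supports_create(discovery):
        raise ValueError("OP does not advertise prompt=create")
    code_verifier = b64url(secrets.token_bytes(32))           # 43 chars, RFC 7636 range
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    state = b64url(secrets.token_bytes(16))                  # CSRF binding for the callback
    nonce = b64url(secrets.token_bytes(16))                  # replay binding for the ID token
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "prompt": "create",       # OpenID Connect Prompt Create 1.0
    }
    url = discovery["authorization_endpoint"] + "?" + urlencode(params)
    return PendingAuth(url, state, nonce, code_verifier)


def code_from_callback(redirect_url: str, pending: PendingAuth) -> str:
    """Check the OP's redirect before exchanging the code; the exchange itself
    would POST the code and pending.code_verifier to the token endpoint."""
    q = parse_qs(urlparse(redirect_url).query)
    if "error" in q:
        raise ValueError("authorization error: " + q["error"][0])
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state, pending.state):
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```

The PendingAuth record has to be kept server-side (or in the client's session) between the redirect out and the callback; the code_verifier in particular must never appear in the authorization URL, only in the later token request.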