So I'm wondering if any of these would be useful; to anyone else...
user) to create the object first.
return success;which won't work properly if we want to add custom extra auth checking in the method. currently we'd have to throw an exception in the post auth observer to stop the authentication, which seems like a hack to me.