"Access Deny" from Action Shows No Error

Problem statement

A Passwordless connection has been configured in a tenant. Registration of new users is regulated through a Pre-User-Registration Action that conditionally denies access with the blocking condition:

api.access.deny("ERROR FOR LOGS", "ERROR FOR USER")

When the ‘deny access’ condition is triggered, the New Universal Login widget does not show the “ERROR FOR USER” message.

Symptoms

When using the New Universal Login, a Passwordless connection and a Pre-User-Registration Action that conditionally denies access with:

api.access.deny("ERROR FOR LOGS", "ERROR FOR USER")

A user attempts to register for the service but does not meet the criteria for accepting the registration, and is therefore denied access. One would reasonably expect the blocked user to be shown an error message, but none is displayed.

Steps to Reproduce

Steps that can be taken to recreate the problem.

  1. Enable a Passwordless connection for an application.
  2. Add a Pre-User-Registration Action with api.access.deny("internal error", "error for user") for the Passwordless connection.
  3. Log in with the Passwordless connection.
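As an added example (not code from the article or from Auth0), here is what such a conditional Pre-User-Registration Action looks like, together with a small stand-in for the Actions runtime's event and api objects so the handler can be exercised offline. The allowed-domain policy, the fake api object and the helper runRegistrationCheck are assumptions made for illustration; only api.access.deny(reason, userMessage) is the real Actions API named on the page.

```javascript
// Added example: a Pre-User-Registration Action that conditionally denies
// sign-up, plus an in-memory stand-in for the Auth0 runtime so it runs offline.
// ALLOWED_DOMAINS, makeFakeApi and runRegistrationCheck are assumptions for
// illustration, not part of the article or of Auth0's own code.

const ALLOWED_DOMAINS = ["example.com"]; // constructed allow-list policy

// In a deployed Action this handler is assigned as
//   exports.onExecutePreUserRegistration = async (event, api) => { ... }
// It is written as a plain synchronous function here so it can be run directly.
function onExecutePreUserRegistration(event, api) {
  const email = (event.user && event.user.email) || "";
  const domain = email.includes("@") ? email.split("@").pop().toLowerCase() : "";

  if (!ALLOWED_DOMAINS.includes(domain)) {
    // First argument is the reason recorded in the tenant log (visible as a
    // Failed Signup "fs" event); the second is the user-facing message, which
    // the Passwordless prompt in the New Universal Login does not display.
    api.access.deny(
      `registration blocked: domain "${domain || "(none)"}" not in allow-list`,
      "Registration is not available for this email address."
    );
  }
}

// Minimal stand-in for the Actions runtime `api` object: records deny() calls
// instead of stopping the flow.
function makeFakeApi() {
  const calls = [];
  return {
    calls,
    access: {
      deny(reason, userMessage) {
        calls.push({ reason, userMessage });
      },
    },
  };
}

// Runs the Action for one constructed registration event and reports whether
// it was denied and which reason would land in the tenant log.
function runRegistrationCheck(email) {
  const api = makeFakeApi();
  const event = { user: { email }, connection: { strategy: "email" } }; // constructed event
  onExecutePreUserRegistration(event, api);
  return {
    denied: api.calls.length > 0,
    logReason: api.calls.length ? api.calls[0].reason : null,
    userMessage: api.calls.length ? api.calls[0].userMessage : null,
  };
}

console.log(runRegistrationCheck("alice@example.com")); // allowed
console.log(runRegistrationCheck("bob@other.org"));     // denied, reason logged
```

Because the user-facing second argument is not shown in the Passwordless flow, the first argument is the only place to put the detail an operator needs; keep it specific enough that the Failed Signup log entry alone explains why the attempt was blocked.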

Cause

In the Passwordless flow, the api.access.deny call is evaluated by the server when the postUsers call happens during initialization of the Passwordless prompt (the prompt that asks for the OTP code).

During a Registration (or Login) flow, any error condition that denies access to the user fails silently: no message is displayed to the blocked user. This is by design, to avoid user-enumeration attempts, in which an attacker uses differing responses from repeated registration or login attempts to learn which identifiers are registered. For further information, refer to the OWASP Authentication Cheat Sheet.

If a user is not permitted to Sign Up for any reason, the tenant logs are updated with details of the blocked attempt.

  1. Log in to the Auth0 dashboard.
  2. Navigate to Monitoring > Logs.
  3. Search for Failed Signup (fs) events.

Solution

Auth0 does not currently provide an option to display a message to a blocked user. Customers who require this capability are encouraged to submit a feature request via our Customer Feedback form. This will help our Product team prioritize features for future releases of Auth0.
