I’m working on a Flow in our Auth0 tenants that has three Actions. The first action includes a conditional call to api.access.deny. I expect when this deny call is made for the Flow to exit, as per the Auth0 action docs here: Actions Triggers: post-login - API Object
When the deny is triggered (which I can verify is happening because of the error message we receive back from Auth0) it does not exit the Flow but instead carries on and executes the next two Actions. This causes a corrupted state in our full auth flow that the user cannot escape from.
I’d like answers to the following questions:
Is the documentation for api.access.deny correct; that is deny should exit the Flow at the end of that Action and not call subsequent Actions?
Is there anything that can negate or cancel the behaviour of calling deny in an Action?
How should I exit a Flow from an Action if this is actually incorrect documentation?
I understand that you have experienced issues with exiting the Post Login Action when using the api.access.deny() method.
First, to address your questions:
Yes, this is correct and the expected behavior.
No, the api.access.deny() method will exit the Action flow and show the error message to the user.
The api.access.deny() is the correct method to exit a flow from an Action.
After testing this myself, I could not reproduce the same observations as you. Instead, I was able to exit the Action flow successfully. I checked this using the Real-time Webtask Logs extension with two additional Action scripts to print a message before and after the Deny Action script to verify the behavior.
To add on, I have checked your Action scripts on your Tenant and can see the scripts you mentioned and see no visible issues with them. I would expect the Action to exit as usual when it reaches your conditional statements.
I hope this helps!
Please let me know how things go and if you have any further questions.