Trying to implement something I thought would be very simple but am starting to believe is not.
Have read numerous discussions on how Auth0 does not provide Password Expiration out of the box. While that seems very strange, there were numerous examples of “Rules” being used to enforce this.
However, all of these examples are legacy “Rules”, not “Actions”, and also seem to continue the login process regardless of my actions.
I have created an Action replicating the given rule, but the error is being pushed to my own application with the configured message:
api.access.deny("Your password has expired. Please reset your password.");
Is there not some simple way to, based on the Post-Login Action, deny the login and present the user with a message on the Universal Login page?
I feel like this should be trivially simple; given the conditions I check in post-login, the login is reversed/denied, and the user is redirected back to the login screen with an error message prompt indicating they need to reset their password via the mechanism on the Universal Login page. I don’t see why a series of redirects back and forth with the application behind the Auth0 login is needed for something like this?
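A Post-Login Action of the kind the post describes, written out as an added example (it is not the poster's code or Auth0's own). The 90-day limit and the helper names `passwordAgeDays` and `enforcePasswordAge` are assumptions; the deny message is the one quoted in the post.

```javascript
// Added example, not the poster's Action. Policy value below is assumed.
const MAX_PASSWORD_AGE_DAYS = 90;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Hypothetical helper: whole days since the password was last set,
// or null when neither timestamp parses.
function passwordAgeDays(user, now) {
  // last_password_reset is absent until the first change, so fall back
  // to the account creation time.
  const changedAt = Date.parse(user.last_password_reset || user.created_at);
  return Number.isNaN(changedAt) ? null : Math.floor((now - changedAt) / MS_PER_DAY);
}

// Hypothetical helper holding the decision so it can be unit-tested
// with a stub api object. Returns true when access was denied.
function enforcePasswordAge(event, api, now = Date.now()) {
  // Social and enterprise logins have no Auth0-managed password to expire.
  if (event.connection.strategy !== 'auth0') return false;
  const age = passwordAgeDays(event.user, now);
  // Fail closed: an undeterminable age is treated as expired.
  if (age === null || age > MAX_PASSWORD_AGE_DAYS) {
    api.access.deny('Your password has expired. Please reset your password.');
    return true;
  }
  return false;
}

// Entry point the Actions runtime calls after authentication.
async function onExecutePostLogin(event, api) {
  enforcePasswordAge(event, api);
}
// Guard only so the file also loads outside the Actions runtime.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```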