Actions Pipeline didn't pause when redirecting user to custom T&C agreement page

Hi there, I’m trying to migrate the rules script to actions. In the login flow, I need to redirect the user to a separate T&C agreement page, and only users that click the agree button are allowed to continue the rest of the login flow.

If the user clicks the decline button, we need to reject that login.

Below is the action script I used:

exports.onExecutePostLogin = async (event, api) => {
  const hasAcceptedAnyTerms = event.user.user_metadata.agree;
  if (!hasAcceptedAnyTerms) {
    api.redirect.sendUserTo(`url placeholder`);
  }
};

It does redirect the user to that page, but even if the user clicks the reject button, it allows the user to log in:

UI

import { useAuth0 } from '@auth0/auth0-react';

  const { isLoading, isAuthenticated, error, user, logout, getAccessTokenSilently } =
    useAuth0();

I checked, and isAuthenticated goes from false to true immediately after the action redirect.

Several actions after that action were also executed, which means the actions pipeline did not pause when the redirect happened. That does not follow what the docs say:
“Unlike Redirect Rules, Redirect Actions will suspend the Actions pipeline when a redirect is issued and will resume in the same Action that issued the redirect when the authentication flow is continued.”

I'm not sure what the reason is, but I can find the action details in the monitoring logs:

  "response": {
    "logs": "Redirecting is not possible in a 'oidc-basic-profile' flow or when prompt=none. Skipping redirect.\n",
  },

It was working before when using rules to do the redirect. Does anyone know what the issue is? Thanks.

Hey there @cmail! Welcome, and sorry for the relatively long time to reply!
Let me please bring a slightly different perspective here:

The action pipeline did resume in the same Action that issued the redirect after the action had been completed. For Auth0, this action was concluded as completed: the user was redirected to your T&C agreement page and checked “decline” there. But as there is no logic that tells Auth0 to deny access for the user if (!hasAcceptedAnyTerms), the next actions within the pipeline run.

Solution proposition:

Following this article, to properly complete the access decision flow, can you please add logic that handles the case when the user rejects your T&C agreement?

Roughly, it would just be about adding the lines below to your action in question:

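exports.onContinuePostLogin = async (event, api) => {
  // hasAcceptedAnyTerms from onExecutePostLogin is not in scope here, so read
  // it again the same way (assumes the T&C page's decision is in user_metadata.agree).
  const hasAcceptedAnyTerms = event.user.user_metadata.agree;
  if (!hasAcceptedAnyTerms) {
    return api.access.deny("Sorry, but you didn't accept the required terms!");
  }
};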

Is this helpful for you? Any questions? 🙂 And thanks for such a specific problem description.

PS: More about actions’ API object here.
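
Added example, not part of either post and not Auth0's own code: a post-login Action that pairs the deny-on-decline handler from the reply with a fail-closed branch for the case in the question's log line, where the redirect is skipped. `TERMS_URL`, the helper names and the protocol list are assumptions, as is the T&C page recording acceptance in `user_metadata.agree` before the flow resumes.

```javascript
// Constructed placeholder: the thread does not give the real T&C page URL.
const TERMS_URL = "https://terms.example.com/agree";

// Assumed list of event.transaction.protocol values that have no browser to
// redirect (adjust for your tenant).
const NON_INTERACTIVE_PROTOCOLS = ["oauth2-resource-owner", "oauth2-refresh-token"];

// False when a redirect cannot be shown: prompt=none (silent authentication,
// named in the quoted log line) or a non-interactive protocol.
function canShowTerms(event) {
  const tx = event.transaction || {};
  const prompt = [].concat(tx.prompt || []); // accept a string or an array
  return !prompt.includes("none") && !NON_INTERACTIVE_PROTOCOLS.includes(tx.protocol);
}

// "continue" | "redirect" | "deny" for the current transaction.
function decide(event) {
  const accepted = Boolean((event.user.user_metadata || {}).agree);
  if (accepted) return "continue";
  return canShowTerms(event) ? "redirect" : "deny"; // fail closed
}

async function onExecutePostLogin(event, api) {
  const decision = decide(event);
  if (decision === "redirect") api.redirect.sendUserTo(TERMS_URL);
  if (decision === "deny") api.access.deny("Terms must be accepted in an interactive login.");
}

// Runs when the T&C page sends the user back to resume the flow. Assumes that
// page has already recorded acceptance in user_metadata.agree.
async function onContinuePostLogin(event, api) {
  if (decide(event) !== "continue") api.access.deny("Terms and conditions were not accepted.");
}

// Actions are CommonJS modules; the guard keeps the file loadable elsewhere.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
  exports.onContinuePostLogin = onContinuePostLogin;
}
```

Denying when the terms page cannot be shown is a policy choice: a silent or non-interactive request from a user who has not accepted fails, and the application has to start an interactive login instead.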
