
Active Directory group membership rule: loop after unauthorized access

sso
google-apps
active-directory-mem

#1

I’m an absolute beginner, trying to find out whether there is a simple solution.
This is my scenario:

  • school website with wordpress, with a restricted area for teachers only

  • teachers and students using GApps for Education

  • installed Auth0 plugin on wordpress website for authentication

  • set SSO and Single Log Out, Autoprovisioning in Auth0 settings, all working fine

  • set email domain whitelist rule to restrict access to my GApps domain users; used the default rule, it works fine

  • set Active Directory group membership rule, to only authenticate GApps users belonging to Teachers group (and therefore set on wordpress the permissions for the restricted area); it works fine; here’s the rule

    function (user, context, callback) {
      // group that is allowed to log in (teachers)
      var groupAllowed = 'Docenti';
      // guard: a user without a groups claim is treated as not a member
      var groups = user.groups || [];
      var userHasAccess = groups.some(function (group) {
        return groupAllowed === group;
      });

      if (!userHasAccess) {
        return callback(new UnauthorizedError('Accesso non consentito'));
      }

      callback(null, user, context);
    }

now:

  • when a teacher logs in, it’s all OK
  • when a non-teacher user (but belonging to the whitelisted domain) tries to log in, the standard rule returns the authentication error as shown in the picture
    ![alt text][1]
    but clicking the Login (back) link starts a loop:
    the authentication process actually succeeds (in another tab of the browser the user is logged in on Google), and the user can’t try to log in with different credentials on my website unless they log out manually from Google in another tab

is there a simple way to change my rule, so that in case of unauthorized user:

  • the login process won’t succeed, or
  • he’s redirected to a simple logout screen, or
  • he can try with different credentials

I really am a newbie; I tried to read the documentation but didn’t find anything useful and simple.
Thanks
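Added example (not the poster’s rule and not Auth0’s own code): a simulation of the group-membership rule described above, run against constructed user objects, plus a helper that builds the Auth0 `/v2/logout` URL with the `federated` flag. The rule signature `(user, context, callback)` and `UnauthorizedError` are taken from the post; the rule simulation, the Google-session ending step, the tenant domain, the `returnTo` value and the client ID are assumptions, and whether the application can send a rejected user to that URL depends on the WordPress plugin in use.

```javascript
// Added example: simulates an Auth0 rule that restricts login to members of
// an allowed group and checks its behaviour with constructed users.
// Assumed: rule signature (user, context, callback) and UnauthorizedError,
// as in the original post; everything else here is illustrative.

class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// Teachers group, as in the original rule; a list allows more than one group.
const ALLOWED_GROUPS = ['Docenti'];

function groupMembershipRule(user, context, callback) {
  // A user object with no groups claim is treated as "not a member" instead
  // of letting .some() throw: a thrown rule error also fails the login, but
  // with a generic message that is harder to diagnose.
  const groups = Array.isArray(user.groups) ? user.groups : [];
  const userHasAccess = groups.some((g) => ALLOWED_GROUPS.includes(g));
  if (!userHasAccess) {
    return callback(new UnauthorizedError('Accesso non consentito'));
  }
  return callback(null, user, context);
}

// Builds the Auth0 logout URL with federated logout, so that an application
// that receives the UnauthorizedError can also end the upstream Google session
// and the user can retry with other credentials. tenantDomain, returnTo and
// clientId are placeholders supplied by the caller (assumption).
function federatedLogoutUrl(tenantDomain, returnTo, clientId) {
  const params = new URLSearchParams({ returnTo, client_id: clientId });
  return `https://${tenantDomain}/v2/logout?federated&${params.toString()}`;
}

// Runs the rule with a minimal context and returns a summary of the outcome.
function runRule(user) {
  let result;
  groupMembershipRule(user, { clientID: 'example-client' }, (err, u) => {
    result = err
      ? { allowed: false, error: err.name, message: err.message }
      : { allowed: true, user: u.email };
  });
  return result;
}

// Constructed sample users (not real data).
const teacher = { email: 'teacher@example-school.edu', groups: ['Docenti', 'Staff'] };
const student = { email: 'student@example-school.edu', groups: ['Studenti'] };
const noGroups = { email: 'unknown@example-school.edu' };

console.log(runRule(teacher));   // allowed: true
console.log(runRule(student));   // allowed: false, UnauthorizedError
console.log(runRule(noGroups));  // allowed: false, no groups claim
console.log(federatedLogoutUrl('example.auth0.com', 'https://school.example/', 'abc'));
```

The rule part keeps the original behaviour for teachers and non-teachers and only adds the missing-groups guard; the logout URL is the piece the application, not the rule, would use after a rejected login.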


#2