
Any ‘good way’ to fail a login and keep user on the hosted login page?



I am trying to implement this feature without requiring our clients to do any work:

“When a user attempts to log in (and provides valid credentials) but they have not yet verified their email, keep them on the Hosted Login Page (HLP) and present them with a validation message informing them that their email is not yet verified.”

It seems to me, however, after researching this doco, that this is not possible without significant (and likely very fragile) work:

The problems are essentially:

  1. what I really want to do is fail the login (easy - raise an UnauthorizedError in a rule), but not return an error back to the client (hard)

  2. in order to not take the user back to the client, I am trying to use a redirect in a rule (using the doco above), but it is clearly geared towards completing a successful authentication, not re-trying a non-successful login

So without going into more detail about how it is possible but very hard & fragile to accomplish the above, is this scenario possible using an approach that does not involve issuing a redirect within a rule, and does not provide a (HTTP) response back to the client, so that the user stays on the HLP?


At this time, I’m not aware of any mechanism to achieve what you describe that would not try to resort to a redirect rule. In summary, a failed authentication transaction due to a raised error in a custom rule will trigger the response to the client application and this behavior is not configurable.


Thanks for the reply. We have essentially (so far) 2 scenarios where keeping the user on the HLP is what we would do if we were ‘building it all ourselves’. Here are these scenarios:

  1. User attempts to log in (using valid credentials) before having verified their email
  2. User attempts to log in using a social provider account that does not have an email (e.g. FB)

IOW, we would greatly prefer a built-in, simple mechanism for keeping the user on the HLP if/when we fail the login. Otherwise all N of our clients must implement “when I get this or that error, I take the user (back) to the HLP”.
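
The pattern the thread ends up with, as an added example that is not code from any of the posters or from Auth0: a rule that fails the login for the two scenarios above, and the check each client would run at its redirect URI. The error codes, function names and URLs are hypothetical, `UnauthorizedError` is stubbed so the block runs outside the rules runtime, and the failure is assumed to reach the client as `error` and `error_description` query parameters.

```javascript
// Stand-in for the UnauthorizedError global of the Auth0 rules runtime (stub for this example).
class UnauthorizedError extends Error {}

// Hypothetical machine-readable codes carried in the error message.
const EMAIL_NOT_VERIFIED = 'email_not_verified';
const EMAIL_MISSING = 'email_missing';

// Rule: fail the login when the profile has no email or the email is unverified.
function requireVerifiedEmail(user, context, callback) {
  if (!user.email) {
    return callback(new UnauthorizedError(EMAIL_MISSING));
  }
  if (!user.email_verified) {
    return callback(new UnauthorizedError(EMAIL_NOT_VERIFIED));
  }
  return callback(null, user, context);
}

// Client side: decide what to do with the response received at the redirect URI.
function classifyCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // Ignore responses that are not bound to the request this client started.
  if (params.get('state') !== expectedState) {
    return { action: 'reject', reason: 'state_mismatch' };
  }
  const error = params.get('error');
  if (!error) return { action: 'continue' };
  const code = params.get('error_description');
  // Only known codes select a message; the raw description is never shown to the user.
  const messages = {
    [EMAIL_NOT_VERIFIED]: 'Please verify your email address before logging in.',
    [EMAIL_MISSING]: 'This account does not provide an email address.',
  };
  if (error === 'unauthorized' && Object.prototype.hasOwnProperty.call(messages, code)) {
    return { action: 'back_to_login', message: messages[code] };
  }
  return { action: 'show_generic_error' };
}
```
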