"Access Deny" from Action Shows No Error

konrad.sopala · September 27, 2023, 11:37am

Problem statement

A Passwordless connection has been configured in a tenant. Registration of new users is regulated through a Pre-User-Registration Action that conditionally denies access with the blocking condition:

api.access.deny("ERROR FOR LOGS", "ERROR FOR USER")

When the ‘deny access’ condition is triggered, the New Universal Login widget does not show the “ERROR FOR USER” message.

Symptoms

When using the New Universal Login, a Passwordless connection and a Pre-User-Registration Action that conditionally denies access with:

api.access.deny("ERROR FOR LOGS", "ERROR FOR USER")

A user attempts to register for the service. However, the user does not meet the criteria by which registration is accepted, with the result that the user is denied access. It may be reasonably expected that the blocked user will be shown an error message but none is displayed.

Steps to Reproduce

Steps that can be taken to recreate the problem.

Enable Passwordless connection for an application.
Add a pre-user-registration action with api.access.deny(“internal error”, “error for user”) for the passwordless connection.
Login with the passwordless connection.

Cause

In the Passwordless flow, the api.access.deny is encountered by the server when the postUsers call happens during the initialization of the Passwordless prompt (which prompts for the OTP code).

During a Registration (or Login) flow, any error condition that would deny access to the user will fail silently. No message will be displayed to the blocked user. This is by design, to avoid user-enumeration attempts, in which an attacker repeatedly attempts to gain access to an application. For further information, refer to OWASP Authentication Cheat Sheet

If a user is not permitted to Sign Up for any reason, the tenant logs are updated with details of the blocked attempt.

Login to the Auth0 dashboard.
Navigate Monitoring > Logs.
Search for Failed Signup (fs) events.

Solution

Auth0 does not currently provide an option to display a message to a blocked user. Customers who require this capability are encouraged to submit a feature request via our Customer Feedback form. This will help our Product team to prioritize features for future release of Auth0.

Related References

Topic		Replies	Views
Actions access.deny message not showing in new universal login Get Help login-experience , new-universal-login-experience	4	1388	August 31, 2023
Passwordless does not display errors in New Universal Login Get Help extensibility , login-experience , actions-extensibility	0	861	June 30, 2023
Auth0 Action api.access.deny is not displaying the provided error message to the user Get Help auth0 , login	4	4071	December 20, 2022
Api.access.deny error display in New Universal Login widget Product Feedback	3	772	February 22, 2024
Password Validation Message Shows on event.api.deny Get Help validation , pre-user-registratio , user_registration	2	3312	April 7, 2022