Api.access.deny causes redirect loop

Use Case
We have multiple applications, let's say public and private, and want users with the private role to be able to access the private application on login. All other users (without the private role) will be denied at login.

Current Solution
We created a login action to check if the user has the needed private role. The private application has a metadata key access_role with the value private. The action:

exports.onExecutePostLogin = async (event, api) => {
  // Role required by this application, taken from its client metadata (e.g. "private").
  const requiredRole = event.client.metadata.access_role;
  // event.authorization (and therefore .roles) is absent when the user has no roles,
  // so guard that access instead of calling .includes on undefined.
  const roles = event.authorization?.roles ?? [];
  // Applications without an access_role key stay open to everyone.
  if (requiredRole && !roles.includes(requiredRole)) {
    api.access.deny('Access denied.');
  }
};

Problem
With the action enabled, logging into the private application causes an endless redirect loop, like this:

  • /callback?error=access_denied&error_description=Access denied.&state=123
  • /
  • /callback?error=access_denied&error_description=Access denied.&state=123
  • /

How to prevent this loop of death?
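One way the trace above arises is on the application side: the callback route treats an OIDC error response like a missing session, bounces to /, and / starts a new login, which Auth0 answers with the same denial. The following is an added example, not code from the post, modelling a naive callback handler next to one that treats an error as a terminal outcome of the login attempt, plus a small simulation of the browser round trip. The route names /callback, / and /login are taken from the trace; the base URL, the state value and the session object are assumed.

```javascript
// Added example, not the original poster's application code.

// Parse the query string Auth0 appends to the redirect URI (base URL assumed).
function parseCallback(url) {
  const q = new URL(url, "https://app.example").searchParams;
  return {
    code: q.get("code"),
    state: q.get("state"),
    error: q.get("error"),
    errorDescription: q.get("error_description"),
  };
}

// Naive handler: anything without a code falls through to "/", and "/" sends
// visitors without a session to /login. Nothing ever stops the cycle.
function naiveCallback(url, session) {
  const cb = parseCallback(url);
  if (cb.code) {
    session.user = "exchanged:" + cb.code; // token exchange omitted
  }
  return { type: "redirect", to: "/" };
}

// Hardened handler: check state, then treat an error response as final and
// render it instead of redirecting, so no new /authorize request is started.
function hardenedCallback(url, session, expectedState) {
  const cb = parseCallback(url);
  if (cb.state !== expectedState) {
    return { type: "render", status: 400, body: "invalid state" };
  }
  if (cb.error) {
    delete session.user;
    // error_description is attacker-visible input; never interpolate it into HTML unescaped.
    return { type: "render", status: 403, body: `login failed: ${cb.error}` };
  }
  if (!cb.code) {
    return { type: "render", status: 400, body: "missing code" };
  }
  session.user = "exchanged:" + cb.code;
  return { type: "redirect", to: "/" };
}

// Simulate the round trip for a user the Post-Login action always denies:
// /login sends the browser to Auth0, whose still-valid session runs the action
// again and comes back with the same access_denied callback.
// Returns how many hops it took to stop, or Infinity when it loops.
function simulate(callbackHandler, maxHops = 10) {
  const session = {};
  const denied = "/callback?error=access_denied&error_description=Access%20denied.&state=123";
  let location = denied;
  for (let hops = 0; hops < maxHops; hops++) {
    if (location.startsWith("/callback")) {
      const r = callbackHandler(location, session, "123");
      if (r.type === "render") return { hops, status: r.status };
      location = r.to;
    } else if (location === "/") {
      if (session.user) return { hops, status: 200 };
      location = "/login";
    } else {
      location = denied; // Auth0 denies again
    }
  }
  return { hops: Infinity, status: null };
}
```

Run simulate(naiveCallback) and simulate(hardenedCallback) to see the difference: the naive handler never terminates, the hardened one stops at the first callback with a 403 page. Whatever the action does, the application should also verify state and treat error as terminal.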

Hi @mgls,

Welcome to the Auth0 Community!

I understand that you have encountered a redirect loop with your Post-Login Action.

The behavior you have observed happens because the user has not logged out and retains the session from the past, which is when they were denied access.

Hence, when the user tries to log in again, they're immediately sent to the error page. The same is true when a user successfully logs in. If they do not log out, they will continue to have access to the page.

In this situation, I recommend calling the /v2/logout endpoint. Please see our Logout documentation for more information.

Lastly, let me also add that I have checked your tenant settings and found that your Check Env Access Permission Post-Login Action calls the api.redirect.sendUserTo() method without resuming the authentication flow.

To resolve this, you must call the /continue endpoint to resume the authentication. Please check out our Redirect with Actions documentation which covers these steps in more detail.

Thanks,
Rueben

Thanks @rueben.tiow

Our solution: we don’t use api.access.deny() anymore but use api.redirect.sendUserTo('https://{auth0_tenant}.eu.auth0.com/v2/logout?returnTo=https%3A%2F%2Fexample.com').

With this, the not-allowed user is logged out immediately after login and redirected to the specified returnTo URL.

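Putting the two replies together, here is an added example (not the poster's action and not Auth0's own code) of a Post-Login action that sends a user lacking the required role to the /v2/logout endpoint with a properly encoded returnTo. Assumed and not from the post: an Action secret named AUTH0_DOMAIN holding the tenant domain, an optional application metadata key denied_return_to, and https://example.com/access-denied as the fallback landing page. The access_role metadata key is the one from the original post.

```javascript
// Added example, not the original poster's action.

// Returns the role the application requires when the user lacks it, otherwise null.
// Applications without an access_role key stay open to everyone.
function requiredRoleMissing(event) {
  const required = event.client?.metadata?.access_role;
  if (!required) return null;
  const roles = event.authorization?.roles ?? [];
  return roles.includes(required) ? null : required;
}

// Build https://<domain>/v2/logout?client_id=...&returnTo=...
// URLSearchParams percent-encodes returnTo. Auth0 only honours a returnTo that is
// listed in the application's Allowed Logout URLs (when client_id is sent) or the
// tenant's; anything else is rejected, so keep those lists tight.
function buildLogoutUrl(domain, clientId, returnTo) {
  const target = new URL(returnTo);
  if (target.protocol !== "https:") {
    throw new Error("returnTo must be an https URL");
  }
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("returnTo", target.toString());
  return url.toString();
}

// Decide where (if anywhere) to send the user; null means the login proceeds.
function denyRedirectUrl(event) {
  if (!requiredRoleMissing(event)) return null;
  // Assumed metadata key; falls back to an assumed error page.
  const returnTo =
    event.client?.metadata?.denied_return_to ?? "https://example.com/access-denied";
  return buildLogoutUrl(event.secrets.AUTH0_DOMAIN, event.client.client_id, returnTo);
}

async function onExecutePostLogin(event, api) {
  const url = denyRedirectUrl(event);
  if (!url) return;
  // Leaving the authorize transaction and clearing the Auth0 session in one hop:
  // the browser lands on returnTo and nothing ever calls /continue, which is the
  // intent here (deny), unlike a redirect that is meant to resume the login.
  api.redirect.sendUserTo(url);
}

// Entry point as the Auth0 Actions editor expects it.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

Two caveats a practitioner will want: returnTo must appear in the Allowed Logout URLs or the logout endpoint will refuse it, and a redirect is only possible when a browser is driving the flow. For non-interactive flows such as a refresh token exchange there is no page to redirect, so the action should fall back to api.access.deny there, and the application's callback should still treat error=access_denied as final rather than restarting login.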
