Api.access.deny causes redirect loop

Use Case
We have multiple applications, let’s say public and private and want users with the private role to be able to access the private application on login. All other users (without the private role) will be denied at login.

Current Solution
We created a login action to check if the user has the needed private role. The private application has a metadata key access_role with the value private. The action:

exports.onExecutePostLogin = async (event, api) => {
    api.access.deny('Access denied.');

With the action enabled, logging into the private application causes an endless redirect loop, just like:

  • /callback?error=access_denied&error_description=Access denied.&state=123
  • /
  • /callback?error=access_denied&error_description=Access denied.&state=123
  • /

How to prevent this loop of death?

Hi @mgls,

Welcome to the Auth0 Community!

I understand that you have encountered a redirect loop with your Post-Login Action.

The behavior you have observed happens because the user has not logged out and retains the session from the past, which is when they were denied access.

Hence why, when the user tries to log in again, they’re immediately sent to the error page. The same is true when a user successfully logs in. If they do not log out, they will continue to have access to the page.

In this situation, I recommend calling the /v2/logout endpoint. Please see our Logout documentation for more information.

Lastly, let me also add that I have checked your tenant settings and found that your Check Env Access Permission Post-Login Action calls the api.redirect.sendUserTo() method without resuming the authentication flow.

To resolve this, you must call the /continue endpoint to resume the authentication. Please check out our Redirect with Actions documentation which covers these steps in more detail.


Thanks @rueben.tiow

Our solution: we don’t use api.access.deny() anymore but use api.redirect.sendUserTo('https://{auth0_tenant}.eu.auth0.com/v2/logout?returnTo=https%3A%2F%2Fexample.com').

With this, the not-allowed user will be logged out immediately after the login and gets redirected to the specified returnTo URL.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.