We are using the functionality to force users to have their email verified, and we ran into a situation we did not know was possible.
A user registered a while ago, about 12 days, and only now they clicked on the verify link in their email. To our surprise, instead of being able to be verified and proceed, they got an “Authentication Error - Access Expired error” (view image attached).
Our questions are:
Is it possible to disable this expiration?
Is it possible to customize this error screen?
We really need to have more control over this scenario and not have the default Auth0 look and feel be displayed.
For reference the user was created using the API directly.
Regarding the error message itself, as with all common email verifications, if they aren’t accepted in a short period of time they expire for security reasons. I am not sure of the timeframe, though I believe the email message says.
Regarding the error message screen, we’ll do some checking on that.
What I really need to do is be able to customize this screen. I understand that errors could happen but the main goal is for our product to be able to keep its visual identity.
As a side note, I got this error for a user that had already verified. Which is odd.
The current default lifetime for the verification link is 432,000 seconds (five days). You can change the URL lifetime in the Dashboard (Email > Templates > URL lifetime).
As for customizing, if you want to take control of the access expired case, what you can do is set the redirectTourl field to a URL of a page in your application; this can be set in the dashboard. When the link is expired, the user gets redirected to that URL with error_description=Access expired appended to it, at which point you could check this value and handle it.
Please let me know if this solves your issue!
You mentioned this error occurred for a user that was already verified. Can you please clarify if they were sent the email by mistake or if the email was old and they clicked on the link?
Good to know we can configure the lifetime of the link. However, I’m still confused about the customization of the page.
If I understand you correctly, even when expired, Auth0 will redirect to the URL I specify in the email configuration. Is that correct? If it is, then I need to understand why that is not currently happening. I do have a URL configured but, when it errors out, it does not redirect to my app.
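The expired-link check described in the answer above (reading error_description from the redirect URL) could look like the following on the application's landing page. This is an added example, not code from the thread or from Auth0; the function name, message texts and sample URLs are assumptions, and only the error_description=Access expired value comes from the thread. It treats the query string as untrusted input: the value is matched against a known string and never echoed into the page.

```javascript
// Added example: hypothetical helper, not an Auth0 SDK call.
const EXPIRED = "access expired"; // value quoted in the thread, lower-cased

// Fixed, application-owned texts. The query value itself is never rendered,
// so a crafted error_description cannot inject markup into the branded page.
const MESSAGES = {
  expired: "This verification link has expired. Request a new one.",
  error: "We could not verify your email. Request a new link.",
  pending: "Checking your verification status...",
};

function classifyVerificationRedirect(rawUrl) {
  let params;
  try {
    params = new URL(rawUrl).searchParams;
  } catch {
    // Unparseable URL: fall back to the generic error state.
    return { state: "error", message: MESSAGES.error };
  }

  const values = params.getAll("error_description");
  if (values.length === 0) {
    // No error parameter is not proof of verification: anyone can open this
    // URL directly, so confirm the verified status from the backend instead.
    return { state: "pending", message: MESSAGES.pending };
  }

  // Exactly one parameter with the expected text counts as "expired";
  // duplicates or any other text get the generic error state.
  const isExpired =
    values.length === 1 && values[0].trim().toLowerCase() === EXPIRED;
  const state = isExpired ? "expired" : "error";
  return { state, message: MESSAGES[state] };
}

// Constructed sample URLs (app.example.com is a placeholder host).
const samples = [
  "https://app.example.com/verified?error_description=Access%20expired",
  "https://app.example.com/verified?error_description=%3Cb%3Ehi%3C%2Fb%3E",
  "https://app.example.com/verified",
];
for (const url of samples) {
  console.log(classifyVerificationRedirect(url).state);
}
```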