Auth0 Actions: "error_description" is no longer included in callback URL when denying a user access post-login

Hello,

We have encountered an issue where the error_description query string parameter is no longer being included in the callback URL for our application when we deny a user login inside a Post Login Action. This worked fine for several months, but in the last few days we have realised we are no longer receiving the error_description from Auth0.

What is happening?

  1. User registers an account.
  2. Auth0 sends a verification email to the user.
  3. User does NOT click the verification link, and instead logs in without verifying their email.
  4. Our Post Login Action denies the login e.g. api.access.deny(reason) where the reason is formatted like: UNVERIFIED_EMAIL:josh.cole%2Bdec23j%40example.com.
  5. Auth0 sends the user to our callback URL: https://example.com/auth-error?error=access_denied&state=eyJyZXR1cm5UbyI6Imh0dHBzOi8vbmV0d29yay1zdGFnaW5nLmVsbGVubWFjYXJ0aHVyZm91bmRhdGlvbi5vcmcvIn0
  6. The error parameter is correctly set to “access_denied” in the callback URL, but the error_description parameter is missing.
  7. Our app shows the user a generic error message instead of “please verify your email address”, because the error_description is missing.

What did we expect to happen?

  1. Both the error and error_description parameters are included in the callback URL.
  2. Our app is able to determine the correct error message to show the user, e.g. “please verify your email address”.

Are we doing something wrong here, or has the behaviour of Auth0 Actions changed?


Hi @josh.cole,

I just tested the following Post Login Action and successfully returned the error description:

```javascript
exports.onExecutePostLogin = async (event, api) => {
  api.access.deny('Post Login Action Error Message');
};
```

Can you please try creating a new action and test this code to confirm there isn’t something else causing the issue?
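
As an added example (not code from this thread or from Auth0), this is one way the application's callback route described in the question could read the denial reason while tolerating a missing error_description and never echoing query-string text to the user. The names MESSAGES, GENERIC_MESSAGE and parseAuthError are hypothetical, and the sample URLs are constructed.

```javascript
// Added example: callback-side handling for the /auth-error route.
// MESSAGES, GENERIC_MESSAGE and parseAuthError are hypothetical names, not Auth0 APIs.

// Allowlist of reason codes the app knows how to explain to the user.
const MESSAGES = {
  UNVERIFIED_EMAIL: 'Please verify your email address.',
};
const GENERIC_MESSAGE = 'Sign-in failed. Please try again.';

function parseAuthError(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get('error');
  if (!error) return null; // not an error callback

  // error_description is optional in OAuth 2.0 error responses,
  // so its absence must not break the page.
  const description = params.get('error_description') || '';

  // Reason format used by the Action in the question: CODE:url-encoded-detail
  const sep = description.indexOf(':');
  const code = sep === -1 ? description : description.slice(0, sep);
  let detail = sep === -1 ? '' : description.slice(sep + 1);
  try {
    detail = decodeURIComponent(detail);
  } catch (e) {
    detail = ''; // malformed percent-encoding: drop it
  }

  // Own-property check so keys like "constructor" are not treated as known codes.
  const known = Object.prototype.hasOwnProperty.call(MESSAGES, code);
  return {
    error,
    code: known ? code : null,
    // detail is still query-string input: HTML-escape it before rendering
    detail: known ? detail : '',
    // The raw description is never echoed; only allowlisted text is shown.
    message: known ? MESSAGES[code] : GENERIC_MESSAGE,
  };
}

// Constructed sample callbacks (example.com, placeholder state value).
const base = 'https://example.com/auth-error?error=access_denied&state=PLACEHOLDER';
const withDescription = base + '&error_description=' +
  encodeURIComponent('UNVERIFIED_EMAIL:josh.cole%2Bdec23j%40example.com');

console.log(parseAuthError(withDescription));
console.log(parseAuthError(base)); // falls back to the generic message
```
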
