Hi there, just wanted to clarify some behavior I couldn’t find in the documentation.
Using Lock with Social sign-in and sign-up, it appears that an Auth0 User is created when attempting to “Sign in with X” as well as when registering via “Sign up with X” (Google in my specific case).
Just wanted to verify that this behavior is expected. I have a multi-step registration (more than just email/password), so my login handler can redirect to finish the registration flow at this point. I was just a bit surprised to see a User created from a Sign in attempt.
This is my /login page using the Lock app. From here, I click Log in with Google.
My browser is already logged into cflowers.rp.1
After login, my custom rules mark the attempt as unauthorized since the account has not completed registration. I have Lock configured to display an error message in this scenario.
The signup and login buttons are the same when using a third party IdP like Google. In addition, there’s no way of stopping signup of social logins, because conceptually the signup does not happen at Auth0, but at the external identity provider.
So, the user would be created and exist; however, if you want to prevent access, you would use something of this sort in your rule: return callback(new UnauthorizedError('Access denied'));
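The rule-based denial described in the answer above, written out as a full Auth0 Rule. This is an added example, not part of the original posts. The `registration_complete` flag, the `evaluate` helper and the sample users are assumptions made for illustration.

```javascript
// In the Auth0 Rules sandbox UnauthorizedError is a global; this stand-in
// exists only so the file runs outside Auth0. Omit it when pasting the rule.
class UnauthorizedError extends Error {}

// Hypothetical flag the application's backend writes once the multi-step
// registration finishes. It lives in app_metadata, which end users cannot
// edit, rather than user_metadata, which they can.
const REGISTRATION_FLAG = 'registration_complete';

// Standard Rule signature: (user, context, callback).
function requireCompletedRegistration(user, context, callback) {
  // A user created by a first "Sign in with Google" has no app_metadata,
  // so a missing object or flag counts as not registered (fail closed).
  const meta = user.app_metadata || {};
  if (meta[REGISTRATION_FLAG] !== true) {
    return callback(new UnauthorizedError('Access denied'));
  }
  return callback(null, user, context);
}

// Local harness (hypothetical): runs the rule and reports the outcome.
function evaluate(user) {
  let outcome;
  requireCompletedRegistration(user, {}, (err) => {
    outcome = err ? `denied: ${err.message}` : 'allowed';
  });
  return outcome;
}

// Constructed sample users, not real accounts.
const firstSocialLogin = { user_id: 'google-oauth2|constructed-1' };
const halfRegistered = {
  user_id: 'google-oauth2|constructed-2',
  app_metadata: { registration_complete: 'true' }, // string, not boolean
};
const registered = {
  user_id: 'google-oauth2|constructed-3',
  app_metadata: { registration_complete: true },
};

for (const u of [firstSocialLogin, halfRegistered, registered]) {
  console.log(u.user_id, '->', evaluate(u));
}
```

The Auth0 user record still exists after a denied attempt, as the answer says; the rule only stops the login from completing.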