Auth0 Lock - Social sign-in creates Auth0 Management User

cflowers · May 29, 2020, 6:18pm

Hi there, just wanted to clarify some behavior I couldn’t find in the documentation.

Using Lock with Social sign-in and sign-up, it appears that an Auth0 User is created when attempting to “Sign in with X” as well when registering via “Sign up with X” (Google in my specific case).

Just wanted to verify that this behavior is expected. I have a multi-step registration (more than just email/password), so my login handler can redirect to finish the registration flow at this point. I was just a bit surprised to see a User created from a Sign in attempt.

Thanks!

karen1 · May 29, 2020, 6:41pm

Good afternoon,

Could you provide some screenshots and steps so I can confirm the behavior you are referencing to?

Thanks!

cflowers · May 29, 2020, 6:52pm

Sure:

This is the initial state. My account email doesn’t exist within Auth0 Users.

This is my /login page using the Lock app. From here, I click Log in with Google.
My browser is already logged into cflowers.rp.1
screen2

After login, my custom rules mark the attempt as unauthorized since the account has not completed registration, I have Lock configured to display an error message in this scenario.

But if we now look at the Users page:

I now have a User with email verified, just from a sign-in attempt. Thanks for the help!

cflowers · May 29, 2020, 6:53pm

To clarify, for the /login page my browser is logged into the cflowers.rp.1@gmail.com account.

cflowers · June 2, 2020, 5:59pm

Little bump here, would like to clarify if this is intended behavior to create a User just based on a login attempt.

konrad.sopala · June 3, 2020, 1:13pm

Hey there!

Let me ping @karen1 regarding that

karen1 · June 3, 2020, 3:52pm

Good morning,

Sorry for the delay.

The signup and login buttons are the same when using a third party IdP like Google. In addition, there’s no way of stopping signup of social logins, because conceptually the signup does not happen at Auth0, but at the external identity provider.

So, the user would be created and exist, however, if you want to prevent access, you would use something of this sort in your rule return callback(new UnauthorizedError('Access denied'));

cflowers · June 3, 2020, 3:53pm

Awesome, thanks for clearing that up!

konrad.sopala · June 3, 2020, 4:02pm

We’re here for you !

system · June 18, 2020, 4:02pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.