Auth0 Lock - Social sign-in creates Auth0 Management User

Hi there, just wanted to clarify some behavior I couldn’t find in the documentation.

Using Lock with Social sign-in and sign-up, it appears that an Auth0 User is created when attempting to “Sign in with X” as well when registering via “Sign up with X” (Google in my specific case).

Just wanted to verify that this behavior is expected. I have a multi-step registration (more than just email/password), so my login handler can redirect to finish the registration flow at this point. I was just a bit surprised to see a User created from a Sign in attempt.


Good afternoon,

Could you provide some screenshots and steps so I can confirm the behavior you are referencing to?



This is the initial state. My account email doesn’t exist within Auth0 Users.

This is my /login page using the Lock app. From here, I click Log in with Google.
My browser is already logged into cflowers.rp.1

After login, my custom rules mark the attempt as unauthorized since the account has not completed registration, I have Lock configured to display an error message in this scenario.

But if we now look at the Users page:

I now have a User with email verified, just from a sign-in attempt. Thanks for the help!

To clarify, for the /login page my browser is logged into the account.

Little bump here, would like to clarify if this is intended behavior to create a User just based on a login attempt.

Hey there!

Let me ping @karen1 regarding that

Good morning,

Sorry for the delay.

The signup and login buttons are the same when using a third party IdP like Google. In addition, there’s no way of stopping signup of social logins, because conceptually the signup does not happen at Auth0, but at the external identity provider.

So, the user would be created and exist, however, if you want to prevent access, you would use something of this sort in your rule return callback(new UnauthorizedError('Access denied'));


Awesome, thanks for clearing that up!

1 Like

We’re here for you !

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.