I would need to have users verify their email address before logging in and otherwise deny access. This can easily be done with Actions or formerly Rules. In the case of an unverified email, api.access.deny(msg) is called. While for the registration flow this simply displays an error message within the Auth0 form, for the login flow it redirects the user to the destination page with the error passed in the URL.
This is very impractical as we have applications that do not support handling the error information given by Auth0 at all and also it would require implementing error handling in every single application that uses Auth0 for authentication.
I therefore have two questions:
- Can my use case of enforcing email verification without redirecting to the target app in case of login refusal be solved differently?
- Is the design to redirect users to the target app in case of errors in the login flow intentional?
Edit: note that my problem is basically the same as described in Show rule error in Universal Login - #10 by FDX, where the last post states that it’s currently not supported and should be solved with a custom error page. Unfortunately, we want to SSO into a service where we can’t adjust business logic, hence implementing a custom page is not possible.