We’re looking to disable the UI of our application if we block a user in auth0. Right now, we only know if the user is blocked when they attempt to log in. What are some methods you recommend for checking user/org metadata in auth0 without hitting the api rate limits by checking each user on each page load? What’s the best way to store user metadata that changes often? Should we store it outside of auth0?
I’m happy to assist you in discovering the solution you’re looking for.
If we are looking for an answer to how to end a user session on the Auth0 (IdP) layer, this session is invalidated once a user is blocked.
To invalidate a local application session (the UI you are mentioning), there is a way for that as well (it shouldn’t cause you trouble with rate limiting if we follow the recommended 15-minute interval between calls) - please take a look at this doc, especially the part:
If you need to log users out of the application’s local session when blocking them, it is necessary to periodically poll the /authorize endpoint using the “prompt=none” parameter (AKA silent authentication) to check if the user still has a valid session on the Auth0 side.
exports.onExecutePostLogin = async (event, api) => {
  // app_metadata is only writable from the Management API or Actions, so it is
  // a safe place to remember that the expensive step has already run.
  if (event.user.app_metadata?.didAnExpensiveTask) {
    console.log(`Skipping the expensive task because it already occurred for ${event.user.email}.`);
    return;
  }
  // do an expensive task
  api.user.setAppMetadata("didAnExpensiveTask", true);
};
Hope this helps! Please let us know if you have any questions.
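As an added example (not from the original post or Auth0's own SDK), here are the client-side pieces of the silent-authentication poll described in the answer: building the prompt=none /authorize request, interpreting the response, and enforcing the 15-minute spacing so checking "on page load" never becomes a burst of calls. All names are hypothetical and the domain, client ID and redirect URI are placeholders.

```javascript
// Added example, not from the original post: helpers for a silent-auth poll.
const MIN_POLL_INTERVAL_MS = 15 * 60 * 1000; // the 15-minute spacing recommended above

// Build the /authorize URL for a silent check (prompt=none). In a SPA this is
// loaded in a hidden iframe and the result comes back via postMessage.
function buildSilentAuthUrl({ domain, clientId, redirectUri, state, nonce }) {
  const url = new URL(`https://${domain}/authorize`);
  const params = {
    client_id: clientId,
    response_type: "id_token",
    response_mode: "web_message",
    redirect_uri: redirectUri,
    scope: "openid",
    prompt: "none", // never show UI; fail fast if there is no valid Auth0 session
    state,
    nonce,
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Interpret the parameters Auth0 returns from the silent check. A blocked user
// no longer has a session, so Auth0 answers with an error such as
// login_required instead of a token.
function classifySilentAuthResult(result, expectedState) {
  if (result.state !== expectedState) return "reject"; // state mismatch: ignore it
  if (result.error) {
    const sessionGone = ["login_required", "interaction_required", "consent_required"];
    return sessionGone.includes(result.error) ? "session_gone" : "transient_error";
  }
  return result.id_token ? "session_ok" : "transient_error";
}

// Decide whether a check is due; the interval is clamped to the minimum so a
// misconfigured caller cannot poll faster than recommended.
function silentCheckDue(lastCheckAt, now, intervalMs = MIN_POLL_INTERVAL_MS) {
  const interval = Math.max(intervalMs, MIN_POLL_INTERVAL_MS);
  return lastCheckAt === null || now - lastCheckAt >= interval;
}

// What the UI should do with the classification: disable on a lost session,
// keep the last known state on transient errors or rejected responses.
function uiStateFor(classification, current) {
  switch (classification) {
    case "session_gone": return "disabled";
    case "session_ok": return "enabled";
    default: return current;
  }
}
```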