Blocking users from signing up

Hi. We want to block certain users from signing up to our site (based on their email domain).

What I’ve tried is to add a Login-flow Action that checks the user’s email and calls api.access.deny(...) if they should be blocked.

This doesn’t really work well for us:

  • The user is still created on Auth0 - we don’t want them to be able to sign up at all.
  • They are still sent a verification email, even though they are blocked. And that just verifies them and links them back to the site… They should not receive any email at all.

How can we actually block a user from signing up? It should work for social logins too, so “Pre Registration” flow will not help…

Thanks!

Hi @uribeamr,

Unfortunately, this is a limitation with Actions when using Social Connections to sign up and log in.

Generally, you would use a Pre-User Registration Action to block and prevent users from signing up. However, this flow does not run for Social Connections.

As a workaround, we recommend using a Post-Login action to deny the users from logging in based on their email domain. However, please note that this flow cannot prevent users from signing up and it will still create a user profile. It is unfortunately unavoidable.

Here is a related post also mentioning this: How to use Actions to block signup based on email domain from a social connection?

Thanks,
Rueben

Thank you @rueben.tiow, that is disappointing…

Hi @uribeamr,

I completely understand. It seems there’s a feedback request asking to allow the pre-user registration action to block social users:

I suggest upvoting on the feedback to support your use case for implementation.

Thanks,
Rueben

I’m landing on this late, but there is a solution to this problem. It is true that external connections (social, enterprise) land at the post-login flow after the profile has been created. But, the action can both reject the login AND delete the profile that was just created using the management API. You have the new user ID.

In case anybody needs it, I created the code for a starter action that deletes the profile and blocks the login, and published it at GitHub - jmussman/auth0-block-idp-signup.
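
The approach described in the last post, written out as an added example (it is not the code from the linked repository): a Post-Login Action that denies the login and deletes the just-created profile through the Management API. The secret names (`BLOCKED_DOMAINS`, `MGMT_DOMAIN`, `MGMT_CLIENT_ID`, `MGMT_CLIENT_SECRET`) and the injectable `deleteUser` parameter are assumptions made for this example.

```javascript
// Added example, not the code from the repository linked above.
// Secret names (BLOCKED_DOMAINS, MGMT_*) are assumptions; set them as Action secrets.

// Pure decision: block only brand-new, non-database users whose email domain is listed.
function shouldBlockSignup(event, blockedDomains) {
  const email = String(event.user.email || '').toLowerCase();
  const domain = email.slice(email.lastIndexOf('@') + 1);  // exact match, no subdomains
  const firstLogin = event.stats.logins_count === 1;       // profile was just created
  const external = event.connection.strategy !== 'auth0';  // database signups: Pre-User Registration
  return firstLogin && external && email.includes('@') && blockedDomains.includes(domain);
}

// Deletes the profile via Management API v2 (the M2M application needs the delete:users scope).
async function deleteUserViaManagementApi(secrets, userId) {
  const base = `https://${secrets.MGMT_DOMAIN}`;
  const tokenRes = await fetch(`${base}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: secrets.MGMT_CLIENT_ID,
      client_secret: secrets.MGMT_CLIENT_SECRET,
      audience: `${base}/api/v2/`,
    }),
  });
  if (!tokenRes.ok) throw new Error(`token request failed: ${tokenRes.status}`);
  const { access_token } = await tokenRes.json();
  const res = await fetch(`${base}/api/v2/users/${encodeURIComponent(userId)}`, {
    method: 'DELETE',
    headers: { authorization: `Bearer ${access_token}` },
  });
  if (!res.ok) throw new Error(`user delete failed: ${res.status}`);
}

// Post-Login handler; deleteUser is injectable so the logic can be tested offline.
async function onExecutePostLogin(event, api, deleteUser = deleteUserViaManagementApi) {
  const blocked = String(event.secrets.BLOCKED_DOMAINS || '')
    .split(',').map((d) => d.trim().toLowerCase()).filter(Boolean);
  if (!shouldBlockSignup(event, blocked)) return;
  api.access.deny('Sign-up is not allowed for this email domain.'); // deny first: fail closed
  try {
    await deleteUser(event.secrets, event.user.user_id);
  } catch (err) {
    console.log(`cleanup failed for ${event.user.user_id}: ${err.message}`); // login stays denied
  }
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Restricting the deletion to the first login keeps an existing account from being removed if its domain is added to the block list later; such users are not denied by this example either.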