In the Custom Universal Login, during the "create a profile" step, we are trying to verify (in the JavaScript) that the email address entered by the user already exists in Auth0, whether it be for the workflow to reset their password or to create a new profile. During the initial development we looked at including the client_id and client_secret values in the Universal Login script, but while this worked, it is obviously a major security issue, as the Universal Login script exposes these hard-coded values to a would-be hacker in the response data visible in the browser's F12 Developer Tools before the user has even logged in.
We thought about trying to move this into a custom action, but I wasn't sure if a custom action can even be called from Custom Universal Login (or Custom Password Reset, for that matter). I think I also saw a post where env variables were passed in for the client_id and client_secret values (similar to how Custom Actions can have these values saved in encrypted fashion with the script), but I wasn't clear on how this was being passed into the Universal Login from the application. We are developing this to work with both an iOS and an Android mobile app as well as a NextJS web application.
The post in question with the env variables was:
No “Back to app” button on Password-Reset-Success screen even though Application Login URI is filled out - Auth0 Community
In another post of mine, @marybeth.hunter stated "You cannot call another action from the New Universal Login Page", which indicates to me that custom actions are not an option here, but I wanted to make sure:
Can a custom Universal Login get geoip.countryCode? - Auth0 Community
What would be the best approach to solving this kind of need in Custom Universal Login?
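To make the exposure concrete, here is an added example (not code from the original post and not Auth0's own code) that places the pattern described above, the secret hard-coded in the login page script, next to a server-side lookup that keeps the secret in environment variables; the route name, the env variable names and the injected fetch function are assumptions.

```javascript
// Added example, not code from the original post or from Auth0. It contrasts
// the pattern described in the post (client secret hard-coded in the Universal
// Login page script) with a server-side route that keeps the secret in
// environment variables. The route name, env variable names and the injected
// fetchFn are assumptions.

// What the post describes: anything in the Universal Login page script is sent
// to every browser that loads the page, so these would be readable in DevTools.
const INSECURE_PAGE_SCRIPT = [
  'const CLIENT_ID = "<client id>";',
  'const CLIENT_SECRET = "<client secret>"; // exposed to every visitor',
].join("\n");

// Server-side helpers. fetchFn is injected (global fetch in production, a stub
// in tests) and env stands in for process.env on the server.
async function getManagementToken(fetchFn, env) {
  const res = await fetchFn(`https://${env.AUTH0_DOMAIN}/oauth/token`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      grant_type: "client_credentials",
      client_id: env.AUTH0_CLIENT_ID,
      client_secret: env.AUTH0_CLIENT_SECRET, // never leaves the server
      audience: `https://${env.AUTH0_DOMAIN}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  return (await res.json()).access_token;
}

// Management API lookup by email; the endpoint returns an array of users.
async function emailExists(fetchFn, env, email) {
  const token = await getManagementToken(fetchFn, env);
  const url = `https://${env.AUTH0_DOMAIN}/api/v2/users-by-email?email=${encodeURIComponent(email)}`;
  const res = await fetchFn(url, { headers: { authorization: `Bearer ${token}` } });
  if (!res.ok) throw new Error(`lookup failed: ${res.status}`);
  const users = await res.json();
  return Array.isArray(users) && users.length > 0;
}

// Shape of a hypothetical Next.js API route (pages/api/email-exists.js): the
// browser only ever receives { exists: true|false }. Since that answer reveals
// whether an account exists, the route should be rate-limited server-side.
async function emailExistsHandler(req, res, fetchFn = globalThis.fetch, env = process.env) {
  const email = typeof req.body?.email === "string" ? req.body.email.trim() : "";
  if (!email) return res.status(400).json({ error: "email required" });
  const exists = await emailExists(fetchFn, env, email);
  return res.status(200).json({ exists });
}
```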