Configuration for preventing unverified authentication

Feature:

  • Application or tenant level setting to prevent users with unverified email addresses from authenticating.

Description:

  • Was surprised to find this was not a built-in feature already, given some of the other toggles provided.
  • Without a setting to prevent this globally, the only solution I was able to come up with was to use a Rule – which fires post-authentication – so it results in redirect ping-pong to kill the authentication and redirect somewhere that indicates to the user they need to verify their email first.
  • Ideally, this setting should prevent authentication/grants from being provided if unverified, so the application code isn’t left having to clean up the session.

Use-case:

  • It is common practice to use email as a login credential. The use case is simply blocking access to data for accounts that have not verified their email address.
  • The workaround feels like a bit much.

Hi @blake.symonds,

Thanks for reaching out to the Auth0 Community!

I understand that you initially made this post as a Feedback Request asking for a method to prevent unverified users from authenticating.

I have just changed this category to General because there are existing configurations you can employ to accomplish this.

As you hinted, you can use Rules to Force Email Verification. However, regarding your concern about preventing this globally, you can specify a Rule to execute for specific applications.

Example snippet below:

// Auth0 Rule: reject logins from users whose email address is not verified,
// but only for the application whose client ID is given below.
function emailVerified(user, context, callback) {
  if (!user.email_verified && context.clientID === 'YOUR_CLIENTID_HERE') {
    // Returning an UnauthorizedError aborts the login; the user is sent back
    // to the application's Callback URL with an unauthorized error.
    return callback(new UnauthorizedError('Please verify your email before logging in.'));
  } else {
    // Verified user, or an application this Rule does not apply to: continue.
    return callback(null, user, context);
  }
}

After doing so, your users will be redirected to your Callback URL with an unauthorized error.

Please let me know how this works for you.

Thank you!
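The reply above shows a Rule scoped to a single client ID and notes that a blocked user lands on the Callback URL with an unauthorized error. The following is an added example, not the snippet posted in the thread or Auth0's own code: it generalises the Rule to a configurable set of applications, fails closed when the `email_verified` attribute is missing, and adds a small harness plus a callback-URL check so the whole flow can be run in plain Node outside the Rules runtime. The `UnauthorizedError` stand-in, the client IDs and the sample users are constructed for this example; in a real tenant `UnauthorizedError` is supplied by Auth0 and the client IDs come from your own applications.

```javascript
// Added example (not the code posted in the thread): an Auth0-style Rule that
// blocks unverified users for a configurable set of applications, plus a small
// harness so it can be executed and checked outside the Auth0 Rules runtime.

// In Auth0 Rules, UnauthorizedError is provided by the runtime. This stand-in
// is constructed here only so the file runs stand-alone in Node.
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// Hypothetical client IDs, constructed for this example. In a real tenant these
// would be the client IDs of the applications that must enforce verification.
const ENFORCED_CLIENT_IDS = new Set(['APP_ONE_CLIENT_ID', 'APP_TWO_CLIENT_ID']);

const VERIFY_MESSAGE = 'Please verify your email before logging in.';

// The Rule itself. Fails closed: a missing or non-boolean email_verified flag
// is treated as unverified, so a profile without the attribute cannot slip through.
function requireVerifiedEmail(user, context, callback) {
  const enforced = ENFORCED_CLIENT_IDS.has(context.clientID);
  const verified = user.email_verified === true;
  if (enforced && !verified) {
    return callback(new UnauthorizedError(VERIFY_MESSAGE));
  }
  return callback(null, user, context);
}

// Harness: run the Rule against one user/context pair and report the outcome.
// Returns 'allowed' or 'blocked: <message>'.
function runRule(user, context) {
  let outcome;
  requireVerifiedEmail(user, context, (err) => {
    outcome = err ? `blocked: ${err.message}` : 'allowed';
  });
  return outcome;
}

// What the application sees afterwards: a Rule that returns UnauthorizedError
// sends the browser to the Callback URL with the standard OAuth 2.0 error
// parameters (error, error_description) instead of an authorization code.
// The application can use this to show a "verify your email" page rather than
// treating the redirect as a successful login.
function describeCallback(urlString) {
  const params = new URL(urlString).searchParams;
  if (params.get('error') === 'unauthorized') {
    return { blocked: true, reason: params.get('error_description') || 'unauthorized' };
  }
  return { blocked: false, reason: null };
}

// Constructed sample inputs.
const verifiedUser = { email: 'alice@example.com', email_verified: true };
const unverifiedUser = { email: 'bob@example.com', email_verified: false };
const noFlagUser = { email: 'carol@example.com' }; // attribute absent

const enforcedApp = { clientID: 'APP_ONE_CLIENT_ID' };
const otherApp = { clientID: 'UNRELATED_CLIENT_ID' };

// Constructed callback URL of the shape produced when the Rule blocks a login.
const blockedCallback =
  'https://app.example.com/callback?error=unauthorized' +
  '&error_description=Please%20verify%20your%20email%20before%20logging%20in.';

console.log(runRule(verifiedUser, enforcedApp));   // allowed
console.log(runRule(unverifiedUser, enforcedApp)); // blocked: Please verify your email before logging in.
console.log(runRule(noFlagUser, enforcedApp));     // blocked (fail closed)
console.log(runRule(unverifiedUser, otherApp));    // allowed (application not enforced)
console.log(describeCallback(blockedCallback));    // { blocked: true, reason: 'Please verify ...' }
```

The per-application scoping is the point raised in the reply; the `Set` simply lets one Rule cover several applications without duplicating it. Treating an absent `email_verified` as unverified is a deliberate choice here, since a Rule that only checks `!user.email_verified` already behaves that way for `undefined`, and making it explicit avoids surprises if the comparison is later tightened to `=== false`.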

No, I understand how it works. It’s the why that is confusing.

Why slough that off on your customers? You are the authentication service, why not include a setting to simply atomically enable/disable this per connection? This is really a security issue.

Yes I can workaround it with a Rule – but that is post-authentication, so again putting it on your customers to authenticate, revoke, redirect, etc.

When I asked these same questions to my account’s assigned Solution Architect, I was instructed to come here and submit a feature request. Which I did. So I guess you guys really don’t want to implement this one, eh?

How will it get votes/ranked in your implementation queue if you move it to general discussion?

Hi @blake.symonds,

I understand your frustration that you want a Toggle to enable/disable unverified authentication.

That sounds like great Feedback and thank you for reverting it to that category.

I’d like to take this time to clarify some of your concerns. From inception, Rules have always been how Auth0 provides our customers extensibility, control, and customization. There is a large selection of Rule templates that can be used to build upon, such as preventing unverified authentication to specific applications.

I apologize if you thought we are not interested in implementing this feature, but I changed the category because this can be accomplished using Rules.

I understand now that you’d like a dedicated toggle.

Thank you for your feedback, and I believe this would be a great quality of life feature!

Have a great rest of your day.