We’re working on implementing a domain whitelist similar to this template:
The problem is that the user stays logged into Auth0 and subsequent login attempts do not challenge the user for new credentials. They may want to try again with a different domain but they’re now stuck in an access denied loop that will never complete.
Is there a way to prevent the login so this condition doesn’t occur?
As api.access.deny does not end any existing session, you’ll also want to log users out in order to avoid the loop you’re experiencing. Please see the following post:
Hmmm, since the actions apply to all applications, I’m not sure how this will work for us. We have multiple apps that need this rule and they all have different URLs. I’d have to know which app they were authenticating to in order to know where to redirect them after logout.
Is there a method to determine which application the login event is for? I browsed around the event and didn’t see anything but I definitely could be missing something.
I may have a workaround from the client side of things. We’re using React for the client and there is an option exposed to force re-authentication using the popup:
The popup is not our preferred login experience but I suppose we can make it work. I didn’t see any exposed options for doing the same thing using loginWithRedirect.
Well, it looks like loginWithPopup is also a dead end because we need to initiate auth from events like route changes and the browser popup manager will kick in.
The only two options I see are:
1. Determine which app the login event is for so I can map a redirect properly after the logout redirect
2. Find a way to pass the prompt=login param to the loginWithRedirect function. It doesn’t appear to be exposed in the RedirectLoginOptions options in the JavaScript SDK.
The "returnTo" querystring parameter "http://localhost:5173" is not defined as a valid URL in "Allowed Logout URLs". To add a new URL, please do it here: https://manage.auth0.com/#/account/advanced
However, I’ve verified that the allowed logout URL is set to http://localhost:5173 in the Auth0 dashboard so I’m not sure why it’s giving this error.
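An added example, not code from this thread or from Auth0's template: a post-login Action that enforces a per-application domain allow-list, reading event.client.client_id to tell which application the login is for. The client IDs, domains and the denyReason helper are assumptions made for illustration; as noted in the reply above, api.access.deny on its own does not end the existing session.

```javascript
// Added example. Client IDs and domains below are constructed placeholders.
const ALLOWED_DOMAINS_BY_CLIENT = {
  // key: event.client.client_id of each application
  "CLIENT_ID_APP_A": ["example.com"],
  "CLIENT_ID_APP_B": ["example.com", "partner.example.org"],
};

// Hypothetical helper: returns null when the login may proceed,
// otherwise the reason string to hand to api.access.deny().
function denyReason(event) {
  const allowed = ALLOWED_DOMAINS_BY_CLIENT[event.client.client_id];
  // Fail closed: an application without an entry gets no access.
  if (!allowed) return "Application has no domain allow-list configured.";

  const email = event.user.email;
  // Only trust the domain of an address the identity provider has verified.
  if (typeof email !== "string" || !event.user.email_verified) {
    return "A verified email address is required.";
  }

  // Compare the whole domain (text after the last "@"), case-insensitively.
  // A suffix test such as endsWith("example.com") would also accept
  // "evil-example.com", so use an exact match instead.
  const domain = email.slice(email.lastIndexOf("@") + 1).trim().toLowerCase();
  if (!allowed.includes(domain)) {
    return `Email domain is not allowed for ${event.client.name}.`;
  }
  return null;
}

async function onExecutePostLogin(event, api) {
  const reason = denyReason(event);
  if (reason) {
    api.access.deny(reason);
  }
}
// In the Auth0 Action editor, export the handler:
//   exports.onExecutePostLogin = onExecutePostLogin;
```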