Custom Action: user stays logged into Auth0 after api.access.deny

We’re working on implementing a domain whitelist similar to this template:

The problem is that the user stays logged into auth0 and subsequent login attempts do not challenge the user for new credentials. They may want to try again with a different domain but they’re now stuck in an access denied loop that will never complete.

Is there a way to prevent the login so this condition doesn’t occur?

Hey there @mcantrell !

As api.access.deny does not end any existing session, you’ll also want to log users out in order to avoid the loop you’re experiencing. Please see the following post:

Hmmm, since the actions apply to all applications, I’m not sure how this will work for us. We have multiple apps that need this rule and they all have different URLs. I’d have to know which app they were authenticating to in order to know where to redirect them after logout.

Is there a method to determine which application the login event is for? I browsed around the event and didn’t see anything but I definitely could be missing something.

I may have a workaround from the client side of things. We’re using react for the client and there is an option exposed to force re-authentication using the popup:

    import { PopupLoginOptions } from '@auth0/auth0-react';

    // `auth` is assumed to be the object returned by useAuth0()
    async function login() {
        // await auth.loginWithRedirect({
        //     appState: {returnTo: window.location.pathname}
        // });
        let options: PopupLoginOptions = {
            authorizationParams: {
                prompt: 'login'    // ask Auth0 to re-prompt for credentials even if a session exists
            }
        }
        await auth.loginWithPopup(options);
        console.info('loginWithPopup result:', auth.isAuthenticated, auth.error);
    }

The popup is not our preferred login experience but I suppose we can make it work. I didn’t see any exposed options for doing the same thing using loginWithRedirect.

Well, it looks like loginWithPopup is also a dead end because we need to initiate auth from events like route changes and the browser popup manager will kick in.

The only two options I see are:

  1. Determine which app the login event is for so I can map a redirect properly after the logout redirect
  2. Find a way to pass the prompt=login param to the loginWithRedirect function. It doesn’t appear to be exposed in the RedirectLoginOptions options in the javascript sdk.

There is! You can access the client_id of the application with event.client.client_id in action code.

I actually ended up using the original redirect URL found in the event:

// send the user to the tenant's logout endpoint, returning them to the app's original redirect URI
api.redirect.sendUserTo(`https://${event.tenant.id}.us.auth0.com/v2/logout`, {
    query: { returnTo: event.transaction.redirect_uri }
});

I’m onto a different issue now because it’s denying the logout. The URL generated looks good:

https://redacted-tenant.us.auth0.com/v2/logout?returnTo=http%3A%2F%2Flocalhost%3A5173&state=**redacted**

The error log states:

The "returnTo" querystring parameter "http://localhost:5173" is not defined as a valid URL in "Allowed Logout URLs". To add a new URL, please do it here: https://manage.auth0.com/#/account/advanced

However, I’ve verified that the allowed logout URL is set to http://localhost:5173 in the Auth0 dashboard so I’m not sure why it’s giving this error.

Ahh, I needed to pass the client_id parameter so it knows which app to use for a logout whitelist. The following solution is working now:

api.redirect.sendUserTo(`https://${event.tenant.id}.us.auth0.com/v2/logout`, {
    query: {
        client_id: event.client.client_id,   // selects which app's "Allowed Logout URLs" is checked
        returnTo: `${event.transaction.redirect_uri}?auth_error_code=unapproved_social_domain`
    }
});
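Putting the thread's pieces together as a complete post-login Action, as an added example that is not the poster's code: the allowed-domain list, the handling of a missing e-mail and of a redirect_uri that already carries a query string are assumptions made here.

```javascript
// Added example: post-login Action that only admits users whose e-mail domain is
// on an allowlist, and sends everyone else to /v2/logout so no lingering Auth0
// session keeps them in a denied loop. The login transaction is never resumed.
const ALLOWED_DOMAINS = ['example.com', 'partner.example.org']; // constructed sample
const AUTH_ERROR_CODE = 'unapproved_social_domain';             // value used in the thread

// Domain part of an e-mail address, lower-cased; null when missing or malformed
// (e.g. a social connection that did not return an e-mail at all).
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

function isAllowedDomain(email, allowed = ALLOWED_DOMAINS) {
  const domain = emailDomain(email);
  return domain !== null && allowed.includes(domain);
}

// Logout redirect as in the thread: client_id tells Auth0 which application's
// "Allowed Logout URLs" to validate returnTo against; returnTo is the app's own
// redirect_uri plus an error code the app can display. Region ("us") is assumed.
function buildLogoutRedirect(event) {
  const url = `https://${event.tenant.id}.us.auth0.com/v2/logout`;
  const base = event.transaction.redirect_uri;
  const sep = base.includes('?') ? '&' : '?';
  const returnTo = `${base}${sep}auth_error_code=${encodeURIComponent(AUTH_ERROR_CODE)}`;
  return { url, query: { client_id: event.client.client_id, returnTo } };
}

// In the Action editor this is `exports.onExecutePostLogin = async (event, api) => ...`
async function onExecutePostLogin(event, api) {
  if (isAllowedDomain(event.user && event.user.email)) return; // approved: continue login
  const { url, query } = buildLogoutRedirect(event);
  api.redirect.sendUserTo(url, { query });
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```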

That’s great @mcantrell glad that’s working for you and thanks for sharing with the community :slight_smile:

Use api.session.revoke()
