The most correct and complete approach would be:
exports.onExecutePostLogin = async (event, api) => {
  return api.access.deny('Deny example.');
};
Here’s why:
- You should always return the api.access.deny() call. This ensures:
  - The action stops executing immediately
  - No token is issued
  - The denial is properly propagated
- Trying to use api.redirect.sendUserTo() after api.access.deny() won’t work because:
  - The deny action terminates the authentication flow
  - Any code after the deny won’t execute
  - The redirect would never be reached
- If you need custom error handling, you should handle this on the client side. Here’s how:
// In your Next.js app or whatever framework you are using. Customize accordingly.
import { useAuth0 } from '@auth0/auth0-react';
import { useRouter } from 'next/router';

// Inside your callback component
const { handleRedirectCallback } = useAuth0();
const router = useRouter();
try {
  await handleRedirectCallback();
} catch (error) {
  // Customize based on what you see in the response; also check for error_description in the query params when Auth0 redirects back
  if (error.error === 'access_denied' || error.error === 'unauthorized') {
    // Redirect to your custom error page
    router.push('/access-denied');
  }
}
If you really need custom redirection on denial, you could use Auth0’s Error Pages customization:
- Go to Auth0 Dashboard → Settings → Tenant Settings → General → Error Pages
- Choose “Custom” error page
- Set your URL (e.g., https://my-app.exampleco.com/access-denied)
This would handle all authentication errors, including denials from your Actions, in a more standard way.
The approach of redirecting to logout isn’t recommended because:
- It’s unnecessary - no session was created to log out from
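Putting the two halves of the answer together, here is an added example (not code from the original post or from Auth0): a Post-Login Action that returns api.access.deny() for unapproved users, run against a constructed stand-in for the Actions api object, and the client-side mapping of the error/error_description query params Auth0 sends back to the app's callback URL. The app_metadata.approved flag and the /auth-error route are assumptions for illustration.

```javascript
// Constructed stand-in for the Auth0 Actions `api` object (not the real SDK):
// it records what the action asked for so the action can run offline.
function makeFakeApi() {
  const calls = [];
  return {
    calls,
    access: { deny(reason) { calls.push({ kind: 'deny', reason }); } },
    redirect: { sendUserTo(url) { calls.push({ kind: 'redirect', url }); } },
  };
}

const DENIAL_REASON = 'Account is not approved for this application.';

// Policy check: allow only users whose app_metadata.approved flag is true.
// (The `approved` flag is a hypothetical example, not an Auth0 built-in.)
function decideAccess(event) {
  const meta = event && event.user && event.user.app_metadata;
  const approved = Boolean(meta) && meta.approved === true;
  return approved ? { allow: true } : { allow: false, reason: DENIAL_REASON };
}

// Post-Login Action: on denial, `return` the deny call so nothing after it runs.
async function onExecutePostLogin(event, api) {
  const decision = decideAccess(event);
  if (!decision.allow) {
    return api.access.deny(decision.reason);
  }
  // Anything placed here only runs for approved users.
}

// Client side: after a denial Auth0 sends the user back to the app's callback
// URL with `error=access_denied&error_description=<reason>`; map that to a route.
function routeForCallback(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get('error');
  const description = params.get('error_description') || '';
  if (error === 'access_denied' || error === 'unauthorized') {
    return { route: '/access-denied', description };
  }
  if (error) return { route: '/auth-error', description }; // any other OAuth error
  return { route: '/', description: '' }; // normal login, no error params
}

// Export the action the way Auth0 expects when deployed as an Action script.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```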