Deny users with certain roles at login

Hi,
I’d like to throw an exception like “wrong username or password” when some users with certain roles try to authenticate to specific applications. Creating a new tenant does not fit our scenario because our applications are connected to one database. I wrote an action, but I can’t show an error message on the login page using actions. Can you suggest any way to resolve this?

Would appreciate any help.

Hello @d3v, welcome to the community!

What does your action look like? You should be able to accomplish this using the api.access.deny method on the post-login API object. It’s up to your application to read the query params and handle what to do next.

Hope this helps!

exports.onExecutePostLogin = async (event, api) => {
  // Client metadata values are strings, so required_roles is assumed to be a
  // comma-separated list of allowed role names, e.g. "admin,editor".
  const requiredRoles = (event.client.metadata.required_roles || '')
    .split(',')
    .map((r) => r.trim())
    .filter(Boolean);
  // event.authorization is undefined when the user has no roles assigned.
  const userRoles = (event.authorization && event.authorization.roles) || [];
  // Deny unless the user holds at least one of the required roles.
  // api.access.deny takes a reason string, returned to the app as error_description.
  if (requiredRoles.length > 0 && !requiredRoles.some((r) => userRoles.includes(r))) {
    api.access.deny('wrong username or password');
  }
};

I’ve added a metadata field called “required_roles” (which contains the allowed roles) to all my applications, and the action checks that the user has one of these required roles. But I think api.access.deny() is not exactly what I want. Can I redirect the user to the login page and show error messages via the query parameter using api.access.deny()?

Awesome, thanks for sharing!

There’s no OOTB support for redirecting a user to Universal Login with the error message. As it stands, your application will need to handle what to do next with the error params/user returned to the callback. What I have seen in this scenario is a user being presented with some sort of error page (using the error params) and an option to click to bring up Universal Login once more, using loginWithRedirect({prompt: 'login'}) for example.
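As an added example (not code from the thread or from Auth0), this is the application-side handling the replies describe: parse the callback URL, treat error=access_denied as the outcome of api.access.deny, and return a decision the UI can act on, including the loginWithRedirect({prompt: 'login'}) retry. The parameter names error, error_description, code and state are the standard OAuth 2.0 authorization-response parameters; the callback URL below is a constructed sample, and the expected state value is assumed to have been stored by the app when it started the login.

```javascript
// Parse the query parameters Auth0 appends to the callback URL.
// Standard OAuth 2.0 response parameters; state is the value the app generated
// when it initiated the login and must be checked before anything else.
function parseCallbackParams(callbackUrl) {
  const p = new URL(callbackUrl).searchParams;
  return {
    error: p.get('error'),
    description: p.get('error_description'),
    state: p.get('state'),
    code: p.get('code'),
  };
}

// Returns an instruction for the UI layer instead of redirecting directly,
// so the decision can be exercised without a browser.
function decideNextStep(params, expectedState) {
  if (!expectedState || params.state !== expectedState) {
    // A missing or mismatched state means this response does not belong to a
    // login this app started; anyone can craft a callback URL, so ignore it.
    return { action: 'reject', message: 'Invalid state; ignoring response' };
  }
  if (params.error === 'access_denied') {
    return {
      action: 'show_error',
      // Show fixed wording rather than echoing error_description: the value
      // arrives in a URL anyone can construct, so never render it unescaped.
      message: 'Wrong username or password',
      // Options to pass to loginWithRedirect when the user retries.
      retry: { prompt: 'login' },
    };
  }
  if (params.error) {
    return {
      action: 'show_error',
      message: `Login failed (${params.error})`,
      retry: { prompt: 'login' },
    };
  }
  if (params.code) {
    // Normal path: hand the authorization code to the SDK / token endpoint.
    return { action: 'exchange_code', code: params.code };
  }
  return { action: 'reject', message: 'No code or error in callback' };
}

// Constructed sample: what the callback URL looks like after the action above
// calls api.access.deny('wrong username or password').
const SAMPLE_DENIED_CALLBACK =
  'https://app.example.com/callback?error=access_denied' +
  '&error_description=wrong%20username%20or%20password&state=abc123';

const decision = decideNextStep(parseCallbackParams(SAMPLE_DENIED_CALLBACK), 'abc123');
console.log(decision.action, '-', decision.message);
```

The state check comes first on purpose: a denied-login error page that skips it can be triggered by any link carrying error=access_denied, which is why the message shown is fixed text rather than the error_description from the URL.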