Domain Allowlist Does Not Reveal Allowed Domains to Anonymous Users

Overview

When domain allow-lists are used in Auth0 applications, there is a risk that the registration form reveals whether a specific email domain is allowed. This can compromise user privacy and the security of the system, and can even create legal problems under clients' privacy contracts.

Cause

When a registration attempt from a disallowed email domain fails with a domain-specific error, anyone who submits an email address to the registration form can learn whether that domain is on the allow-list, even without an account. The form therefore leaks the allow-list one domain at a time.

Solution

To address this issue, use a Pre-User Registration Action in Auth0. Combined with a generic error message, the Action prevents outsiders from learning which email domains are permitted, improving overall security.

Implementation:

Implement this solution by using the following code in a Pre-User Registration action:

exports.onExecutePreUserRegistration = async (event, api) => {
    // Example allow-list; replace with the domains permitted in your tenant
    const ALLOWED_DOMAINS = ['example.com'];

    // Take the domain part of the email address the user submitted
    const domain = (event.user.email || '').split('@').pop().toLowerCase();

    // If the domain is not authorized, deny registration with a generic message
    // so the response does not reveal whether the domain is on the allow-list
    if (!ALLOWED_DOMAINS.includes(domain)) {
        api.access.deny('Unauthorized access attempt', 'Invalid email or password');
    }
};

The error presented to the unauthorized end user is “Invalid email or password”, which reveals nothing about the allow-list. It can be changed to any other message that sounds generic and gives nothing away.
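To confirm that the Action behaves as described, the following added example (not Auth0's or this article's own code) runs a domain allow-list Action locally against a stubbed `event`/`api` pair and checks that every rejected address receives the same generic message. The allow-list contents and all email addresses are constructed for the demonstration.

```javascript
// Assumed allow-list for the demonstration; the real list lives in the tenant.
const ALLOWED_DOMAINS = ['example.com'];

// The Action under test: same shape as an Auth0 Pre-User Registration Action.
const onExecutePreUserRegistration = async (event, api) => {
  const domain = (event.user.email || '').split('@').pop().toLowerCase();
  if (!ALLOWED_DOMAINS.includes(domain)) {
    // Generic user-facing message; the detailed reason stays in tenant logs.
    api.access.deny('Unauthorized access attempt', 'Invalid email or password');
  }
};

// Minimal stand-in for the Actions `api` object that records deny() calls.
function makeApiStub() {
  const calls = [];
  return {
    calls,
    access: { deny: (reason, userMessage) => calls.push({ reason, userMessage }) },
  };
}

// Runs the Action for one constructed email and returns the user-visible
// message, or null when registration was allowed to proceed.
async function userMessageFor(email) {
  const api = makeApiStub();
  await onExecutePreUserRegistration({ user: { email } }, api);
  return api.calls.length ? api.calls[0].userMessage : null;
}

// Returns true when every email in the list is rejected AND all rejections
// carry one identical message, so the response reveals nothing about which
// domains are on the allow-list.
async function deniesIndistinguishably(emails) {
  const messages = await Promise.all(emails.map(userMessageFor));
  const rejected = messages.filter((m) => m !== null);
  return rejected.length === emails.length && new Set(rejected).size === 1;
}

(async () => {
  console.log(await userMessageFor('alice@example.com'));                // null
  console.log(await deniesIndistinguishably(['bob@other.org', 'eve@Evil.net', 'no-at-sign']));
})();
```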

If this solution is not enough and a more complex one is needed, modify the registration flow as follows:

  1. The end user provides the email address in the desired form.
  2. Take that email address and check whether it should be authorized to register on the application.
  3. If it passes the check, send a verification code to the email address to confirm that its owner made the request.
  4. Once verified, redirect the user to the registration form, which already has the domain allow-list Action in its flow.

This adds another layer of security to the registration flow.