Domain restriction in combo with Social Connection

Please fill out the following to the best of your ability. Doing so will help out the troubleshooting process

  • What are you trying to achieve? What is the use case or idea behind it?

In my application, I have sign-in with Google since our company’s email provider is google. Though, I want to restrict the app to the domains ending with I have created a pre-registration hook and/or rule to specify allowed domains. Though, I am still able to log-in with Google using my personal email. Is there a way to implement such a logic?

  • If this is caused by an SDK please mention the SDK along with the specific version number.

  • Is this easily reproducible? If not, please explain.

Yes, as explained in the question

  • If this is related to Lock / any SDK please share the SDK as well as lock initialization code or any code that is relevant.

  • If this is an issue with an API please mention the endpoint you are trying to hit. Relevant code, and or a network trace, is really helpful when debugging such issues.

  • Environment-specific information (Which OS, Language Runtime + Version, Browser etc).

:wave: @mohamad.bitar

You say you created a pre-registration hook and/or rule to specify allowed domains, but which one did you try implementing?

You can implement this as a rule. We can use the email domain whitelist to accomplish this.

Code example here:

function (user, context, callback) {
    var whitelist = ['']; // authorized domains
    var userHasAccess = whitelist.some(
      function (domain) {
        var emailSplit ='@');
        return emailSplit[emailSplit.length - 1].toLowerCase() === domain;

    if (!userHasAccess) {
      return callback(new UnauthorizedError('Access denied.'));

    return callback(null, user, context);

Please let me know if this solves your problem! If not, can you share the code where you specify allowed domains? More than happy to work through it with you.

Thank you for replying, I have this rule already but with no effect. I also tried a pre-registration hook as the following:

@param {object} user - The user being created
@param {string} user.tenant - Auth0 tenant name
@param {string} user.username - user name
@param {string} user.password - user's password
@param {string} - email
@param {boolean} user.emailVerified - is e-mail verified?
@param {string} user.phoneNumber - phone number
@param {boolean} user.phoneNumberVerified - is phone number verified?
@param {object} context - Auth0 connection and other context info
@param {string} context.requestLanguage - language of the client agent
@param {object} context.connection - information about the Auth0 connection
@param {object} - connection id
@param {object} - connection name
@param {object} context.connection.tenant - connection tenant
@param {object} context.webtask - webtask context
@param {function} cb - function (error, response)
module.exports = function (user, context, cb) {
  var response = {};
  var domain ='';
  var okDomain = false;
  if ( > -1) {

  if ((user.emailVerified) || (!user.emailVerified && okDomain)) {
   response.user = user;
   return cb(null, response);  
  } else {
    const error = new Error("E-Mail-Address did not match requirements.");
    error.statusCode = 400;
    return cb(error);

Still, after choosing to login using google, it bypasses those rules/hooks and registers the new user ( still goes through). Am I doing something wrong or missing something?

@mohamad.bitar were you able to solve your issue for allowed domains? Please let me know if you still require assistance.