Email Domain Whitelist with Google Login

I’m using the code here to whitelist emails at my company’s domain. It kind of works. If a user attempts to log in via google with an invalid domain, it kicks them back to the login screen. No error gets displayed though. In fact, the status code is even 200 and the user gets created in my application’s Users.

My expectation would be that the person trying to login gets a 401 and an error screen.

Is something missing from the documentation? Does another rule need to be created in tandem?

Hey there @daniel.breen!

It’s kinda strange. You should be getting an “Uuhh Ohh something went wrong screen” without any redirect to login page and also getting 200 response makes me think about it. Can you share the snippet of your rule here?

Thanks a lot will be easier for us to debug the situation!

Howdy @konrad.sopala.

Here’'s the code:

function (user, context, callback) {

  // Access should only be granted to verified users.
  if (! || !user.email_verified) {
    return callback(null, user, context);

  const whitelist = ['', '']; //authorized domains
  const userHasAccess = whitelist.some(
      function (domain) {
        const emailSplit ='@');
        return emailSplit[emailSplit.length - 1].toLowerCase() === domain;

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));

  return callback(null, user, context);

This is part of an Angular 6 app, if that helps.

Then it’s strange! Let me debug and discuss it internally so I can suggest some fix to that!

Thanks again @konrad.sopala

If it helps at all, I went ahead and applied the same rule to my staging environment:

You can repro there:

  1. Click Log in
  2. Click Log in with Google
  3. Select any google account (it’s restricted to and

Thanks a lot for providing the steps.

Reproducing the steps indeed I have the scenario you described - I got redirected to the login screen.

Daniel can you let me know one more thing, are you using our Angular quickstart code for that or have you made any medium/heavy changes to it? Wondering if that’s not coming from the app code side.

Hey there @daniel.breen!

Have you had a chance to see my last message? If the issue is still there please do DM me!

Hey. Just got a chance to look now. I did use the quickstart when I set this up. It looks like the quickstart boilerplate has changed since then though (It was about a year ago).

I’m hiding the data I pass into auth0.WebAuth in my sample below, but that part is all just like the quickstart except that I set scope: openid profile instead of scope: openid. I can’t remember why I did that at the time. I believe I added profile to solve a problem I was having.

import { Injectable } from '@angular/core';
import { Router } from '@angular/router';

import * as auth0 from 'auth0-js';
import { environment } from 'environments/environment';

export class AuthService {

  auth0 = new auth0.WebAuth(
    // Top secret ;)

  constructor(public router: Router) {

  public login(): void {

  public handleAuthentication(): void {
    this.auth0.parseHash((err, authResult) => {
      if (authResult && authResult.accessToken && authResult.idToken) {
        window.location.hash = '';
      } else if (err) {

  private setSession(authResult): void {
    // Set the time that the Access Token will expire at
    const expiresAt = JSON.stringify((authResult.expiresIn * 1000) + new Date().getTime());
    localStorage.setItem('access_token', authResult.accessToken);
    localStorage.setItem('id_token', authResult.idToken);
    localStorage.setItem('expires_at', expiresAt);

  public logout(): void {
    // Remove tokens and expiry time from localStorage
    // Go back to the home route

  public isAuthenticated(): boolean {
    // Check whether the current time is past the
    // Access Token's expiry time
    const expiresAt = JSON.parse(localStorage.getItem('expires_at'));
    return new Date().getTime() < expiresAt;


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.