Thanks for the quick reply @dan.woda. Much appreciated!
The problem with doing this from my application is that it would put the decision making in my application. Whereas it is more desirable to use the Universal Login page - and related Auth0 connections - as the source of auth decision making (as much as possible, of course).
I have taken a look at some other docs and forum posts. How about this solution…
-
Have a Auth0 Database connection, elect to “Use my own database” under the Custom Database settings, then add a Login script with something like the following pseudocode:
if USER_BELONGS_TO_SOME_LEGACY_DOMAIN { const deniedProfile = { user_id: some_generated_user_id // note: user_id is mandatory, even here email: email, reject_login_attempt: true // NB: This can be checked in a rule later }; callback(null, deniedProfile); } else { // Attempt to authenicate the user and build a valid profile and then... callback(null, profile); }
And then in an Auth0 rule do something like…
if (user.reject_login_attempt) {
context.redirect = {
url: "https://legacy_auth_server/old_login_page"
};
return callback(null, null, context); // It may make sense to pass user as the 2nd arg here instead of null
} else {
return callback(null, user, context);
}
Resources:
- The redirect idea in the context was noted here UnauthorizedError not returning error
- Here are the related docs on redirecting from within a rule https://auth0.com/docs/rules/redirect-users?_ga=2.13958007.1716788289.1610359780-530603537.1604326164
@dan.woda Does that seem reasonable? Are there some pitfalls with this approach? I notice that the user still appears in the list of users in Auth0 - is it possible to prevent this?
Kind regards,
Declan