Thanks @dan.woda.
You have part-answered my implied question which is, ‘Does this mean that the user is effectively logged in’?
From your reply, my understanding is now that the user is effectively logged in.
When I tested the approach, I did not see any “successful login” in the Auth0 logs so that suggested that the user wasn’t successfully logged in. I think that was the case - even if I passed user as a second argument to callback(null, null, context) - though I would need to double-check that. The fact that they appeared in the users list made me think that this is indeed effectively a login - and you have now confirmed that.
As regards where I saw this recommended, I wouldn’t go as far as to say that it was recommended for a legacy login page use case - I just saw ’ keep a white-list of users and deny access based on email’ at Auth0 Rules and decided to investigate what ‘deny’ exactly meant. Now, I know the answer.
Regarding the technique, I saw it here - Redirecting on login failure - #6 by konrad.sopala - where the forum posted initially stated:
I want to redirect the user to another url if the login attempt is failed.
and
In case of login failure, it shows “Wrong email or password” in the Auth0 login dialogue itself. Instead of showing this message, I want to redirect the user to our custom page if login fails
(The redirect URL desired by the forum poster is not an alternative legacy login page of course.)
Ideally, from my use case’s perspective, the best solution would be if there is another type of connection in Auth0 - and using this connection type (let’s call it a Simple Redirect Connection) you could redirect based on a JS script or configuration. That would allow the user to be redirected to a legacy login page if they fitted certain criteria - similar to the “login” script in the custom database connection (but it would get rid of the password field as soon as the criteria were met). I guess nothing like this exists?