Hi,
The way OIDC works is by redirecting users to a page where they are authenticated, and in case there is an unexpected error in the authentication process, forward it to the callback URL so the application can handle it.
In the Auth0 server, rules are run after the user is authenticated, so it’s not possible for us to display errors in the login dialog itself (e.g. you could enter username/password, get prompted for MFA, and then get an error from a rule); those errors are therefore sent to the application.
That said, there are some specific scenarios like email validation that Auth0 could handle better. Instead of creating a rule for it, we could have a ‘require validated emails’ toggle that would prevent users with unvalidated emails from logging in, show a specific screen as part of the authentication flow telling you that the email is not validated, and give you the option of sending the email again. This is something we are discussing but haven’t prioritized yet.
We could also have a generic ‘error handling’ step in the flow that could display the message and send you back to the login page, but we’d prefer to better understand customer scenarios and see if we can provide a better experience. For example, if we did this for email verification, the end-user will not be able to get the email sent again.
If you have other concrete scenarios where you see this need we’d love to hear about them.
Thanks
Andres