Handling login via social network - two questions

  1. In my action, I need to conditionalise some code based on whether the login attempt was via email/password OR social network.

Am I right in thinking that the event.user.identities.isSocial boolean property is the best fit here?

  1. If someone logs in with social network but, via my action, I deny the login (via deny()), is the user still created in Auth0?

Thank you.

Hi @kkrp1,

  1. I would recommend using event.connection.strategy instead of event.user.identities as identities is an array, and in the event of a user with linked accounts, this may pose a problem. It will look something like this in your action:
if (event.connection.strategy === "google-oauth2" || "apple" || "github") {
  api.access.deny("Social login not allowed.");
}

Please see all of the available event.connection.strategy values: [ad , adfs , amazon , apple , dropbox , bitbucket , aol , auth0-oidc , auth0 , baidu , bitly , box , custom , daccount , dwolla , email , evernote-sandbox , evernote , exact , facebook , fitbit , flickr , github , google-apps , google-oauth2 , instagram , ip , line , linkedin , miicard , oauth1 , oauth2 , office365 , oidc , okta , paypal , paypal-sandbox , pingfederate , planningcenter , renren , salesforce-community , salesforce-sandbox , salesforce , samlp , sharepoint , shopify , sms , soundcloud , thecity-sandbox , thecity , thirtysevensignals , twitter , untappd , vkontakte , waad , weibo , windowslive , wordpress , yahoo , yammer , yandex ]

  1. I did some testing with an action blocking google social connection logins and while I was denied access, a user was still created in Auth0.

Please let me know if you have any additional questions!

Best,

Mary Beth

1 Like

Thanks for this, that’s really helpful. What’s the string to check for Microsoft logins - would that be windowslive or office365?

Re: users being created who are denied access, what’s the best approach here? Since, with social-enabled Auth0 applications, anyone with a social media account can login (and be denied only by the action), this means I could end up with all sorts of users being created just because of chancers or hackers trying to get in.

1 Like

Hi @kkrp1,

To check for Microsoft social connection logins, please use windowslive.

I’d recommend creating an action as described above as it would block logins from those users with the affected connection.strategy. You could remove the users that get denied access but created in Auth0. Please see this doc on bulk deleting users: Bulk Update or Delete Users

Please let me know if you have any additional questions!

Best,

Mary Beth

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.