Handling login via social network - two questions

kkrp1 · November 11, 2024, 8:01pm

In my action, I need to conditionalise some code based on whether the login attempt was via email/password OR social network.

Am I right in thinking that the event.user.identities.isSocial boolean property is the best fit here?

If someone logs in with social network but, via my action, I deny the login (via deny()), is the user still created in Auth0?

Thank you.

marybeth.hunter · November 12, 2024, 11:12pm

I would recommend using event.connection.strategy instead of event.user.identities as identities is an array, and in the event of a user with linked accounts, this may pose a problem. It will look something like this in your action:

if (event.connection.strategy === "google-oauth2" || "apple" || "github") {
  api.access.deny("Social login not allowed.");
}

Please see all of the available event.connection.strategy values: [ad , adfs , amazon , apple , dropbox , bitbucket , aol , auth0-oidc , auth0 , baidu , bitly , box , custom , daccount , dwolla , email , evernote-sandbox , evernote , exact , facebook , fitbit , flickr , github , google-apps , google-oauth2 , instagram , ip , line , linkedin , miicard , oauth1 , oauth2 , office365 , oidc , okta , paypal , paypal-sandbox , pingfederate , planningcenter , renren , salesforce-community , salesforce-sandbox , salesforce , samlp , sharepoint , shopify , sms , soundcloud , thecity-sandbox , thecity , thirtysevensignals , twitter , untappd , vkontakte , waad , weibo , windowslive , wordpress , yahoo , yammer , yandex ]

I did some testing with an action blocking google social connection logins and while I was denied access, a user was still created in Auth0.

Please let me know if you have any additional questions!

Best,

Mary Beth

kkrp1 · November 13, 2024, 6:18pm

Thanks for this, that’s really helpful. What’s the string to check for Microsoft logins - would that be windowslive or office365?

Re: users being created who are denied access, what’s the best approach here? Since, with social-enabled Auth0 applications, anyone with a social media account can login (and be denied only by the action), this means I could end up with all sorts of users being created just because of chancers or hackers trying to get in.

marybeth.hunter · November 13, 2024, 6:34pm

Hi @kkrp1,

To check for Microsoft social connection logins, please use windowslive.

I’d recommend creating an action as described above as it would block logins from those users with the affected connection.strategy. You could remove the users that get denied access but created in Auth0. Please see this doc on bulk deleting users: Bulk Update or Delete Users

Please let me know if you have any additional questions!

Best,

Mary Beth

system · November 27, 2024, 6:34pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filtered Social Login Get Help google , facebook , custom-social-connec	6	5334	August 29, 2019
Is there a difference between login & signup for social? Get Help signup , social	14	21133	January 9, 2019
Disable Signup from Auth0 UI and enable social login Get Help auth0 , rules , login	5	8486	August 13, 2019
We are implementing custom login; if a user creates an account and then logins with a social account (and viceversa) how do we recognize its the same user? Get Help social-connections , linking	4	4050	March 2, 2018
How to change social connected users to email and password? Get Help lock , auth0 , social-connections , password , login	2	5399	December 27, 2018

Handling login via social network - two questions

Related topics