Handling login via social network - two questions

  1. In my action, I need to conditionalise some code based on whether the login attempt was via email/password OR social network.

Am I right in thinking that the event.user.identities.isSocial boolean property is the best fit here?

  2. If someone logs in with social network but, via my action, I deny the login (via deny()), is the user still created in Auth0?

Thank you.

Hi @kkrp1,

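  1. I would recommend using event.connection.strategy instead of event.user.identities, as identities is an array, and in the event of a user with linked accounts, this may pose a problem. It will look something like this in your action:

```js
// Compare the strategy against each value explicitly; a bare
// `=== "a" || "b"` is always truthy and would deny every login.
const socialStrategies = ["google-oauth2", "apple", "github"];
if (socialStrategies.includes(event.connection.strategy)) {
  api.access.deny("Social login not allowed.");
}
```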

Please see all of the available event.connection.strategy values: [ad, adfs, amazon, apple, dropbox, bitbucket, aol, auth0-oidc, auth0, baidu, bitly, box, custom, daccount, dwolla, email, evernote-sandbox, evernote, exact, facebook, fitbit, flickr, github, google-apps, google-oauth2, instagram, ip, line, linkedin, miicard, oauth1, oauth2, office365, oidc, okta, paypal, paypal-sandbox, pingfederate, planningcenter, renren, salesforce-community, salesforce-sandbox, salesforce, samlp, sharepoint, shopify, sms, soundcloud, thecity-sandbox, thecity, thirtysevensignals, twitter, untappd, vkontakte, waad, weibo, windowslive, wordpress, yahoo, yammer, yandex]

  2. I did some testing with an action blocking Google social connection logins, and while I was denied access, a user was still created in Auth0.

Please let me know if you have any additional questions!

Best,

Mary Beth


Thanks for this, that’s really helpful. What’s the string to check for Microsoft logins - would that be windowslive or office365?

Re: users being created who are denied access, what’s the best approach here? Since, with social-enabled Auth0 applications, anyone with a social media account can log in (and be denied only by the action), this means I could end up with all sorts of users being created just because of chancers or hackers trying to get in.


Hi @kkrp1,

To check for Microsoft social connection logins, please use windowslive.

I’d recommend creating an action as described above, as it would block logins from those users with the affected connection.strategy. You could remove the users that get denied access but are created in Auth0. Please see this doc on bulk deleting users: Bulk Update or Delete Users

Please let me know if you have any additional questions!

Best,

Mary Beth
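
An added example, not from the thread or from Auth0's own code, showing why the check belongs on event.connection.strategy rather than on the identities array: a user with linked accounts who logs in with email/password still carries a social identity. The helper names (denyReason, anyIdentityIsSocial), the strategy set and the sample events are assumptions constructed for illustration.

```javascript
// Strategies treated as social here (assumption; match your tenant's connections).
const SOCIAL_STRATEGIES = new Set(["google-oauth2", "apple", "github", "windowslive"]);

// Returns a denial reason, or null to allow. Looks only at the connection
// used for THIS login, not at the identities linked to the user.
function denyReason(event) {
  return SOCIAL_STRATEGIES.has(event.connection.strategy)
    ? "Social login not allowed."
    : null;
}

// Contrast (hypothetical helper): a check on the identities array. It is true
// for a linked account even when the login itself was email/password.
function anyIdentityIsSocial(event) {
  return (event.user.identities || []).some((id) => id.isSocial === true);
}

// Handler shape for a post-login Action; in Auth0, assign it to
// exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const reason = denyReason(event);
  if (reason) api.access.deny(reason);
}

// Constructed sample events, not real tenant data.
const linkedUserPasswordLogin = {
  connection: { strategy: "auth0" }, // database (email/password) connection
  user: {
    identities: [
      { provider: "auth0", isSocial: false },
      { provider: "google-oauth2", isSocial: true }, // linked social identity
    ],
  },
};
const microsoftLogin = {
  connection: { strategy: "windowslive" },
  user: { identities: [{ provider: "windowslive", isSocial: true }] },
};

console.log(denyReason(linkedUserPasswordLogin), anyIdentityIsSocial(linkedUserPasswordLogin));
console.log(denyReason(microsoftLogin));
```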
