In my SPA I allow sign-in with both email/password and social.
I have implemented the possibility for a user to reset his/her password. I want to hide this functionality for the users that use social login. How can I do that?
One option could be to check if the user id/sub contains the string “auth0”. However, I am curious to know if there is a better alternative.
I believe you have it right and that the
user_id in the token’s
sub claim may be the best option for this use case. All user_ids will have a prefix with the connection strategy that the user logged in with, and for Auth0 database connection the prefix will be
auth0|. Here are some example user profiles from other connections showing some other possible prefixes: Sample User Profiles
I would prefer to move this responsibility to an action, as it better encapsulates internal authentication details from the client applications. It also avoids having to duplicate this logic in multiple clients.
The action can check the connection through which the user authenticated. Based on that info, it could add a custom claim indicating how the user authenticated (the values depend on what you want to keep track of) in either the ID token or the access token (or both). The client/API can then use this custom claim to enable/disable features.
Note that if you start relying on this information for authorization purposes, you must enforce these checks on the backend, not just the frontend.
Nice solution! If the logic for determining the user’s auth provider changes, you will have to update only the action and leave your application code untouched.