Problem statement
My app requires that we differentiate between signup and login calls that go through the Universal Login screens. The main reason is the need to validate a click on the “accepting terms and policies” checkbox.
I am looking for a way to pass parameters from the Universal Login scripts to Auth0, through SSO calls, which will eventually reach Auth0 Rules/Actions where I can validate the request.
Solution
Firstly, let me preface that using the Universal Login Page to validate whether the user clicked on mustAcceptTerms is unreliable.
This is because, in scenarios where the user uses a Social Connection to log in (e.g. Google), there will be no distinction between a user signing up and logging in. As a result, a user can authenticate through a Social Connection by pressing either the "Sign up with Google" or the "Log in with Google" button, with no difference behind the scenes.
Given that, the recommended solution is to use a Redirect Rule that points to a custom consent page that asks the user to accept the terms and conditions. Please see our GDPR: Track Consent with Custom UI documentation to learn more.
However, before your Redirect Rule triggers, you must check if the user object satisfies a custom user_metadata value, such as user_metadata.consentGiven: true. This way, you can skip or continue the redirection depending on whether the user has previously accepted the terms and conditions.