How to allow specific emails to login with auth0?

Hey :wave: , I just created a .NET API and followed the getting started guide. What I would like to add is allow specific people from my org to login with an specific email? Is that possible?

I have found this thread but the solution that gives the answer doesn’t show the email domain whitelist rule anymore: How can I only allow specific people to sign up

Cheers.

Hi there @maury welcome to the community!

This rule exists as a template if you navigate to Auth Pipeline → Rules → Create - You’ll see it under Access Control specifically. It looks like this:

function emailDomainWhitelist(user, context, callback) {
  // Access should only be granted to verified users.
  if (!user.email || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  const whitelist = ['example.com', 'example.org']; //authorized domains
  const userHasAccess = whitelist.some(function (domain) {
    const emailSplit = user.email.split('@');
    return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
  });

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  return callback(null, user, context);
}

Is that what you are looking for? Let us know!

Thank you @tyf !

What I’m trying to do is protect my API and don’t let anyone to request it, just certain people. Also, on the frontend side I would like to just use only email option to log in. Is that possible?

If so, what do you recommend me to achieve this?

Once again, thanks for taking your time to reply :smiley:

1 Like

No problem, happy to help where I can!

I’m not clear on whether you want anyone to be able to login, but then only a subset of users access an API, or only allow a subset of users to login/access the API. Typically, an application will use some sort of permissions for a subset of users to be able to access an API. Please see the following doc for a general outline of what this may look like:

When you say only email to login, are you referring to a passwordless solution or something else?

The more context you can provide about your use case the better!

First of all, Merry Christmas @tyf :christmas_tree::grinning:.

I’m not clear on whether you want anyone to be able to login, but then only a subset of users access an API, or only allow a subset of users to login/access the API. Typically, an application will use some sort of permissions for a subset of users to be able to access an API. Please see the following doc for a general outline of what this may look like:

Yeah, what I would like to do is only allow a subset of users to login/access the API. I’m creating a table with the specifics emails (i don’t know if its necessary at all, but I think so).

When you say only email to login, are you referring to a passwordless solution or something else?

I didn’t even know that exists!

The more context you can provide about your use case the better!

My bad, sry! :persevere:. I have an API in .NET and what I would like to do is protect the endpoints so that way specific people can fetch it. In the other hand (here its where it gets cloudly to me) I would like my front-app (here comes auth0, I think?) to have some auth(login option) when you enter it and the only access to pass through it is with a specific email (what I don’t really know is if I need to send some JWT through my back or not)

Sry if that doesn’t make sense.