Hi @vacilando, welcome to the community!
There’s no way of stopping signup of social logins, because conceptually the signup does not happen at Auth0, but at the external identity provider. Under the same premise, an administrator can’t create a social login user at Auth0 directly.
What you might be after is, instead, some kind of authorization control. I.e. when you say “Authenticate with Google” the user will be able to do so (they already have their Google account!), but then you can say “O.K. John Doe, you are not allowed into this application”.
This authorization will involve checking some kind of identifier (most likely the email address) of the user that just logged in against a list of “approved users” (this can be in any database). This authorization policy can be in two different places:
-
At an Auth0 rule, where you can flat out deny authorization based on this condition. The application that requested the authentication will instead receive an error (that will need to present to the user somehow, explaining the situation).
function(user, context, callback) { // this function will need to be defined based on // based on your requirements. Can go to an external // web service or database. checkIfUserIsAllowed(user, function(err, isAllowed) { if(isAllowed) { // business as usual callback(null, user, context); } else { callback(new UnauthorizedError("The user is not allowed to log in."); } }); } -
Directly at the application, after receiving the authentication result from Auth0 (in this case, from the Auth0 perspective, it will look as a regular login).