I’m trying to incorporate authentication for my users to a generic OAuth2 provider (really a tenant-specific instance of Salesforce auth) and I’m running into a wrinkle I can’t figure out. We’re using the classic experience still.
- Provider has a marketplace and handles billing, access control, etc.
- We have our own existing login and are looking to incorporate this oauth2 in parallel
- User visits our site, clicks login, and classic experience loads the hosted login.
- When a provider user hits the "Login with… " button, everything works if access is enabled (user set up billing, etc)
- When a provider user tries to log in without marketplace access, the provider returns the below error as a 200 response in the callback.
{
"error": "access_denied",
"error_description": "user is not admin approved to access this app"
}
What happens in the access_denied scenario is they authenticate successfully with the generic oauth2 provider, the provider callback hits my auth0 callback, the classic experience closes, and the person is stuck looking at our landing page with no indication of why login failed. So they try again and get the same result.
What I expect to happen is that I can display something to the user for feedback. However, I don't see where/how I can catch the access_denied error in the callback -> callback -> close classic experience handling. Hooks, rules, actions, etc. aren't useful because they happen downstream of all this process.
I’m using a stock fetchUserProfileScript that is working fine, but even that only gets called if the generic oauth2 provider call follows the happy path.
How do you handle this??
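For readers landing here, this is how an application's own callback endpoint can make an OAuth2 error response visible before the user is dropped back on a landing page. It is an added example, not code from the original post or from Auth0 or Salesforce; parameter names follow RFC 6749 §4.1.2 and §4.1.2.1, and the message table, state values and URL are constructed for the example.

```javascript
// Added example: classify an OAuth2 authorization-server callback.
// Works on the redirect query string or on a JSON body that carries the
// same "error" / "error_description" fields as the post shows.

// User-facing text per standard error code (RFC 6749 §4.1.2.1).
// error_description is provider-controlled text: keep it for server
// logs and never echo it into a page unescaped.
const USER_MESSAGES = {
  access_denied: "Your account is not yet authorized for this application.",
  invalid_request: "The sign-in request was malformed. Please try again.",
  unauthorized_client: "This application is not allowed to sign you in.",
  unsupported_response_type: "The provider rejected the sign-in request.",
  invalid_scope: "The provider rejected the requested permissions.",
  server_error: "The identity provider reported an error. Please retry.",
  temporarily_unavailable: "The identity provider is temporarily unavailable.",
};
const GENERIC_MESSAGE = "Sign-in failed. Please try again.";

// Turn a redirect URL into a plain params object.
function paramsFromUrl(callbackUrl) {
  return Object.fromEntries(new URL(callbackUrl).searchParams.entries());
}

// params: object from the query string or JSON body.
// expectedState: anti-CSRF value stored in the user's session.
function classifyCallback(params, expectedState) {
  // Check state before trusting anything else, including error fields.
  if (!params.state || params.state !== expectedState) {
    return { outcome: "reject", reason: "state_mismatch" };
  }
  if (params.error) {
    // Surface a safe message to the user and the raw detail to the log.
    return {
      outcome: "error",
      code: params.error,
      userMessage: USER_MESSAGES[params.error] || GENERIC_MESSAGE,
      logDetail: String(params.error_description || ""),
    };
  }
  if (!params.code) {
    return { outcome: "reject", reason: "missing_code" };
  }
  return { outcome: "success", code: params.code };
}
```

In the access_denied case the endpoint would redirect to the login page with the userMessage shown, and write code plus logDetail to the server log so a stuck user can be correlated with the provider's reason.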