We are testing whether we can implement single sign-on while restricting access to services based on each organization.
As an implementation method, we use the Actions feature to restrict access to services for each organization.
Therefore, could you tell me how to redirect to the error page specified in Tenant Settings when access is denied in Actions?
Currently, we have specified a custom error page in Tenant Settings, but when access is denied in Actions, the service provider’s error page is displayed instead.
Unfortunately, denying access using Actions will only show a warning on the password input field; it won’t send the user to another page. But you should have some suggestions in the post above.
After reviewing the article you shared, the following statement caught my attention:
Or the second option is to use the Post-Login Action to deny the user access and then redirect them to your custom-hosted page. This is the approach I would recommend for your use case.
I am already using a Post-Login Flow action to deny access.
However, while my action successfully redirects the user, it does not get recorded in the Monitoring Log.
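exports.onExecutePostLogin = async (event, api) => {
    // Only enforce the restriction for this organization
    if (event.organization && event.organization.id === "xxxxxxx") {
        let enable = false;
        if (event.organization.metadata) {
            // Metadata values hold the client IDs this organization may use
            let allowedapps = event.organization.metadata;
            enable = Object.values(allowedapps).includes(event.client.client_id);
        }
        if (!enable) {
            // Application not allowed: send the user to the external page
            api.redirect.sendUserTo("https://example.com");
        }
    }
};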
What I want to achieve is not only to deny access and perform the redirection but also to ensure that this event is logged in the Monitoring Log.
api.redirect suspends the code flow until the website redirects the user back to the authentication. Otherwise the code flow will not be resumed and the logging will never be triggered.
You can learn more about it here:
The best way to do it would be to use api.access.deny to send the user to the callback URL and in there you’ll need to process the error and redirect the user to the desired error page.
Hi team,
I am also trying to use the same scenario.
In my post-login action, if any error happens, I am trying to catch that error and redirect to a custom error page. However, I am always getting the “External Interaction Required.” message, and it is not properly redirecting to the custom error page.
// (the try block is not shown in the post)
catch (error) {
    redirecting = true;
    logger.error(`post-login-mfa-handler::error::Making the customer to logout and redirect to the proper error ${error}`, {error, correlationId});
    logger.error(`post-login-mfa-handler::error::event.client.name ${event.client.name}`, {correlationId});
    // Pick the logout callback for the calling application
    const redirectPlatform = event.client.name === "Website" ? event.secrets.WEBSITE_LOGOUT_CALLBACK : event.secrets.APPS_LOGOUT_CALLBACK;
    const redirectUrl = `https://${event.secrets.AUTH0_DOMAIN}/v2/logout?returnTo=${encodeURIComponent(redirectPlatform)}`;
    api.redirect.sendUserTo(redirectUrl);
    return;
} finally {
    logger.error("post-login-mfa-handler::error::Making the customer to logout and redirect:: Finally");
    if (!redirecting) {
        flushSplunkLogs();
        logger.info("Logs flushed successfully");
    }
}
As mentioned in this Knowledge Article, when an action is trying to redirect while in the middle of a silent authentication, this error will be thrown.
As stated above, the solution is to deny access, send the user to the callback URL and handle the error from there.
If you have any other questions feel free to ask us.
Just to be clear from my side, here is what we are doing.
From the post-login action (there are two sections: MFA and consent form), when we get any error and catch it,
we should not use api.redirect.sendUserTo(redirectUrl); but use api.access.deny, right? Please confirm.
And then it sends the user back to the application's allowed callback URL.
If needed, the frontend can handle the error and show an appropriate error message.
Is that the standard approach in these scenarios?
We have a custom error page under Tenant Settings → Error Pages, so when will we use that? Can we not send or redirect to this custom error page?
@vlad.murarasu Can you guys explain the whole process step by step, please? This is something that is not clear from the documentation, and I see that more and more guys have the same issue.
When you said “send the user to the callback URL and handle the error from there”, how can we send them after api.access.deny, and how can we send our error message on the callback route? Can you please explain this in detail? Thanks!!!
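The deny-then-handle flow recommended in the replies above, sketched as an added example that is not part of any post in this thread and is not Auth0's own code. It assumes the application receives the authorization response as query parameters, where a denied login arrives as error=access_denied with the api.access.deny reason in error_description; the reason code, the page paths and the handleCallback helper are hypothetical. It applies the check to every organization rather than the single ID in the original Action.

```javascript
// Auth0 side: Post-Login Action. Deny instead of redirecting so the login
// transaction ends and the application receives an error on its callback URL.
const onExecutePostLogin = async (event, api) => {
  const org = event.organization;
  if (!org) return;
  // As in the thread: organization metadata values hold the allowed client IDs.
  const allowed = Object.values(org.metadata || {});
  if (!allowed.includes(event.client.client_id)) {
    api.access.deny("app_not_allowed_for_org"); // constructed reason code
  }
};
// In the Actions editor this is exposed as exports.onExecutePostLogin.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Application side: decide what the callback route does with the response.
// Page paths and reason codes below are hypothetical.
const ERROR_PAGES = { app_not_allowed_for_org: "/errors/app-not-allowed" };
const DEFAULT_ERROR_PAGE = "/errors/login-failed";

function handleCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // Reject responses that do not belong to a login this session started.
  if (!expectedState || params.get("state") !== expectedState) {
    return { action: "redirect", location: DEFAULT_ERROR_PAGE };
  }
  if (!params.has("error")) {
    return { action: "exchange_code", code: params.get("code") };
  }
  // error_description carries the reason passed to api.access.deny. It is
  // attacker-reachable input, so map it through a fixed table and never
  // echo it into HTML or a Location header.
  const reason = params.get("error_description") || "";
  const known = Object.prototype.hasOwnProperty.call(ERROR_PAGES, reason);
  return { action: "redirect", location: known ? ERROR_PAGES[reason] : DEFAULT_ERROR_PAGE };
}
```

The callback route would call handleCallback with the full request URL and the state value stored for the session, then issue the redirect or continue with the code exchange.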