How to show custom error messages in password reset post-challenge trigger?

I’ve implemented a password reset post-challenge action that validates email domains before sending reset emails. The action works (logs show api.access.deny() is called and emails aren’t sent), but users still see the generic “Check Your Email” message instead of my custom error.


const ALLOWED_DOMAINS = ['exampleco.com'] // placeholder: the actual whitelist is not shown in the post

// Helper used by the snippet but not posted; exact, case-insensitive domain match
const isValidDomain = (email) => {
  const domain = (email || '').split('@').pop().toLowerCase()
  return ALLOWED_DOMAINS.includes(domain)
}

exports.onExecutePostChallenge = async (event, api) => {
  const email = event.user?.email

  // Validate email domain against whitelist
  if (!isValidDomain(email)) {
    return api.access.deny('unauthorized', 'Your email domain is not authorized.')
  }
}

The user sees “Check Your Email” even when deny is called, but the error message should be displayed.

Is there a way to show custom error messages in password reset flows like we can with api.prompt.render() in login flows? Or is this prevented by user enumeration protection?

Thanks,

Gowtham

Hi @Gowtham

Welcome to the Auth0 Community!

In order to display a custom error whenever a user is denied access, you will need to either customize the specific screen under Universal Login → Branding → Edit text and translations to display the proper text for denial, OR redirect the user to a custom error page using api.redirect.sendUserTo("https://my-app.exampleco.com/password_reset_denied");.

Please keep in mind that you cannot use both api.access.deny and api.redirect.sendUserTo since the first one in execution order will take priority.

api.access.deny is mainly used to log the specific message inside the Auth0 Logs, or to have the message displayed in the callback URL (in the case of PostLogin Actions which deny access).

If you have any other questions, let me know!

Kind Regards,
Nik
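As an added illustration of the approach in the reply above (not code from the thread or from Auth0): a domain allowlist check that redirects to a custom error page instead of calling api.access.deny, since deny only produces a log entry while the user still sees the generic screen. The allowlist, the error page URL and the recording mock api are assumptions; whether the redirect can interrupt the challenge screen at all is the open question in the later replies.

```javascript
// Added example, not the poster's or Auth0's code. ALLOWED_DOMAINS and
// ERROR_PAGE are placeholder values; "simulate" is an offline stand-in
// for the Actions api object so the handler can be exercised locally.
const ALLOWED_DOMAINS = ["exampleco.com", "partner.example"];
const ERROR_PAGE = "https://my-app.exampleco.com/password_reset_denied";

// Extract the domain part of an address; returns null for malformed input
// so a missing or odd email is treated as "not allowed" rather than crashing.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).trim().toLowerCase();
}

// Exact, case-insensitive match against the allowlist. Deliberately not a
// suffix check: endsWith("exampleco.com") would also accept "exampleco.com.test".
function isAllowedDomain(email, allowlist = ALLOWED_DOMAINS) {
  const domain = emailDomain(email);
  return domain !== null && allowlist.includes(domain);
}

// Pure decision step: what the Action should do for this event.
function decide(event, allowlist = ALLOWED_DOMAINS) {
  const email = event.user && event.user.email;
  return isAllowedDomain(email, allowlist)
    ? { action: "continue" }
    : { action: "redirect", url: ERROR_PAGE };
}

// In a real Action this is exported as exports.onExecutePostChallenge.
// Only api.redirect.sendUserTo is used, never api.access.deny as well,
// because whichever is called first takes priority. There is no await
// inside, so a mock api records the call synchronously.
async function onExecutePostChallenge(event, api) {
  const d = decide(event);
  if (d.action === "redirect") api.redirect.sendUserTo(d.url);
}

// Offline harness: returns the api calls the handler made for this event.
function simulate(event) {
  const calls = [];
  const api = {
    access: { deny: (reason, msg) => calls.push(["deny", reason, msg]) },
    redirect: { sendUserTo: (url) => calls.push(["redirect", url]) },
  };
  onExecutePostChallenge(event, api); // no await in the handler; calls are recorded before return
  return calls;
}
```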

Hi Nik,

Thank you for the detailed information provided.

To clarify our current implementation: we’re using the Auth0 Universal Login forgot password flow, where all password reset processes occur within Auth0. We have configured two triggers for this flow:

- password-reset-post-challenge - Triggered when a user initiates the password reset process (after entering their email)
- post-change-password-trigger - Triggered after a user successfully updates their password

Our requirement is to validate whether the user’s email domain is whitelisted in our Auth0 organizations before allowing the password reset to proceed. If the domain is not whitelisted, we need to show a custom error message and prevent the reset email from being sent.

Based on your previous response, I understand that the Password Reset Post-Challenge trigger will always display the “Check Your Email” message due to anti-enumeration security measures, regardless of any custom logic we implement.

Given this limitation, I have two questions:

Is there a hook or event available where I can intercept the flow when the system determines a user doesn’t exist (or doesn’t meet our validation criteria), allowing me to execute custom validation logic and display appropriate error messages?

Can we create a custom form within Auth0 specifically for the forgot password flow that would allow us to validate the email domain before initiating the password reset process?

If neither of these options is available, we understand we’ll need to implement a custom password reset UI outside of Auth0’s Universal Login, as you suggested.

Thank you for your assistance.

Best regards,
Gowtham

Hi again!

Is there a hook or event available where I can intercept the flow when the system determines a user doesn’t exist (or doesn’t meet our validation criteria), allowing me to execute custom validation logic and display appropriate error messages?

At this time, there are no hooks to intercept the Universal Login flow between specific screens. As you have mentioned, this would require specific triggers that would execute between the specific screens. Basically, the flow will not be able to be interrupted and regardless of their validation status, they will be sent a verification email. Only once the verification link is clicked can the validation take effect via the mentioned trigger and redirect the user to a custom error page.

Can we create a custom form within Auth0 specifically for the forgot password flow that would allow us to validate the email domain before initiating the password reset process?

No, any custom forms can only be rendered during a PostLogin Action trigger and they are not available on any other triggers unfortunately.

This, however, might be possible with ACUL in order to render custom prompts and HTML logic where you will be able to perform the checks before the user is sent the email. I cannot guarantee that this workaround will work but it is worth a try.

I would recommend submitting product feedback suggesting the implementation of other triggers which would take effect during specific screens, or being able to render forms outside of the PostLogin Action trigger.

In conclusion, this would indeed require a custom password reset UI.

Hope the information above was helpful enough!

Kind Regards,
Nik
