Invalid_signup error returns instead of user_exists from authentication API

horike37 · August 14, 2019, 10:40am

I’m using Universal login feature.When a user try to signup with pre-existing mail address, invalid_signup error returns instead of user_exists from authentication API. because of this, correct error message is not shown in Universal login page(I expect to display like User already exists)

On the other hand, user_exists error is shown on dashboard logs at the same error.

I created fresh a new tenant and try it again, then I saw correct user_exists error in the same situation. Therefore, I think tenant setting or some code of rule and custom database script is wrong. But I don’t still find the root cause. Is there anyone who has any idea?

horike37 · August 15, 2019, 8:00am

Umm, weird behavior. I extracted the tenant setting which I ran into the problem and copied them to another tenant with auth0-deploy-cli. but the another one works as expected (I saw user_exists error)

duarte.garin1 · August 20, 2019, 7:07am

Hi,
Can someone tell me what this setting is?
I’m having the same problem and can’t figure it out
Thanks!

zulfiqar · August 20, 2019, 8:07am

Hello, we recently changed user_exits error to invalid_signup to improve security against a potential username enumeration attack.

The feature is “on” by default for new tenants so these would get a generic invalid_signup error. For existing tenants it’s an opt-in behaviour which can be enabled from tenant settings.

You can find the official notification here.

We highly recommend that you turn on this feature to close username enumeration threat.

horike37 · August 20, 2019, 9:50am

OK, I understand. thank you for the reply.

konrad.sopala · August 20, 2019, 10:20am

Let us know if you have any other questions regarding that

system · September 4, 2019, 10:20am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.