invalid_signup error is returned instead of user_exists from the Authentication API

I’m using the Universal Login feature. When a user tries to sign up with a pre-existing mail address, an invalid_signup error is returned instead of user_exists from the Authentication API. Because of this, the correct error message is not shown on the Universal Login page (I expect it to display something like "User already exists").

On the other hand, a user_exists error is shown in the dashboard logs for the same error.

I created a fresh new tenant and tried it again, and then I saw the correct user_exists error in the same situation. Therefore, I think a tenant setting or some code in a rule and custom database script is wrong. But I still haven’t found the root cause. Does anyone have any idea?

1 Like

Umm, weird behavior. I extracted the tenant settings from the tenant where I ran into the problem and copied them to another tenant with auth0-deploy-cli, but the other one works as expected (I saw the user_exists error).

Hi,
Can someone tell me what this setting is?
I’m having the same problem and can’t figure it out.
Thanks!

Hello, we recently changed the user_exists error to invalid_signup to improve security against a potential username enumeration attack.

The feature is “on” by default for new tenants so these would get a generic invalid_signup error. For existing tenants it’s an opt-in behaviour which can be enabled from tenant settings.

You can find the official notification here.

We highly recommend that you turn on this feature to close the username enumeration threat.

2 Likes
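
The behaviour described in the reply above, sketched as an added example that is not Auth0's code and not part of the thread: a signup handler that sends the client the same generic `invalid_signup` code for every failure while keeping the specific reason, such as `user_exists`, in a server-side log. The function names, the in-memory user store, the password rule and the log format are all assumptions made for illustration.

```javascript
// Added illustration with hypothetical names; not Auth0's implementation.
const users = new Map([["alice@example.com", { id: 1 }]]); // constructed sample store
const serverLog = []; // stands in for server-side (dashboard) logs

// Internal step: knows the precise reason a signup failed.
function createUser(email, password) {
  if (typeof email !== "string" || !/^[^@\s]+@[^@\s]+$/.test(email)) {
    return { ok: false, reason: "invalid_email" };
  }
  if (typeof password !== "string" || password.length < 8) {
    return { ok: false, reason: "password_too_weak" };
  }
  const key = email.toLowerCase();
  if (users.has(key)) return { ok: false, reason: "user_exists" };
  users.set(key, { id: users.size + 1 });
  return { ok: true };
}

// Public handler. genericErrors=true models the opt-in behaviour from the reply:
// every failure reaches the client as invalid_signup; the real reason is only logged.
function signupHandler(email, password, { genericErrors = true } = {}) {
  const result = createUser(email, password);
  if (result.ok) return { status: 200, body: { email } };
  serverLog.push({ event: "signup_failed", email, reason: result.reason });
  return { status: 400, body: { code: genericErrors ? "invalid_signup" : result.reason } };
}

// Error codes a client sees for two failing signups: one for a registered
// address, one for an unregistered address with a too-short password.
function clientVisibleCodes(genericErrors) {
  return [
    signupHandler("alice@example.com", "correct-horse-1", { genericErrors }),
    signupHandler("nobody@example.com", "short", { genericErrors }),
  ].map((res) => res.body.code);
}

console.log("specific errors:", clientVisibleCodes(false));
console.log("generic errors: ", clientVisibleCodes(true));
console.log("server log reasons:", serverLog.map((e) => e.reason));
```

A successful signup still returns 200 in this sketch, so the generic code removes the explicit `user_exists` signal from the error body rather than every observable difference between the two cases.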

OK, I understand. Thank you for the reply.

Let us know if you have any other questions regarding that.
