We have a weird scenario whereby it seems (there are other possible explanations) like onExecutePostLogin is being called multiple times.
We use this hook to call an endpoint in our app which sends a (home-brewed) 2FA SMS to the user. But for SOME (not all, which is worse) users they’re being sent lots and lots of 2FA messages.
There is no loop in my endpoint. So our current suspicion is that they’re stuck in a loop whereby onExecutePostLogin is somehow being called repeatedly as part of the same login flow.
Is this feasible as an explanation, or am I way off?
Apologies for the late reply. The onExecutePostLogin hook itself is almost certainly not running multiple times for a single login event. The onExecutePostLogin trigger is designed to run exactly once after a user successfully authenticates and before they are redirected back to your application.
Instead, likely, your application is accidentally triggering multiple, distinct login events in a rapid loop, and the hook is correctly executing once for each of those events.
The most common cause for the behavior you’re seeing is a redirect loop
If you have any further questions, please don’t hesitate to reach out.
Thank you. You were right. But this hook does seem to be called when Auth0 silently tries to fetch a new token, which is what was confusing me. I had assumed it was called only on a literal, manual login. These two things can be differentiated, it seems, via the evt.request.query?.prompt property, which is either “login” or “none”.