I’ve tried both on SaaS as well as our appliance:
Block a user
Try to log in with the correct password
Get a response telling the user he is blocked
Notice how the "last_login" field is updated on the user profile
I understand you might somehow consider “blocked” flags as “authorization” logic (not authentication) but it’s integral to Auth0 so the “last_login” field should not be updated in my opinion if a blocked user tries to log in.
Terribly sorry for such a delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes our bandwidth is just not enough for all the questions that are coming in. Sorry for the inconvenience!
Hi! I am a Product Manager on the User Management team.
I’d love the opportunity to chat with you on why and how you intentionally block users. I’m particularly interested in admin or your 3rd party system initiated blocks (separate from the auto blocks performed by Auth0’s Anomaly detection). We are considering some improvements that will enable you to better customize the blocked user workflow.
Let me know if you’re interested and we can set up a 30 min video chat :)
I ran into this issue recently. Employees who manage account provisioning were concerned that blocked accounts were still able to access the system. Took a while to determine that this was not the case. Certainly it’s unexpected that a failed login would be recorded as a login.
@konrad.sopala could you please let us know what is the issue for this behaviour? I got closed without giving any answer and it is opened again & it is like this for a long time.
We are also facing the same issue when we look at the last_login property of a blocked user, and from a support point of view, it is giving an assumption like this blocked property is not working and the user logged in.
This Auth0 behavior is very disappointing; our team recently went through the same confusion. I just recently submitted this ticket to their Support Center.