Login Access Denied based on IP Address Redirect back to login Screen

Trying to figure out how to prevent a redirect loop when the user’s login is successful but the IP address is not allowed access to the application. We have the IP address validation done in our flow but instead of moving back to the login screen it is stuck in a loop.

Hi @nana.zimmer,

Welcome to the Auth0 Community!

After my investigation, I found that your Redirect Action did not resume authentication, which is why you have observed a login loop.

To resume the authentication flow, you will have to send the user to the /continue endpoint and make sure that your action script calls the onContinuePostLogin function for the redirect to work properly.

I recommend reading our Redirect with Actions documentation for a detailed explanation.

I hope this helps!

Please let me know if you have any questions about this.

Thanks,
Rueben

Hi @rueben.tiow

So I’ve been trying to move away from redirecting the user but actually denying the user access instead of allowing the login process to finish and redirect happen.

Any suggestion as to how to prevent a redirect when a user’s IP address isn’t allowed?

thanks

This is the screen I'm trying to show.

When we try the settings for the page through the Auth0 dashboard we get this:

Code

  const currentIp = event.request.ip

  //get the whitelisted IPs from the list defined above
  var allowedIpForUserFinOrg = allowedIpList[event.user.app_metadata.org_id]

  //if the whitelist isn't null and the incoming ip is not in the whitelist deny them.
  if(allowedIpForUserFinOrg != null && !allowedIpForUserFinOrg.find(e => e === currentIp)) {
    api.access.deny("Access is only allowed from inside your work network");
  }

Hi @nana.zimmer,

Thank you for your response.

After reviewing your code snippet, everything looks correct. I will make one comment that you initialized the constant const currentIp = event.request.ip but it was never used.

Now, you should be able to deny the user access by calling api.access.deny() function. The api.access.deny() function will force the login flow to stop immediately and no further Actions will be executed. Reference: Actions Triggers: post-login - API Object

Does that help?

Thanks,
Rueben

@rueben.tiow

Even by setting the api.access.deny() we are still getting stuck in a redirect loop of doom. It doesn't stop the post-login flow. What would be the appropriate route here?

exports.onExecutePostLogin = async (event, api) => {

  // define whitelist per org, if one isn't defined they are all good
  // array is defined as { orgID: [allowedIP1, allowedIP2.... allowedIPX]}
  const allowedIpList = {
    2: ["xx.xxx.xx.x"],
    //add more here
  }

  const currentIp = event.request.ip

  //get the whitelisted IPs from the list defined above
  var allowedIpForUserFinOrg = allowedIpList[event.user.app_metadata.org_id]

  //if the whitelist isn't null and the incoming ip is not in the whitelist deny them.
  if(allowedIpForUserFinOrg != null && allowedIpForUserFinOrg.includes(currentIp)) {
    api.access.deny("Access is only allowed from inside your work network");
  }

};

Hi @nana.zimmer,

Thank you for your reply.

I’m sorry to hear that you’re stuck in a redirect loop of doom.

After reviewing your latest code snippet, I do not see any code making a redirect call. I have checked your Action script as well and can confirm that nothing is contributing to a redirect.

Are you able to confirm you are in a redirect loop? If so, could you please capture these events in a HAR file and DM it to me to investigate further?

Besides that, I noticed that your if-condition in your code is not denying IP addresses that are not in the whitelist. Instead, I believe you mean to do this:

if(allowedIpForUserFinOrg != null && !allowedIpForUserFinOrg.includes(currentIp)) {
  api.access.deny("Access is only allowed from inside your work network");    
}

I hope this helps!

Please let me know about your findings.

Thanks,
Rueben
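A complete version of the per-org allowlist Action with the negation in place, added here as an example; it is not code from the thread or from Auth0, and the org ids, IP addresses and the `runAction` stand-in for the Actions runtime are constructed placeholders. It goes slightly beyond the thread's exact string comparison by normalizing IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`), which an exact `includes()` would otherwise miss.

```javascript
// Added example (not from the thread): post-login Action that denies logins
// from IPs outside a per-organization allowlist. Orgs with no entry are
// unrestricted, matching the thread's "if one isn't defined they are all good".
const allowedIpList = {
  2: ["203.0.113.10", "203.0.113.11"], // constructed documentation-range IPs
  7: ["198.51.100.5"],
};

// Strip the IPv4-mapped IPv6 prefix so "::ffff:203.0.113.10" equals "203.0.113.10".
function normalizeIp(ip) {
  if (typeof ip !== "string") return "";
  const s = ip.trim().toLowerCase();
  const m = s.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return m ? m[1] : s;
}

// Pure decision: true when the login may proceed. orgId may be undefined
// when the user has no app_metadata.org_id; such users are unrestricted.
function isIpAllowed(list, orgId, ip) {
  const allowed = orgId === undefined ? undefined : list[orgId];
  if (!Array.isArray(allowed) || allowed.length === 0) return true;
  const current = normalizeIp(ip);
  return allowed.some((a) => normalizeIp(a) === current);
}

async function onExecutePostLogin(event, api) {
  const meta = event.user.app_metadata || {};
  // The "!" is the fix discussed in the thread: deny when NOT in the allowlist.
  if (!isIpAllowed(allowedIpList, meta.org_id, event.request.ip)) {
    api.access.deny("Access is only allowed from inside your work network");
  }
}
// Entry point name used by the Auth0 Actions runtime (guarded for ESM loaders).
if (typeof exports === "object") exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the runtime: builds an event/api pair and records
// deny() calls. The Action awaits nothing, so deny() runs before this returns.
function runAction(ip, orgId) {
  const calls = [];
  const event = {
    request: { ip },
    user: { app_metadata: orgId === undefined ? {} : { org_id: orgId } },
  };
  const api = { access: { deny: (reason) => calls.push(reason) } };
  onExecutePostLogin(event, api);
  return { denied: calls.length > 0, reason: calls[0] };
}
```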

@rueben.tiow

So I wanted to show you what I get from the flow when I try it/run it on the Action flow side.

Shouldn't it be outputting an error? Instead it just gives me a command.

Hi @nana.zimmer,

You are missing a negation as mentioned earlier:

if(allowedIpForUserFinOrg != null && !allowedIpForUserFinOrg.includes(currentIp)) {
  api.access.deny("Access is only allowed from inside your work network");    
}

Please let me know how this goes.

Thanks,
Rueben

Sorry, the comments that my predecessor added are wrong, any IP address in the whitelist should be denied.

Here's the HAR file attached.
localhost.har (1.7 MB)


Hi @nana.zimmer,

Thank you for the update.

After investigating the HAR file carefully, I noticed that after being denied access from the Action, you are initiating the login flow again before logging out. This is consistent with my findings with the first call made to /authorize, which immediately redirects to the Callback URL with the error message. At this point, if you press the Login button again while the session is alive, it will hit the /authorize endpoint and return the same error again without prompting for credentials.

In this situation, I recommend logging out before trying to log in again. The quickest way is to call the logout endpoint. Enter the following in your browser: https://superiorira-dev.us.auth0.com/v2/logout.

Then retry the login flow; it should prompt you for credentials again.

Please let me know how this goes.

Thanks,
Rueben

Hi @rueben.tiow
So we don't have a logout URL. It looks like when you redirect to logout you get an OK on the screen, but if you redirect to the login screen you get the error page.

Is there a way to show a different message on the generic error screen?

Hi @nana.zimmer,

Thank you for the reply.

I am going to move our conversation to DM’s so we can perform a deeper investigation without exposing too much about your tenant’s sensitive data on this thread.

Thanks,
Rueben
