Logout or terminate auth0 session from a Rule

Hello,

For an application using google as provider
I used a rule to perform some checks on email so I can fail access to my app for some emails.

return callback(new UnauthorizedError('Your email is not authorized'));

When a user is attempting to use a valid Google email that is considered not valid in my rule, they cannot access my app, which is what I want.
But then, until the Auth0 session expires, they are always considered as authenticated with the invalid email, so they cannot use another email until the Auth0 session expires.

I would prefer if possible to be able to logout the user from the rule, so he would be able to change email. Is it possible ?
I found no samples nor information related to the ability to log out a user or terminate the Auth0 session from a rule.

Thanks for your help

4 Likes

Hello @arnaud.mergey,

You can clear the Auth0 session by redirecting the user from within the rule to your tenant logout URL. Note that this will not log them out of Google (usually we don’t want that anyway) so if they come back and “Log in with Google” using the same Google account, they will end up in the same place.

Hello @markd
thanks for the reply, redirect is working, but without stopping rule pipeline meaning

context.redirect = {
  url: "https://domain/v2/logout"
};
return callback(new UnauthorizedError('Your email is not authorized'), user, context);

is not redirecting to logout, so I need to use return callback(null, user, context); instead.
I cannot stop rules processing when an error is detected and still be able to log out.

Correct me if I am wrong: are you ending up on a blank white page with the “Your email is not authorized” error in the URL? If so, maybe try replacing the return line to:

return callback(null, user, context);

Or maybe a hook would be a better fit for your use case?

return callback(null, user, context);

As I explained, it is what I did, but in this case all rules are executed, which is not really an issue; however, as a best practice it is recommended to return an error in the callback to stop the rule pipeline when we know it will fail,
like explained here Action Coding Guidelines

hook is unfortunately not an option because I use github to deploy rules and it is not supported for hook (as I know)

1 Like

Hi, sorry to jump into your thread - but just adding a me too - I was about to post an identical question!

We have a set of social logins white listed in a rule - else we throw an UnauthorizedError(). But if the user picks the wrong social login - they get rejected fine… but they never get a chance to pick a new social login as the session keeps remembering their bad choice and trying to silently login with that.

(with all the same caveats that yes I could use context.redirect but prefer to abort early - as the intention is that the user doesn’t log in!)

Hi @andrewpatto,

By the time rules start to execute, the user is already logged in (session established). I’m not sure there is a way to do what you are trying to do, unless you can build that logic into Universal Login or roll your own login solution. The only point at which you can know the user’s login name (email address or username) but not be logged in is while the user is entering their details in Universal Login. Rules don’t handle pre-login events. I might be wrong on this. Someone else here may have some ideas.

That is correct. Also, as mentioned above, rules are executed upon successful login.

Did you ever find a solution @arnaud.mergey? I’m having the same problem :frowning:

I used the redirect suggested solution

context.redirect = {
  url: "https://domain/v2/logout"
};
return callback(null, user, context);

With the limitation of breaking auth0 recommendation Action Coding Guidelines as following is not working for redirect:

return callback(new UnauthorizedError('Your email is not authorized'), user, context);

I did not find the ideal solution: stopping the rule pipeline as soon as the error is detected and ending the session after an error

3 Likes

Thank you, this code was very helpful.

context.redirect = {
  url: "https://domain/v2/logout"
};
return callback(null, user, context);

However, the above code will display “OK” on the browser and will not return to the application.

So I solved it by adding the returnTo and client_id parameters.

context.redirect = {
  url: "https://domain/v2/logout?returnTo=http%3A%2F%2Flocalhost%3A4200&client_id=XXXXXXXXXX"
};
return callback(null, user, context);

I hope this will be useful to you.

5 Likes

Thanks for sharing that with the rest of community!

1 Like
