Logout via onExecutePostLogin action

Hello, I only want to allow logins from verified users - I currently achieve that by denying login in onExecutePostLogin - however I would like to log the users out instead and give them an opportunity to verify their email and then log back in - thus I would like to redirect them to the /oidc/logout endpoint - but I’m unable to correctly construct the id_token_hint that I must pass as a parameter to the logout endpoint - how do I construct that from the (event, api) parameters passed into onExecutePostLogin?

exports.onExecutePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    // *logout* unverified user rather than deny them via api.access.deny(..) - this way they
  }
};

Thanks a lot for your help!!


Hey there @torefindsen welcome to the community!

The ID token isn’t available via the event or api objects from an Action - Tokens will only be returned after the Action code executes.

Hope this helps to clarify!

Hi @tyf - thanks a lot for your reply - but does this mean I cannot log the user out in the PostLogin action? What are my options then for creating a somewhat intuitive workflow for a user that signs up? Until they have verified their email they will be ‘logged in’ but denied by my post-login action?

Br
Tore

Hey @torefindsen sorry for the delayed response here - You won’t be able to log a user out from within a post login action as the user hasn’t successfully logged in until the action is complete.

This is the standard way to approach requiring users to verify their email prior to logging in:

Users won’t be able to fully log in to your app until they’ve successfully verified their email.

Hope this helps!

Hey @tyf

We are experiencing the same issue as mentioned in this ticket. And we deny access to the application. But by denying access we only deny access to the application; the user stays logged in to Auth0.

And because we did not log the user in to the application, the user cannot log out to switch the account in Auth0 and is unable to log in with a different email address.

Is there a way to log the user out of Auth0 as well when denying access to the application?

Kind regards
Arne


I’d also be interested in knowing whether there is a way to log a user out of Auth0 while also denying access.


Correct me if I am wrong here @tyf, but would they be able to redirect users to the tenant’s logout endpoint via the Post-Login Action’s api.redirect.sendUserTo function?

i.e.

exports.onExecutePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    api.redirect.sendUserTo('https://TENANT_DOMAIN/v2/logout', {
      query: { returnTo: 'WHITELISTED_LOGOUT_URL' }
    });
  }
};

The WHITELISTED_LOGOUT_URL can be a custom error page they’ve set up to notify the user that they must verify their email address before logging in.

Although I understand that this won’t work for post-login flows initiated with prompt=none as noted in: Redirect with Actions

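As an added example (not code from the thread, and not Auth0's own code), the redirect approach above worked into a complete Post-Login Action: unverified users are sent to the tenant's /v2/logout endpoint so their Auth0 session is actually cleared, while flows in which an Action cannot redirect (prompt=none silent auth and token-based flows) fall back to api.access.deny. The policy is a plain function so it can be run here against constructed sample events and a stub api object. TENANT_DOMAIN, VERIFY_NOTICE_URL, CLIENT_ID and the list of non-redirectable protocols are placeholders and assumptions; the returnTo URL must appear in the application's Allowed Logout URLs, since client_id is sent with the logout request.

```javascript
// Added example (not from the original thread): Post-Login Action that logs an
// unverified user out of Auth0 instead of only denying the application.
// Placeholders: TENANT_DOMAIN, VERIFY_NOTICE_URL, CLIENT_ID in sample events.
const TENANT_DOMAIN = 'TENANT_DOMAIN'; // placeholder, e.g. your-tenant.us.auth0.com
const VERIFY_NOTICE_URL = 'https://app.example/verify-email'; // placeholder; must be an Allowed Logout URL

// Flows with no interactive user agent to redirect. Assumed set, derived from
// the documented Actions redirect limitations; adjust to what your tenant
// actually reports in event.transaction.protocol.
const NON_REDIRECTABLE_PROTOCOLS = new Set([
  'oauth2-refresh-token',
  'oauth2-password',
  'oauth2-resource-owner',
  'oauth2-resource-owner-jwt-bearer',
  'oauth2-token-exchange',
]);

// Pure policy: decides what the Action should do for this event. Kept separate
// from the handler so it can be exercised without a tenant.
function decideUnverifiedHandling(event) {
  if (event.user && event.user.email_verified) {
    return { action: 'allow' };
  }
  const query = (event.request && event.request.query) || {};
  const protocol = event.transaction && event.transaction.protocol;
  // prompt=none and token-based flows cannot follow a redirect, so denying is
  // the only option there; note the Auth0 session is left intact in that case.
  if (query.prompt === 'none' || NON_REDIRECTABLE_PROTOCOLS.has(protocol)) {
    return { action: 'deny', reason: 'Please verify your email address before logging in.' };
  }
  const redirectQuery = { returnTo: VERIFY_NOTICE_URL };
  // With client_id present, returnTo is checked against the application's
  // Allowed Logout URLs instead of the tenant-level list.
  if (event.client && event.client.client_id) {
    redirectQuery.client_id = event.client.client_id;
  }
  return { action: 'redirect', url: `https://${TENANT_DOMAIN}/v2/logout`, query: redirectQuery };
}

// Action entry point in the shape the Actions runtime expects.
const onExecutePostLogin = async (event, api) => {
  const decision = decideUnverifiedHandling(event);
  if (decision.action === 'deny') {
    api.access.deny(decision.reason);
  } else if (decision.action === 'redirect') {
    // /v2/logout clears the Auth0 session cookie and then sends the browser to
    // returnTo, so the user can verify their email and start a fresh login.
    api.redirect.sendUserTo(decision.url, { query: decision.query });
  }
};
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed sample events mirroring the fields of the real event object.
function sampleEvent({ verified, prompt, protocol }) {
  return {
    user: { email: 'user@example.com', email_verified: verified },
    client: { client_id: 'CLIENT_ID' }, // placeholder
    request: { query: prompt ? { prompt } : {} },
    transaction: { protocol },
  };
}

// Runs the handler against a recording stub of the api object and returns the
// calls it made. The handler awaits nothing, so its body completes synchronously.
function runWithStubApi(event) {
  const calls = [];
  const api = {
    access: { deny: (reason) => calls.push({ method: 'deny', reason }) },
    redirect: { sendUserTo: (url, opts) => calls.push({ method: 'redirect', url, query: opts.query }) },
  };
  onExecutePostLogin(event, api);
  return calls;
}

// Stand-alone demo of the three outcomes.
if (typeof require !== 'undefined' && require.main === module) {
  for (const e of [
    sampleEvent({ verified: true, protocol: 'oidc-basic-profile' }),
    sampleEvent({ verified: false, protocol: 'oidc-basic-profile' }),
    sampleEvent({ verified: false, prompt: 'none', protocol: 'oidc-basic-profile' }),
  ]) {
    console.log(JSON.stringify(runWithStubApi(e)));
  }
}
```

The redirect branch is what resolves the situation described earlier in the thread, where a denied user keeps an Auth0 session and cannot switch accounts: the logout endpoint ends that session before the user lands on the notice page. The deny fallback is only there because a redirect would fail the Action in silent or token-based flows; in those cases the session remains, which is the same behaviour as a plain api.access.deny.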

Hey @gparascandolo thanks for jumping in here!

That totally makes sense to me and seems a good solution - Something similar is mentioned here:

Hope this helps everyone!

