Non-whitelist email domain still creates a session

jane.d · February 5, 2021, 4:13am

hi

i’m facing a problem similar to this.

i’ve successfully integrated auth0 into my vue app following these steps. i’ve also restricted email domains following this instruction.

this works fine until a user signs in with an email that is not whitelisted. after an unauthorized sign in, i’m guessing that a session is still created because it is a valid google account. then, the whitelist rule steps in and prevents authentication (meaning $auth.isAuthenticated still returns false). when the user tries to sign in again, they’re unable to access auth0’s sign-in page again and is returned to https://localhost:<PORT>/?error=access_denied&error_description=Access%20denied.&state=<STATE> and they’re not redirected to any auth0 error page.

i did some testing. if i were to $auth.logout({returnTo: window.location.origin}); after signing in with a non-whitelisted email, i can sign in again. otherwise, clearing sessions/cookies locally will still prevent me from signing in again. adding a logout button means an extra step for the user, so it is not an ideal solution.

is there a way to prevent a session from being created if it is a not whitelisted email domain? if not, it’s fine. i just need to make sure the user is able to access auth0 sign in page again and re-signin after authentication is prevented because of a non-whitelisted email domain.

do you have any suggestion on how to achieve the desired behavior? please help this newbie out with plain explanations

stephanie.chamblee · February 8, 2021, 2:46pm

Hi @jane.d,

Welcome to the Community!

Unfortunately, Rules will execute after a user session has been created, and so you can’t prevent a session at that point.

The application is responsible for displaying an error message based on the error_description passed back as a query param.

However, you can end the user session like in the topic you referenced:

function emailDomainWhitelist(user, context, callback) {

  // Access should only be granted to verified users.
  if (!user.email || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  const whitelist = ['example.com', 'example.org']; //authorized domains
  const userHasAccess = whitelist.some(
      function (domain) {
        const emailSplit = user.email.split('@');
        return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
      });

  if (!userHasAccess) {
    context.redirect = { url: "https://YOUR_DOMAIN.YOUR_REGION.auth0.com/v2/logout?returnTo=http%3A%2F%2Flocalhost%3A3000%3Fmsg%3Daccess_denied&client_id=YOUR_APP_CLIENT_ID" };
    return callback(null, user, context);
  }

  return callback(null, user, context);
}

In the code above, if the user does not have access, they will be logged out and redirected to http://localhost:3000/?msg=access_denied

You could display an error based on the query param you send back.

jane.d · February 9, 2021, 4:47am

hi @stephanie.chamblee,

thank you for the helpful solution!

system · February 24, 2021, 4:48am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting "access_denied" error after verifying my email address Help login , access_denied , auth0-spa-js	8	4265	September 1, 2021
Destroy session Auth0 through back express Help login-experience , new-universal-login-experience	6	571	December 28, 2023
Custom Action: user stays logged into Auth0 after api.access.deny Help login-experience , new-universal-login-experience	10	71	September 25, 2024
Email / Password login fails on new app in Development mode Help connections , custom-database-connections	17	1594	August 28, 2023
Auth0 log me out after backend set email verified equal true Help login-experience , signup-prompt-new-experience	5	31	August 21, 2024

Non-whitelist email domain still creates a session

Related Topics