I am seeking some clarity on Auth0’s authentication failure strategy specifically. I am using the omniauth-auth0
gem implementation in Ruby on Rails that was recommended in the Quickstart guide. I am using authorization flow with Universal Login.
- Does this implementation of Auth0 use OmniAuth’s defaults for authentication failure? For example, is the `/auth/failure` route always used for authentication errors? Are there scenarios where errors are sent to `/callback` instead?
- Is there an example authentication error response that I can see? The `omniauth-auth0` docs (I’m not allowed to include links) have an example of a successful authentication response but I didn’t see anything about failures. I was able to purposely trigger a failure due to a missing client secret and see the response but I wasn’t sure if all authentication failures were structured like that.
These questions also relate to how I set up my tests. For example, the regular OmniAuth documentation (again, can’t link to it) recommends using this to mock failure:
OmniAuth.config.mock_auth[:twitter] = :invalid_credentials
So, I simply adjusted it in my test helper:
# /spec/support/auth0_helpers.rb
# Puts OmniAuth into test mode and makes the auth0 strategy fail with
# the :invalid_credentials error type instead of returning an auth hash.
def mock_auth0_failure(message: "Authentication failed")
  OmniAuth.config.test_mode = true
  OmniAuth.config.mock_auth[:auth0] = :invalid_credentials
end
And by default, OmniAuth raises exceptions in development and test environments rather than redirecting, so I’m overriding this behavior to make sure my controller action is hit:
# /config/initializers/auth0.rb
# In development and test, redirect to /auth/failure (as in production)
# instead of raising the failure as an exception.
if Rails.env.development? || Rails.env.test?
  OmniAuth.config.on_failure = Proc.new do |env|
    OmniAuth::FailureEndpoint.new(env).redirect_to_failure
  end
end
However, I want to make sure my test assumptions are correct, otherwise they are not very useful. I tried searching the Auth0 docs (for example, the pre-deployment checks) but couldn’t find information specific to failures in OmniAuth with Universal Login. If there’s documentation I simply missed, please feel free to direct me that way.
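As an added illustration (not part of the question, and not the gem's own code), here is a stdlib-only Ruby model of the redirect that `OmniAuth::FailureEndpoint#redirect_to_failure` produces once `mock_auth[:auth0] = :invalid_credentials` makes the strategy fail, so a request spec knows which `Location` to assert on. It assumes OmniAuth's env keys (`omniauth.error.type`, `omniauth.error.strategy`, `omniauth.origin`) and the default `/auth` path prefix; the `FakeStrategy` struct and the `/dashboard` origin are constructed for the example.

```ruby
# Added model (not the gem's code) of the Location header that OmniAuth's
# failure endpoint builds on redirect. Assumes the env keys OmniAuth sets
# when a strategy calls fail!(:invalid_credentials) and the default
# path_prefix "/auth"; check against the installed gem version.
require "uri"
require "cgi"

# Stand-in for the strategy object found in env["omniauth.error.strategy"].
FakeStrategy = Struct.new(:name)

# Build the redirect target: /auth/failure?message=...&origin=...&strategy=...
# origin is included only when OmniAuth recorded one, strategy only when set.
def failure_redirect_location(env, path_prefix: "/auth")
  message = env["omniauth.error.type"]
  location = "#{env['SCRIPT_NAME']}#{path_prefix}/failure?message=#{message}"
  origin = env["omniauth.origin"]
  location += "&origin=#{CGI.escape(origin)}" if origin
  strategy = env["omniauth.error.strategy"]
  location += "&strategy=#{strategy.name}" if strategy
  location
end

# Parse a failure Location back into the fields a spec would check.
def failure_params(location)
  uri = URI.parse(location)
  params = URI.decode_www_form(uri.query.to_s).to_h
  { path: uri.path, message: params["message"],
    strategy: params["strategy"], origin: params["origin"] }
end

# Constructed env approximating what fail!(:invalid_credentials) leaves
# behind for the auth0 strategy when the user started from /dashboard.
MOCK_FAILURE_ENV = {
  "SCRIPT_NAME" => "",
  "omniauth.error.type" => :invalid_credentials,
  "omniauth.error.strategy" => FakeStrategy.new("auth0"),
  "omniauth.origin" => "/dashboard"
}.freeze

if __FILE__ == $PROGRAM_NAME
  location = failure_redirect_location(MOCK_FAILURE_ENV)
  puts location
  p failure_params(location)
end
```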