Prevent User Creation from Social Logins

Problem statement

When using social logins, an uninvited user who clicks one of the sign-in buttons (Google or GitHub) is refused entry, but a user entry is still created in the “User Management” list. This article explains how to make sure that no user profile is created in the User Management list for a user who cannot successfully sign in.

Cause

This is expected behavior. With Social Connections you rely on the social partner for users, which means the social partner can create users. There’s no way of stopping signup for social logins, because conceptually the signup does not happen at Auth0, but at the external identity provider.

Solution

To prevent a user profile from being created in the User Management list in these circumstances:

  1. Create a Login Action that searches for the user using the Management client.
    • If the user exists, allow logins and run Account Link to merge the user profile.
    • If the user does not exist, deny login access and delete the user profile.
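
One way to write the Login Action described above, as an added example that is not Auth0's own code. It assumes invited users already exist as profiles in another connection (for example a database connection), that the secrets DOMAIN, CLIENT_ID and CLIENT_SECRET are configured on the Action, and that the `auth0` npm package exposes the v4 method names; `gateSocialLogin` is a hypothetical helper, and the verified-email check is an added safeguard.

```javascript
// Added example, not Auth0's code. gateSocialLogin and the secret names are hypothetical.
// Assumes invited users already exist as profiles in another connection (e.g. database).
const SOCIAL = new Set(["google-oauth2", "github"]);

// Core decision; `mgmt` wraps the Management API so the logic can be exercised offline.
async function gateSocialLogin(event, api, mgmt) {
  if (!SOCIAL.has(event.connection.strategy)) return "skipped";
  const { user_id, email, email_verified, identities } = event.user;
  // A profile holding more than one identity was linked on an earlier login.
  if (identities.length > 1) return "allowed";

  // Match only on a verified email, so an unverified address cannot claim a profile.
  const found = email && email_verified ? await mgmt.findByEmail(email) : [];
  const invited = found.find((u) => u.user_id !== user_id);
  if (!invited) {
    await mgmt.remove(user_id); // delete the profile Auth0 created for this login
    api.access.deny("This account has not been invited.");
    return "denied";
  }
  // Merge the social identity into the invited profile and continue as that user.
  const { provider, user_id: providerUserId } = identities[0];
  await mgmt.link(invited.user_id, { provider, user_id: String(providerUserId) });
  api.authentication.setPrimaryUser(invited.user_id);
  return "linked";
}

// Entry point Auth0 invokes. Method names follow v4 of the `auth0` npm package (assumed);
// the M2M application behind the secrets needs read:users, update:users and delete:users.
async function onExecutePostLogin(event, api) {
  const { ManagementClient } = require("auth0");
  const m = new ManagementClient({
    domain: event.secrets.DOMAIN,
    clientId: event.secrets.CLIENT_ID,
    clientSecret: event.secrets.CLIENT_SECRET,
  });
  await gateSocialLogin(event, api, {
    findByEmail: async (email) => (await m.usersByEmail.getByEmail({ email })).data,
    link: (id, body) => m.users.link({ id }, body),
    remove: (id) => m.users.delete({ id }),
  });
}
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

Without the early return for already-linked profiles, a returning invited user would match only their own profile in the email search and be deleted on their second social login.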