Preventing a user belonging to a group from accessing an application


I’m trying to prevent some users from accessing a specific application.

I’ve created a group is_not_application_user and attached the users that should not be accessing the application.

I have added a custom action:

exports.onExecutePostLogin = async (event, api) => {
  if (( === "Application") && !userRoles.includes("is_not_application_user"))
  api.access.deny(`Access to ${} is not allowed.`);

This action is inserted in the login flow after the legacy rules.

If I test this with the application, I can never connect ( ?sso_failed=1). I can connect to the other application.

It should be a very basic thing but I’m not good enough in programming :frowning:

Thank you in advance for your help.

Hi @liechtjc,

Welcome to the Auth0 Community!

It looks like you are putting a not operator (!) in front of your condition when you should simply be checking for the condition itself. (i.e. userRoles.includes vs. !userRoles.includes).

Additionally, the variable you are using, userRoles, does not exist. If you want to look at the user’s roles, you should be using the variable event.authorization.roles.

Finally, you are missing curly brackets {} for your conditional.

Hope this helps!
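
The three corrections from the answer above, combined into one Action. This is an added example, not code posted by anyone in the thread. It assumes the expression left blank in the question was event.client.name and that is_not_application_user is a role assigned to the user; the helper denyReason is a hypothetical name.

```javascript
// Added example: the names marked "assumption" are not from the original thread.
const BLOCKED_APP = "Application";               // application name from the question
const BLOCKED_ROLE = "is_not_application_user";  // assumption: exists as a role on the user

// Returns a denial message, or null when the login may proceed.
// Kept separate from the handler so the decision can be tested without Auth0.
function denyReason(event) {
  // Assumption: the blanked-out expression in the question was event.client.name.
  const appName = event.client?.name;
  if (appName !== BLOCKED_APP) {
    return null; // logins to other applications are unaffected
  }
  // event.authorization can be undefined, so fall back to an empty list
  // instead of throwing inside the login flow.
  const roles = event.authorization?.roles ?? [];
  // No "!" here: deny when the user HAS the blocking role.
  if (roles.includes(BLOCKED_ROLE)) {
    return `Access to ${appName} is not allowed.`;
  }
  return null;
}

const onExecutePostLogin = async (event, api) => {
  const reason = denyReason(event);
  if (reason) {
    // Braces keep the deny call inside the conditional.
    api.access.deny(reason);
  }
};

// Auth0 loads the handler from exports; the guard lets the file run elsewhere too.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Because the check is a deny-list, a user with no roles at all is allowed through to the application.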

Dear Dan,

Thank you very much for your help. This solved my problem. I’m sorry that I bother you with such trivial questions :frowning:

No problem! I’m happy to help.

