We have a custom trigger that redirects to logout, and then to our custom error page.
Why?
We are using SAML Addon, and some (many) vended apps using SAML do not display the deny reason when we deny with api.access.deny("blah")
In general, we notice inconsistent behavior with api.access.deny("blah") across different IdPs (like OIDC and SAML).
We do not need to support a continue scenario. If our authorization code determines a user should not be able to login to a client, we want them immediately to go to our custom error page with a friendly message on why they are not allowed and a link to contact support.
This will fail with “The returnTo URL is malformed”
const customErrorPageUrl = encodeURIComponent(
`${returnTo}?error_description=${message}`
);
const redirectionUrl = `https://${event.tenant.id}.us.auth0.com/v2/logout?returnTo=${customErrorPageUrl}`;
api.redirect.sendUserTo(redirectionUrl);
This will fail with “The returnTo URL is malformed”
const customErrorPageUrl = encodeURIComponent(
`${returnTo}#error_description=${message}`
);
const redirectionUrl = `https://${event.tenant.id}.us.auth0.com/v2/logout?returnTo=${customErrorPageUrl}`;
api.redirect.sendUserTo(redirectionUrl);
It is not possible to redirect to a custom error page with a reason.
The docs are not clear on this: Redirect Users with Alternative Logout
i.e.:
- The validation of URLs provided as values to the returnTo parameter, the query string, and hash information provided as part of the URL are not taken into account.
But they are taken into account… they are not allowed at all.
Is there an alternative to what we are trying to do? Once again to be clear, I want to STOP the login process, do not issue a token/cookie/session, do not allow a “continue” scenario, send them directly to an oopsies page. This should work on ALL IdPs consistently.
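The logout redirect described in the post, as an added example that is not the poster's code: the helper refuses a returnTo that carries a query string or fragment before calling /v2/logout (the two shapes the post saw rejected as "malformed"), and the Action body falls back to api.access.deny so the login is still refused if the configured URL is unusable. It assumes the error page URL is held in an Action secret (assumed name ERROR_PAGE_URL) and a us-region tenant, as in the post's URLs.

```javascript
// Added example, not from the original post. Builds the /v2/logout redirect
// used in the post and rejects any returnTo that the endpoint would refuse.

function returnToIsPlain(returnTo) {
  // The post observed that both "?..." and "#..." in returnTo are rejected,
  // so the raw string is checked rather than the parsed URL (which would
  // hide an empty "?" or "#"). Only https targets are accepted here.
  let parsed;
  try {
    parsed = new URL(returnTo);
  } catch {
    return false;
  }
  return parsed.protocol === "https:" &&
    !returnTo.includes("?") && !returnTo.includes("#");
}

function buildLogoutUrl(tenantId, returnTo) {
  if (!returnToIsPlain(returnTo)) {
    throw new Error("returnTo must be an https URL with no query string or fragment");
  }
  // Same shape as the post's redirectionUrl (us region assumed).
  return `https://${tenantId}.us.auth0.com/v2/logout?returnTo=${encodeURIComponent(returnTo)}`;
}

// Post-login Action body (Auth0 expects it exported as onExecutePostLogin).
// Stops the login and sends the user to the error page via logout; if the
// configured page cannot be used, deny outright so no session is issued.
async function onExecutePostLogin(event, api) {
  const message = "Your account is not allowed to use this application.";
  const returnTo = event.secrets.ERROR_PAGE_URL; // assumed secret name
  try {
    api.redirect.sendUserTo(buildLogoutUrl(event.tenant.id, returnTo));
  } catch (e) {
    api.access.deny(message);
  }
}
```

The reason string itself still cannot travel in returnTo; the example only makes the failure explicit at configuration time instead of surfacing as the opaque "malformed" error.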