Last Updated: Nov 25, 2024
Overview
An Auth0 Admin has blocked a user via the Auth0 dashboard, which adds the attribute blocked:true to the user's profile. After authenticating, this user should be redirected by a Rule or Action to a custom error page. However, the Rule or Action does not execute when the user attempts to log in.
Applies To
- Blocked User
- Rules
- Actions
- Redirects
Cause
Blocks applied by tenant admins (blocked:true in user profile) will not trigger extensibility flows.
Solution
There is no extensibility point to catch users that are blocked (i.e. {"blocked":true} in the user's profile). This type of block skips all Rule and Action code.
Currently, this needs to be handled on the Service Provider's side. Upon receiving the "user is blocked" response, the application needs to parse it and either display the error message or redirect the user to a page in the application that shows the desired message.
An alternative is to not use the built-in block status and instead implement a custom blocked flag in the user's app_metadata. The "blocked" user can then initially log in and trigger the extensibility flows, where they can be redirected to a custom page, or an unauthorized error can be passed to the callback URL, before they obtain any tokens.
NOTE: When attempting this pattern, it is necessary to use a name for that custom blocked flag that does not conflict with other Auth0 root profile attribute names to avoid unexpected behavior.
For example, to redirect to a custom page, set "custom_block":true in the user's app_metadata and use the following Rule:
function(user, context, callback){
  user.app_metadata = user.app_metadata || {};
  const custom_block = user.app_metadata.custom_block || false; // default to false if not set
  if (custom_block){
    // redirect users with custom block status true
    context.redirect = {
      url: "https://example.com/custom_block"
    };
  }
  return callback(null, user, context);
}
The following Action sample achieves the same behavior:
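exports.onExecutePostLogin = async (event, api) => {
  event.user.app_metadata = event.user.app_metadata || {};
  // default to false if not set
  const custom_block = event.user.app_metadata.custom_block || false;
  if (custom_block) {
    // build a token to pass to the custom page in the query string
    const token = api.redirect.encodeToken({
      secret: "mysecret", // placeholder; keep the real value in Action secrets (event.secrets), not in code
      payload: {
        email: event.user.email
      }
    });
    // redirect users with custom block status true
    api.redirect.sendUserTo("https://example.com/custom_block", {
      query: { token }
    });
  }
};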
This redirects the user to the configured URL with the token passed as a query string value.
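One way to combine the two options described above, as an added example that is not Auth0's sample code: flagged users are redirected on login, and access is denied if the flow is later resumed, so the login ends in an unauthorized error rather than in tokens. The helper names (isCustomBlocked, handleLogin, handleContinue), the Action secret name REDIRECT_SECRET and the error message are assumptions.

```javascript
// Added example, not Auth0's sample code. Assumptions: the custom_block flag
// from this article; REDIRECT_SECRET (an Action secret name), the error
// message and the helper names are hypothetical.
const CUSTOM_BLOCK_URL = "https://example.com/custom_block";
const DENY_REASON = "This account has been blocked.";

// Same truthy test as the article's samples; tolerates users that have
// no app_metadata at all.
function isCustomBlocked(event) {
  const appMetadata = (event.user && event.user.app_metadata) || {};
  return Boolean(appMetadata.custom_block);
}

// Initial login: send flagged users to the custom page with a token.
function handleLogin(event, api) {
  if (!isCustomBlocked(event)) return "allowed";
  const token = api.redirect.encodeToken({
    secret: event.secrets.REDIRECT_SECRET, // kept in Action secrets, not in code
    payload: { email: event.user.email },
  });
  api.redirect.sendUserTo(CUSTOM_BLOCK_URL, { query: { token } });
  return "redirected";
}

// Resumed login: the flag is checked again, so returning from the custom
// page produces an unauthorized error at the callback URL.
function handleContinue(event, api) {
  if (!isCustomBlocked(event)) return "allowed";
  api.access.deny(DENY_REASON);
  return "denied";
}

// In the Action editor these are the two exported handlers.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = async (event, api) => { handleLogin(event, api); };
  exports.onContinuePostLogin = async (event, api) => { handleContinue(event, api); };
}
```

REDIRECT_SECRET must be defined in the Action's secrets before deploying.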