Redirect Blocked Users to a Custom Error Page Using Rules or Actions

Problem statement

I am trying to check if authenticated users are blocked with blocked: true in the profile so that I can redirect to the error page in place of the SAML response to the SP application.

I tried with the rules and actions, but they were not executed. Could you please let me know the way to handle this scenario?

Cause

Blocks applied by tenant admins (blocked: true in the user profile) do not trigger extensibility flows.

Solution

There isn't an extensibility point to catch users that are blocked (i.e. {"blocked": true} in the user's profile). This type of block skips all Rule/Action code.

Currently, this instead needs to be handled on the Service Provider side: upon receiving the "user is blocked" response, the SP needs to parse it and display the error message, or redirect the user to a page on the application that shows the desired message.

An alternative is not to use the built-in block status and instead implement a custom blocked flag in the user's app_metadata. This lets the "blocked" user initially log in and trigger the extensibility flows, at which point they can be redirected to a custom page, or an unauthorized error can be passed to the callback URL, before they obtain any tokens.

Note: When attempting this pattern it is necessary to use a name for the custom blocked flag that does not conflict with other Auth0 root profile attribute names, to avoid unexpected behavior.

For example, to redirect to a custom page, set "custom_block": true in the user's app_metadata and add the following Rule:

function (user, context, callback) {
  user.app_metadata = user.app_metadata || {};
  // default to false if the custom flag is not set
  const custom_block = user.app_metadata.custom_block || false;
  if (custom_block) {
    // redirect users whose custom block status is true, before any tokens are issued
    context.redirect = {
      url: "https://example.com/custom_block"
    };
  }
  return callback(null, user, context);
}

The following Action achieves the same behavior:

exports.onExecutePostLogin = async (event, api) => {
  event.user.app_metadata = event.user.app_metadata || {};
  // default to false if the custom flag is not set
  const custom_block = event.user.app_metadata.custom_block || false;

  if (custom_block) {
    // sign the payload so the custom page can verify the redirect came from Auth0;
    // read the secret from the Action's Secrets (name chosen here) rather than hard-coding it
    const token = api.redirect.encodeToken({
      secret: event.secrets.CUSTOM_BLOCK_SECRET,
      payload: {
        email: event.user.email
      }
    });

    api.redirect.sendUserTo("https://example.com/custom_block", {
      query: { token }
    });
  }
};

This will redirect the user to the configured URL with the encoded token as a query string parameter (token=...), which the custom page can verify using the same secret.