Redirect user back to login page with error message displayed

We have social login with Google as the only option for login on our app now. For now, we have an allowlist of emails that are allowed to log in with Google. I’ve created a post-login action that checks on a list.

I saw from posts like these: Api.access.deny and api.redirect.sendUserTo looping after call in login action that we can’t use api.access.deny because it sends the page into an infinite redirect loop. I’ve added the logout to the action and I currently have it redirecting to the entrypoint page of our app. However, what I’d like is to redirect back to login with an error message shown. I’ve tried setting the query params for error_description and error, but I can’t get the error message to show. I’ve also tried setting it to just my tenant URL, but that gives me an error.

Can someone give me some advice as to what the returnTo URL should be in order to just redirect to the login screen with an error? Do I have to set up a custom error page?


I was wondering if anyone could help me with this? Or provide an update?

I too am experiencing the same issue. In my use case, most users have access to only one of the many applications configured. I am using a login flow Action to control this access.

I have removed the api.access.deny() call and replaced it with api.redirect.sendUserTo('https://{my domain}') call which works in that the user is logged out with a simple “OK” message on the screen. If I immediately use api.redirect.sendUserTo({URL}) following the logout, I am redirected to the URL but the user was not logged out and a state value is included in the address bar and results in the infinite loop again.

When I add the returnTo parameter to the logout, I get an error that the URL is not in my Allowed Logout URL list although it most assuredly is. Another suggestion in this case is to include ‘?client_id={CLIENT_ID}’ and therein lies the rub. I need to be able to obtain the current CLIENT_ID value the user is using (which application they are attempting to log in to).

The client_id can be obtained via event.client.client_id. Using this I can redirect back to the login page and the user is logged out; however, there is no indication to the user that anything is wrong, like why the login failed.

I expect that the web page redirected to will need to be a page that provides the “Not authorized” message.
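
The approach this thread converges on, as an added example that is not code from any poster: a post-login Action that checks the allowlist and, on failure, sends the user to the tenant's /v2/logout endpoint with client_id (from event.client.client_id) and a returnTo pointing at a dedicated "Not authorized" page. The secret names ALLOWED_EMAILS, TENANT_DOMAIN and DENIED_PAGE_URL are assumptions, and the denied-page URL must be listed in the application's Allowed Logout URLs.

```javascript
// Added example. Secret names and sample values are assumptions, not from the thread.

// Case-insensitive allowlist match that only trusts a verified email.
function isAllowed(user, allowlistCsv) {
  const allow = new Set(
    (allowlistCsv || "")
      .split(",")
      .map((e) => e.trim().toLowerCase())
      .filter(Boolean)
  );
  return (
    user.email_verified === true &&
    typeof user.email === "string" &&
    allow.has(user.email.trim().toLowerCase())
  );
}

// Build the logout URL; URLSearchParams percent-encodes returnTo so it
// cannot smuggle extra query parameters into the logout request.
function buildLogoutUrl(tenantDomain, clientId, returnTo) {
  const url = new URL(`https://${tenantDomain}/v2/logout`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("returnTo", returnTo);
  return url.toString();
}

// Post-login Action handler: allowed users continue, everyone else is
// logged out and lands on the "Not authorized" page.
const onExecutePostLogin = async (event, api) => {
  if (isAllowed(event.user, event.secrets.ALLOWED_EMAILS)) return;
  api.redirect.sendUserTo(
    buildLogoutUrl(
      event.secrets.TENANT_DOMAIN,
      event.client.client_id,
      event.secrets.DENIED_PAGE_URL
    )
  );
};

// Export for the Actions runtime (CommonJS); skipped when run as a plain script.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```
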