Redirecting Users to a Signup Page if Account Does Not Exist

gabriela.pantea · November 18, 2024, 6:56pm

Overview

This article explains whether Auth0 supports using an identifier-first flow, where the user is taken to a login page if the user exists or a signup page if the user does not exist.

Applies To

Redirecting
Identifier-first
Login Page
Sign Up Page

Solution

Auth0 does not support redirecting a user to a login or sign-up page based on whether the user exists.

This flow introduces a security vulnerability for user enumeration attacks.
If bad actors can differentiate between an account that exists and an account that does not exist, then attackers can easily narrow down which users exist within an organization.

Please see the OWASP specifications for more information on this topic.

Topic		Replies	Views
Hook or Rule to redirect users who are not recognised Help	2	3382	August 26, 2019
Unable to Generate a “User doesn’t exist” Message During Login Knowledge Articles	1	688	October 13, 2023
Routing user based on existence in Auth0 upon Login Help identifier-first , login-experience	3	201	May 23, 2024
Surpressing “user_exists” response on signup Help auth0 , signup , security	4	3442	July 30, 2019
Email Notification that Username does not exist Help identifier-first , login-experience	2	304	February 15, 2024

Redirecting Users to a Signup Page if Account Does Not Exist

Overview

Applies To

Solution

Related Topics