Remove social sign ups from universal login but still allow logins

Problem Statement

We need to block users from signing up with Social logins. Is there a way we can remove the Google registration option while still allowing people to log in using Google?

Solution

We don’t support disabling sign-ups while still allowing logins on a given social connection. If the Google social connection is enabled, the buttons will always appear on the signup tab when using Lock or New Universal Login, and a brand new user can use the “login with [SOCIAL CONNECTION]” button without signup.

A user can be blocked from obtaining tokens by a rule that denies access on any social connection where the login count is 1, for example (see the example below).

If removing the signup buttons is still required (although they are functionally identical to the login buttons for a social connection, so this won’t stop “signups”), a custom UI, such as one using Auth0.js, would need to be developed.

Here are sample scripts for blocking social signup using Rules (from Auth0 Actions):

function disableSocialSignups(user, context, callback) {

  const CLIENTS_ENABLED = ['REPLACE_WITH_YOUR_CLIENT_ID'];
  // run only for the specified clients
  if (CLIENTS_ENABLED.indexOf(context.clientID) === -1) {
    return callback(null, user, context);
  }

  // initialize app_metadata
  user.app_metadata = user.app_metadata || {};

  // for a social connection the connection name equals its strategy (e.g. google-oauth2)
  const is_social = context.connectionStrategy === context.connection;
  // if it is the first login (hence the `signup`) and it is a social login
  if (context.stats.loginsCount === 1 && is_social) {

    // turn on the flag
    user.app_metadata.is_signup = true;

    // store the app_metadata
    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
      .then(function(){
        // throw error
        return callback(new Error('Signup disabled'));
      })
      .catch(function(err){
        callback(err);
      });

    return;
  }

  // if the flag is enabled, throw the error
  if (user.app_metadata.is_signup) {
    return callback(new Error('Signup disabled'));
  }

  // else it is a non-social login or it is not a signup
  callback(null, user, context);
}

Please note that this rule only stops tokens from being issued, so the application receiving the error should log the user out to avoid a loop if they retry while the session is still valid.
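
One way an application could handle that error and end the session, shown as an added example (not Auth0's code and not part of the original article). It assumes the rule's message 'Signup disabled' arrives at the callback URL in the error_description parameter; the function names, tenant domain, client ID and returnTo URL are placeholders.

```javascript
// Assumption: the rule's Error message is delivered to the application's
// callback URL as `error_description`, alongside an `error` parameter.
const BLOCK_MESSAGE = 'Signup disabled';

// Placeholder values; replace with your tenant and application settings.
// returnTo must be listed in the application's Allowed Logout URLs.
const CONFIG = {
  domain: 'your-tenant.example.com',
  clientId: 'REPLACE_WITH_YOUR_CLIENT_ID',
  returnTo: 'https://app.example.com/signup-disabled',
};

// Collect authorization-response parameters from the query string and,
// for fragment-based responses, from the hash. Query values win on clashes.
function authResponseParams(callbackUrl) {
  const url = new URL(callbackUrl);
  const params = new URLSearchParams(url.search);
  new URLSearchParams(url.hash.replace(/^#/, '')).forEach((value, key) => {
    if (!params.has(key)) params.set(key, value);
  });
  return params;
}

// Returns the /v2/logout URL to redirect to when the callback carries the
// rule's error, or null for any other response (success or unrelated error).
function logoutUrlForBlockedSignup(callbackUrl, config = CONFIG) {
  const params = authResponseParams(callbackUrl);
  if (!params.has('error')) return null;
  if (params.get('error_description') !== BLOCK_MESSAGE) return null;

  // Ending the Auth0 session stops a retry from silently reusing it and
  // hitting the same rule error again.
  const logout = new URL(`https://${config.domain}/v2/logout`);
  logout.searchParams.set('client_id', config.clientId);
  logout.searchParams.set('returnTo', config.returnTo);
  return logout.toString();
}
```

In a browser application, call logoutUrlForBlockedSignup(window.location.href) on the callback route and assign a non-null result to window.location.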
