Problem Statement
We need to block users from signing up with Social logins. Is there a way we can remove the Google registration option while still allowing people to log in using Google?
Solution
We don’t support disabling sign-ups while still allowing logins on a given social connection. If the Google social connection is enabled, the buttons will always appear on the signup tab when using Lock or New Universal Login, and a brand new user can use the “login with [SOCIAL CONNECTION]” button without signing up.
A user can be blocked from obtaining tokens by a rule that denies access on any social connection when the login count is 1, for example (see the example below).
If it is still required to remove the signup buttons (although they are functionally identical to the login buttons for a social connection, so this won’t stop “signups”), a custom UI, such as one using Auth0.js, would need to be developed.
Here is a sample script for blocking social signup using Rules (from Auth0 Actions):
function disableSocialSignups(user, context, callback) {
  const CLIENTS_ENABLED = ['REPLACE_WITH_YOUR_CLIENT_ID'];
  // run only for the specified clients
  if (CLIENTS_ENABLED.indexOf(context.clientID) === -1) {
    return callback(null, user, context);
  }
  // initialize app_metadata
  user.app_metadata = user.app_metadata || {};
  const is_social = context.connectionStrategy === context.connection;
  // if it is the first login (hence the `signup`) and it is a social login
  if (context.stats.loginsCount === 1 && is_social) {
    // turn on the flag
    user.app_metadata.is_signup = true;
    // store the app_metadata
    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
      .then(function(){
        // throw error
        return callback(new Error('Signup disabled'));
      })
      .catch(function(err){
        callback(err);
      });
    return;
  }
  // if the flag is enabled, throw the error
  if (user.app_metadata.is_signup) {
    return callback(new Error('Signup disabled'));
  }
  // else it is a non-social login or it is not a signup
  callback(null, user, context);
}
Please note that this rule only stops tokens from being issued, so the application receiving the error should log the user out to avoid a loop if they retry while the session is still valid.
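The same check written as a Post-Login Action, as an added example that is not part of the original article or Auth0's own code. The helper name `socialSignupDecision` is hypothetical, and the client ID is the same placeholder used in the rule.

```javascript
// Added example: Post-Login Action version of the rule above.
// Assumption: same client allow-list placeholder as in the rule.
const CLIENTS_ENABLED = ['REPLACE_WITH_YOUR_CLIENT_ID'];

// Hypothetical pure helper: decides whether to deny and whether to set the
// is_signup flag, so the logic can be unit-tested without a tenant.
function socialSignupDecision(event) {
  // run only for the specified clients
  if (!CLIENTS_ENABLED.includes(event.client.client_id)) {
    return { deny: false, flag: false };
  }
  const appMetadata = event.user.app_metadata || {};
  // same heuristic as the rule: for a social connection the
  // connection name equals the strategy (e.g. "google-oauth2")
  const isSocial = event.connection.strategy === event.connection.name;
  // first login on a social connection is treated as a signup
  if (event.stats.logins_count === 1 && isSocial) {
    return { deny: true, flag: true };
  }
  // a user flagged on an earlier attempt stays blocked
  if (appMetadata.is_signup) {
    return { deny: true, flag: false };
  }
  // non-social login, or not a signup
  return { deny: false, flag: false };
}

async function onExecutePostLogin(event, api) {
  const decision = socialSignupDecision(event);
  if (decision.flag) {
    // metadata changes requested by an Action are kept even when
    // the same Action denies the login
    api.user.setAppMetadata('is_signup', true);
  }
  if (decision.deny) {
    api.access.deny('Signup disabled');
  }
}

// Auth0 Actions loads the handler from `exports`
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```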