Ruby on Rails Authorization

I’m very new to auth0. I have a Ruby on Rails app that uses auth0 for authentication. What I would like to do is only allow sign up/log in based on email address. For example, let’s say I have Apple and Boeing as clients. I only want people with email addresses that end in or to be able to log in to the app. How can I implement this with auth0? Is there some way I can say if the email address doesn’t contain or then don’t allow that person to log in or sign up?

Hey there Shawn!

Great to have you in our community. You can accomplish that using our Rules feature. Here’s the one you need:

Whitelist for a specific app rule

function (user, context, callback) {

  // Access should only be granted to verified users.
  if (! || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));

  // only enforce for NameOfTheAppWithWhiteList
  // bypass this rule for all other apps
  if(context.clientName !== 'NameOfTheAppWithWhiteList'){
    return callback(null, user, context);

  const whitelist = [ '', '' ]; // authorized users
  const userHasAccess = whitelist.some(function (email) {
    return email ===;

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));

  callback(null, user, context);

You can customise it going to the rules section in your dashboard.

Hi Konrad,

Thanks for getting back to me so quickly. This works fine for signing up through Username-Password-Authentication, but it doesn’t work when logging in through oauth2. For example, I can still log in through google-oauth2, even though my email address domain is not in the whitelisted email addresses. How can I also check email address domains before letting someone log in through oauth2?

You’re right! In terms of social login it won’t work. Let me do a little bit of research and tell you how you can approach that!

So it depends…

If the social connection is able to return a verified user email address then it should be possible. It will depend on social connection though.