I am using the Auth0 ASP.NET Core Authentication SDK with my .NET 6 MVC web application to authenticate users, and so far login and logout using the universal login page are working fine. I would just like to only allow verified email addresses though, so I have just added a rule that a user must have a verified email before they can log in. The rule appears as follows:
```js
function emailVerified(user, context, callback) {
  if (!user.email_verified) {
    return callback(
      new UnauthorizedError('Please verify your email before logging in.')
    );
  } else {
    return callback(null, user, context);
  }
}
```
I would have expected Auth0 login to show the user this error when they try and log in without having a verified email, but instead the user (me) gets shown an Internal Server Error page with the following error message:
# An unhandled exception occurred while processing the request.
OpenIdConnectProtocolException: Message contains error: 'unauthorized', error_description: 'Please verify your email before logging in.', error_uri: 'error_uri is null'.
Unknown location
Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
I see the official documentation for “Force Email Verification” says,
Note: It might be a better UX to make this verification from your application.
I have no idea how to make this verification from my application and neither can I find any docs on doing so. I imagine I would somehow have to query an API that tells me whether the user has a verified email before allowing them to log in via Auth0, but I have no idea how to do this. Any tips or suggestions would be most welcome.
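
One way to keep the rule and still avoid the Internal Server Error page is to handle the failed callback in the application's OpenID Connect events. This is an added example, not code from the original post or from Auth0's documentation; the `/Account/VerifyEmail` route and the `Auth0:Domain` / `Auth0:ClientId` configuration keys are assumptions.

```csharp
// Program.cs (.NET 6 MVC). Added example; route and config key names are assumptions.
using Auth0.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Must match the string passed to UnauthorizedError in the rule exactly.
const string RuleMessage = "Please verify your email before logging in.";

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

builder.Services.AddAuth0WebAppAuthentication(options =>
{
    options.Domain = builder.Configuration["Auth0:Domain"];
    options.ClientId = builder.Configuration["Auth0:ClientId"];
    options.OpenIdConnectEvents = new OpenIdConnectEvents
    {
        // Invoked when the callback carries an error instead of a successful login.
        OnRemoteFailure = context =>
        {
            if (context.Failure is OpenIdConnectProtocolException ex)
            {
                // The handler is expected to copy the response fields into ex.Data;
                // fall back to the exception message if they are not present.
                var error = ex.Data["error"] as string;
                var description = ex.Data["error_description"] as string;
                var isUnverified =
                    (error == "unauthorized" && description == RuleMessage)
                    || ex.Message.Contains(RuleMessage);

                if (isUnverified)
                {
                    // error_description arrives in the callback request, so treat it
                    // as untrusted: compare it, but render fixed text on the page.
                    context.Response.Redirect("/Account/VerifyEmail");
                    context.HandleResponse(); // stop the exception from propagating
                }
            }
            return Task.CompletedTask;
        }
    };
});

var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();
```

Any other remote failure is left unhandled on purpose, so unexpected errors still surface instead of being silently redirected.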