Rules and context.protocol === "oauth2-refresh-token"

Hi!

I’ve set up a rule to notify us when a user signs up (well, at least when they first sign in).

Following the guide here https://auth0.com/docs/rules/current I am using the following code to break out of the rule if the user had previously logged in, or is requesting a refresh token

  if (context.stats.loginsCount > 1 || context.protocol === 'oauth2-refresh-token') {
    return callback(null, user, context);
  }

Unfortunately the context.protocol is always set to “oidc-implicit-profile” regardless of whether the request is a login or requesting a refresh token. The documentation says refresh tokens should set context.protocol to “oauth2-refresh-token”

This means that we are getting alerts for every refresh, until the a user logs in again and increases their “loginsCount”.

I have only tested this using database logins so far and using auth0.checkSession to get the token.

Is this a bug, or am i misunderstanding something? We’d like to only send the alert on the first login (or ideally signup). I could potentially solve this by setting meta-data but I’m trying to avoid that solution, especially since the documentation says that technique isn’t needed.

Just bumping this, it seems like a bug

Does anyone have a workaround for checking if a login is a first login (not a renewal)

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?