
Rules and context.protocol === "oauth2-refresh-token"

rules

#1

Hi! :slight_smile:

I’ve set up a rule to notify us when a user signs up (well, at least when they first sign in).

Following the guide here https://auth0.com/docs/rules/current I am using the following code to break out of the rule if the user had previously logged in, or is requesting a refresh token:

  if (context.stats.loginsCount > 1 || context.protocol === 'oauth2-refresh-token') {
    return callback(null, user, context);
  }

Unfortunately the context.protocol is always set to “oidc-implicit-profile” regardless of whether the request is a login or requesting a refresh token. The documentation says refresh tokens should set context.protocol to “oauth2-refresh-token”.

This means that we are getting alerts for every refresh, until a user logs in again and increases their “loginsCount”.

I have only tested this using database logins so far and using auth0.checkSession to get the token.

Is this a bug, or am I misunderstanding something? We’d like to only send the alert on the first login (or ideally signup). I could potentially solve this by setting meta-data but I’m trying to avoid that solution, especially since the documentation says that technique isn’t needed.


#2

Just bumping this, it seems like a bug.

Does anyone have a workaround for checking if a login is a first login (not a renewal)?
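
The metadata-flag approach mentioned in post #1, as an added example that is not part of the thread and not Auth0's own code: the alert decision is keyed on a stored flag, so it does not depend on `context.protocol` or `loginsCount`, and a constructed event sequence compares it with the guard from the post. Assumptions: `signupNotified` is a hypothetical `app_metadata` key, `notify` and `saveAppMetadata` are injected stand-ins (in a real rule the latter would be `auth0.users.updateAppMetadata`), and the events are constructed to match the behaviour reported above.

```javascript
// Rule factory: alert once per user, decided by a persisted flag.
// `signupNotified`, `notify` and `saveAppMetadata` are hypothetical names.
function makeRule(notify, saveAppMetadata) {
  return function rule(user, context, callback) {
    user.app_metadata = user.app_metadata || {};
    if (user.app_metadata.signupNotified) {
      return callback(null, user, context); // already alerted, whatever the protocol
    }
    user.app_metadata.signupNotified = true;
    // Persist the flag before alerting: a failed alert is lost rather than repeated.
    saveAppMetadata(user.user_id, user.app_metadata)
      .then(() => notify(user))
      .then(() => callback(null, user, context))
      .catch((err) => callback(err));
  };
}

// The guard from post #1, kept for comparison: true means "skip the alert".
function guardFromPost(user, context) {
  return context.stats.loginsCount > 1 || context.protocol === 'oauth2-refresh-token';
}

// Constructed events: one login followed by two checkSession renewals, with the
// protocol and loginsCount values reported in the post.
const CONSTRUCTED_EVENTS = [
  { protocol: 'oidc-implicit-profile', stats: { loginsCount: 1 } },
  { protocol: 'oidc-implicit-profile', stats: { loginsCount: 1 } },
  { protocol: 'oidc-implicit-profile', stats: { loginsCount: 1 } },
];

async function simulate() {
  const id = 'auth0|constructed-user';
  const store = {}; // stands in for the user's stored app_metadata
  let flagAlerts = 0;
  let postAlerts = 0;
  const rule = makeRule(
    async () => { flagAlerts += 1; },
    async (userId, meta) => { store[userId] = { ...meta }; }
  );
  for (const context of CONSTRUCTED_EVENTS) {
    const user = { user_id: id, app_metadata: store[id] };
    if (!guardFromPost(user, context)) postAlerts += 1;
    await new Promise((resolve, reject) =>
      rule(user, context, (err) => (err ? reject(err) : resolve())));
  }
  return { postAlerts, flagAlerts };
}
```

On the constructed sequence the guard from the post alerts on all three events, while the flag-based rule alerts once.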