We’re using Google as our identity provider to log into our application.
When a user with a valid Google account but unauthorised in our application tries to log in using the Auth0 Lock they are redirected correctly to the login page.
When they try to log in with a different Google account by clicking the “Log in with Google” button, it attempts to log them in with the first Google account, not giving them a chance to choose a different one.
This results in the user being stuck in a loop in which they’ll be unable to log in to our application unless they manually log out of their Google account.
We attempted to implement the federated logout outlined in the documentation, but as this results in forced logout of the Google account we are not interested in this option.
1 Like
Google supports the ability to specify a parameter in the authentication request that suggest that the account chooser should be displayed in order to let the user have the opportunity to select an account different than the current one.
You can configure Lock (assuming latest version) so that it sends this parameter to Google by doing something similar to the following:
var options = { auth: { params: { } } };
// ... (set other relevant auth params)
options.auth.params.prompt = "select_account";
lock.show(options);
Ideally you would do the above only when showing Lock after knowing that a previous attempt without the prompt parameter failed because the Google account in question was not authorized for your application. With this conditional behavior you can let users authenticate automatically when the accounts are authorized and only force the account selection after having received an error.
1 Like