Should user and org id be returned in URL on error?

Just dived into Auth0 using the Username-Password-Authentication connection. I’m in Vue with the @auth0/auth0-vue package.

I’m just curious if passing this much Personally Identifiable Information like below in the URL parameters is a good practice ?

Maybe I’am missing some config ?

This is how loginWithRedirect() returns when user is not in organization:

localhost:4001/login?error=access_denied&error_description=user+auth0|68dec40e…..+is+not+part+of+the+org_JM7T……..+organization&state=MTVROFNOTH……

Hello @anders5,

Welcome to the Auth0 Community!

This is actually considered expected behavior in this scenario, and while this looks like providing a bit more information in case of a failed attempt to authenticate an user, it follows the standards of the OAuth 2.0, which implies redirecting back to your application with specific error and error_description query parameters.

However though, in Auth0 you can customize the error description received by your application using a Post-Login Action. You can modify the reason from the api.access.deny(reason) object since the post-login - API Object described the reason parameter as:

String. A human-readable explanation for rejecting the login. This is sent as error_description to the application that initiated the request.

Best regards,

Remus

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.