Just dived into Auth0 using the Username-Password-Authentication connection. I’m in Vue with the @auth0/auth0-vue package.
I’m just curious if passing this much Personally Identifiable Information like below in the URL parameters is a good practice?
Maybe I’m missing some config?
This is how loginWithRedirect() returns when user is not in organization:
localhost:4001/login?error=access_denied&error_description=user+auth0|68dec40e…..+is+not+part+of+the+org_JM7T……..+organization&state=MTVROFNOTH……
Hello @anders5,
Welcome to the Auth0 Community!
This is actually considered expected behavior in this scenario, and while this looks like providing a bit more information in case of a failed attempt to authenticate a user, it follows the OAuth 2.0 standard, which implies redirecting back to your application with specific `error` and `error_description` query parameters.
However, in Auth0 you can customize the error description received by your application using a Post-Login Action. You can modify the reason from the `api.access.deny(reason)` object, since the Post-Login API Object documentation describes the `reason` parameter as:

String. A human-readable explanation for rejecting the login. This is sent as `error_description` to the application that initiated the request.
Best regards,
Remus
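As an added illustration of the approach described in the reply above (example code, not from the thread or from Auth0's own docs): a Post-Login Action that calls `api.access.deny(reason)` with a generic message, so the `error_description` that ends up in the browser URL carries no user id or organization id. It assumes the membership rule is checked inside the Action against a hypothetical `app_metadata.allowed_orgs` list and that the login request included an organization, so `event.organization` is populated; `runLocally` is a stand-in for the Action runtime so the handler can be exercised offline.

```javascript
// Added example, not the thread's or Auth0's code.
// Assumptions: `allowed_orgs` under user app_metadata is a hypothetical key,
// and event.organization is set because the login request named an org.

const GENERIC_DENY_REASON = 'You do not have access to this organization.';

// Auth0 Post-Login Action entry point: exported as onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  const orgId = event.organization && event.organization.id;
  const meta = event.user.app_metadata || {};
  const allowed = Array.isArray(meta.allowed_orgs) ? meta.allowed_orgs : [];

  if (!orgId || !allowed.includes(orgId)) {
    // Keep identifying detail server-side (Action logs), not in the redirect.
    console.log(`denied login: user=${event.user.user_id} org=${orgId}`);
    // The reason string becomes error_description in the redirect URL,
    // so it deliberately contains no identifiers.
    api.access.deny(GENERIC_DENY_REASON);
  }
};

// In a real Action the runtime reads this export (CommonJS).
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Local stand-in for the Action runtime: records what deny() was called with.
// The handler body has no await, so deny() runs synchronously before return.
function runLocally(event) {
  const result = { denied: false, reason: null };
  const api = {
    access: {
      deny: (reason) => {
        result.denied = true;
        result.reason = reason;
      },
    },
  };
  onExecutePostLogin(event, api);
  return result;
}
```

Use the deny outcome from `runLocally` to confirm the returned reason never echoes the `auth0|…` user id or the `org_…` id shown in the question.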