We are blocking unregistered social login users (Google/Apple) in a Post-Login Action. When a user who is not registered in our system authenticates via a social provider, we block them and redirect them to an informational screen.
Problem:
Despite blocking the user in the Post-Login Action, the social provider SSO session remains active. This causes the application’s silent authentication to immediately re-trigger, re-authenticate via the social provider, and hit the Post-Login Action again — creating a continuous loop.
We have tried:
- Deleting the Auth0 user — the social provider re-creates it on the next silent auth
- Deleting Auth0 sessions via `DELETE /api/v2/users/{id}/sessions` — the session is re-created immediately
- Unlinking the social identity via `DELETE /api/v2/users/{id}/identities/{provider}/{user_id}` — reduces the loop but does not fully stop it, as a new identity is created on the next attempt
Question:
What is the recommended approach to fully invalidate a social provider session from within a Post-Login Action so that silent re-authentication cannot occur after a user is blocked?
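As an added example (not the poster's code, and not a solution to the question above), here is a Post-Login Action in the shape the post describes: it denies social logins whose Auth0 user is not registered, and the denial reaches the application as an `access_denied` error. Assumptions not taken from the post: registration is tracked as `app_metadata.registered === true`, social connections are recognised by their connection strategy name, and the informational page URL is hypothetical. The decision is kept in a pure function so it can be exercised offline with constructed events; as the post reports, nothing in an Action touches the social provider's own session, so a silent authentication attempt will re-authenticate and run this same code again.

```javascript
// Added example of the blocking logic described in the post; not the poster's Action.
// Assumptions (not from the post): registration is stored as app_metadata.registered,
// social connections are identified by strategy name, and INFO_URL is hypothetical.

const SOCIAL_STRATEGIES = new Set(["google-oauth2", "apple"]);
const INFO_URL = "https://example.com/not-registered"; // hypothetical informational screen

// event.connection.strategy is the connection type Auth0 authenticated the user with.
function isSocialLogin(event) {
  const strategy = event && event.connection && event.connection.strategy;
  return SOCIAL_STRATEGIES.has(strategy);
}

// Assumed registration marker: app_metadata.registered set to true by the application.
function isRegistered(event) {
  const meta = event && event.user && event.user.app_metadata;
  return Boolean(meta && meta.registered === true);
}

// Pure decision: unregistered social users are denied, everyone else passes through.
// Kept separate from the Action handler so it can be tested without the Auth0 runtime.
function decideAccess(event) {
  if (isSocialLogin(event) && !isRegistered(event)) {
    return {
      allow: false,
      // Returned to the application in error_description; the app can use it to
      // route the user to the informational screen instead of retrying.
      reason: `unregistered_social_user ${INFO_URL}`,
    };
  }
  return { allow: true, reason: null };
}

// The Action entry point. In the Auth0 editor this is exported as
// exports.onExecutePostLogin; it is a plain function here so the file runs stand-alone.
async function onExecutePostLogin(event, api) {
  const decision = decideAccess(event);
  if (!decision.allow) {
    // Ends the transaction with error=access_denied for the calling application.
    // It does not invalidate the Auth0 session or the social provider's session.
    api.access.deny(decision.reason);
  }
}

// Constructed sample events for offline use (not captured from a real tenant).
const SAMPLE_EVENTS = {
  unregisteredGoogle: {
    connection: { strategy: "google-oauth2", name: "google-oauth2" },
    user: { user_id: "google-oauth2|1", email: "new@example.com", app_metadata: {} },
  },
  registeredApple: {
    connection: { strategy: "apple", name: "apple" },
    user: { user_id: "apple|2", email: "known@example.com", app_metadata: { registered: true } },
  },
  databaseUser: {
    connection: { strategy: "auth0", name: "Username-Password-Authentication" },
    user: { user_id: "auth0|3", email: "db@example.com", app_metadata: {} },
  },
};

// Minimal stand-in for the Actions `api` object that records what deny() was called with.
function runWithMockApi(event) {
  let denied = null;
  const api = { access: { deny(reason) { denied = reason; } } };
  return onExecutePostLogin(event, api).then(() => denied);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, event] of Object.entries(SAMPLE_EVENTS)) {
    console.log(name, decideAccess(event));
  }
}
```

`decideAccess` is what a reviewer would unit-test; `onExecutePostLogin` is the thin wrapper that belongs in the Action editor. The `isRegistered` check is the assumption to adapt: whatever the real system uses to mark a registered account (a lookup against an external API, a metadata flag set at signup) goes there.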