Unable to provide auth0 authenticated users with an Access Denied experience


We’re implementing an Auth0 solution for one of our clients, and so far the documentation has been spectacular. External users are able to sign in and sign out successfully. Unfortunately, we’re experiencing some issues covering a fairly common edge case, and we seem to be stuck. The edge case revolves around providing users with an Access Denied experience.

First off, we are using the Microsoft.AspNetCore.Authentication.Cookies and Microsoft.AspNetCore.Authentication.OpenIdConnect packages along with Asp Net Core 2.2.

I think a quick overview may help to describe our overall auth0 implementation architecture. Essentially, external users follow this flow:

1. User clicks sign in with their domain, and they are routed to their login page.
2. External user signs in with their credentials.
3. When the external user is routed back to the app, we sign them in with a corresponding local account in our system.
4. We then sign them out of Auth0.

However, we are experiencing an issue at step 3 for a common edge case. When the external user is routed back to the app but does not have a valid matching local user, we would like to show an Access Denied error page. Unfortunately, we have not been able to figure out a solution, and consequently in our QA environment we get stuck on the /callback page with a 502 Bad Gateway error.

I’m hoping that there is a known solution out there for handling Access Denied errors when the user is able to externally authenticate, but their account does not have access locally to the system.
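One way to handle the "externally authenticated but no local account" case described in this post, as an added example that is not the poster's code and not part of Auth0's documentation: gate the sign-in inside the OpenID Connect handler's `OnTicketReceived` event, which runs after the token is validated but before the cookie is issued, and short-circuit to an Access Denied page when the local lookup fails. The `ILocalUserLookup` service, the `/Account/AccessDenied` page and the `YOUR_*` placeholder settings are assumptions for this example; the `OpenIdConnectEvents`, `HandleResponse()` and `OnRemoteFailure` members are the real ASP.NET Core 2.2 APIs.

```csharp
// Startup fragment for ASP.NET Core 2.2 (hypothetical example, not the original poster's code).
// Assumes a hypothetical ILocalUserLookup service registered in DI and an
// /Account/AccessDenied page that exists in the app.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public interface ILocalUserLookup
{
    // Hypothetical: returns true when the external subject identifier maps to an active local account.
    Task<bool> ExistsAsync(string externalSubject);
}

public partial class Startup
{
    public void ConfigureAuthentication(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            // Used by the cookie handler for [Authorize] failures on an already signed-in user.
            options.AccessDeniedPath = "/Account/AccessDenied";
        })
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://YOUR_AUTH0_DOMAIN/"; // placeholder
            options.ClientId = "YOUR_CLIENT_ID";            // placeholder
            options.ClientSecret = "YOUR_CLIENT_SECRET";    // placeholder
            options.ResponseType = "code";
            options.CallbackPath = "/callback";

            options.Events = new OpenIdConnectEvents
            {
                // Runs after the ID token has been validated but BEFORE the cookie
                // sign-in happens, so this is the place to require a matching local account.
                OnTicketReceived = async context =>
                {
                    // The OIDC handler maps the "sub" claim to ClaimTypes.NameIdentifier by default.
                    var subject = context.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                    var users = context.HttpContext.RequestServices
                        .GetRequiredService<ILocalUserLookup>();

                    if (string.IsNullOrEmpty(subject) || !await users.ExistsAsync(subject))
                    {
                        // Short-circuit: no local cookie is issued and the handler stops
                        // here, so the request never falls through /callback in a half-finished state.
                        context.HandleResponse();
                        context.Response.Redirect("/Account/AccessDenied");
                    }
                },

                // Any other remote failure (state mismatch, error from the identity provider,
                // exception thrown in the lookup above) lands here instead of surfacing as a 5xx.
                OnRemoteFailure = context =>
                {
                    context.HandleResponse();
                    context.Response.Redirect("/Account/AccessDenied");
                    return Task.CompletedTask;
                }
            };
        });
    }
}
```

Two points worth checking when adopting this: the Access Denied page should be reachable anonymously (no `[Authorize]`), since the user was deliberately not signed in locally; and because the redirect happens before step 4 of the flow above, the Auth0 session still exists, so the Access Denied page is the natural place to trigger the same Auth0 sign-out the normal path performs. Logging the rejected subject identifier at this point also gives the operations team a record of external logins that were refused locally.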