Users Registered with Facebook Have No Email Address

Last Updated: Dec 17, 2024

Overview

Sometimes, Facebook users without an email address appear even though the client has configured the Facebook social connection to request the “email” scope in the OAuth flow. This article details how this happens and clarifies whether it is possible to prevent this type of user.

Applies To

  • Facebook
  • Social Connection

Cause

Facebook does not always send an email for a user; sometimes, a Facebook account has no email associated with it, and Auth0 creates the user profile based on what Facebook returns.

Another possibility is that the user denies email permission when logging in via Facebook. When users authenticate, they are prompted to accept the permissions that the app has requested. The user can deny email, which could also be the cause of this issue.

Solution

To stop these users, use a Rule like the one linked below to detect whether the account comes from a social connection and, if so, check whether the profile has an email field. If no email is found, reject the login. This would not stop the user’s profile from being created, as our pre-user registration Hooks / Actions only work for Database and Passwordless connections, but it could at least stop them from being able to complete the login.

Another option requires more work but allows users to sign up with social accounts that lack an email address. Create a user in a standard database connection with an email address and password, and ask the user to sign up with one. Link the Facebook account to the standard database user, with the latter being the primary identity (this is important to get the email associated with the user). When they log in via Facebook, they will be logged into the standard database user, and there will be an email for their account. Refer to User Account Linking.
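
The check described in the first option, and how it treats a Facebook identity linked under a database user as in the second option, shown as an added example (this is not the Rule the article links to). The function name, error message, and sample profiles are assumptions made for illustration; the local harness below the Rule is only there so it can be run outside Auth0.

```javascript
// Added example: an Auth0 Rule that denies social logins lacking an email.
function rejectSocialLoginWithoutEmail(user, context, callback) {
  // UnauthorizedError is a global inside the Rules sandbox; fall back to Error
  // so the function can also be run outside Auth0.
  const Deny = typeof UnauthorizedError === 'function' ? UnauthorizedError : Error;

  // Identity that was actually used for this login.
  const identities = user.identities || [];
  const used = identities.find((id) => id.connection === context.connection);
  const isSocial = Boolean(used && used.isSocial);

  // user.email is taken from the primary identity, so a Facebook identity
  // linked under a database user that has an email still passes.
  const hasEmail = typeof user.email === 'string' && user.email.trim() !== '';

  if (isSocial && !hasEmail) {
    return callback(new Deny('An email address is required to log in.'));
  }
  return callback(null, user, context);
}

// Local harness with constructed profiles (not real users).
function runRule(user, context) {
  let outcome;
  rejectSocialLoginWithoutEmail(user, context, (err) => {
    outcome = err ? 'denied: ' + err.message : 'allowed';
  });
  return outcome;
}

const fb = { connection: 'facebook', provider: 'facebook', isSocial: true };
const db = { connection: 'Username-Password-Authentication', provider: 'auth0', isSocial: false };

const samples = {
  facebookNoEmail: { user_id: 'facebook|1001', identities: [fb] },
  facebookWithEmail: { user_id: 'facebook|1002', email: 'a@example.com', identities: [fb] },
  linkedToDatabase: { user_id: 'auth0|2001', email: 'b@example.com', identities: [db, fb] },
};

for (const [name, user] of Object.entries(samples)) {
  console.log(name, '->', runRule(user, { connection: 'facebook' }));
}
```

Only the Rule function itself would be pasted into the Rules editor; the harness and sample profiles stay local.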