Question:
My application is getting an access_denied error at the end of the flow. Why is that?
Answer:
access_denied happens when Auth0 can’t issue a token (Auth0 refuses the authorization). It can happen for many reasons, and the error_description parameter usually provides a useful hint.
E.g.
Service not found: […some invalid audience provided in the token request…]
User has canceled the interaction.
The most common source of these errors, however, is rules or actions. E.g. if you have A rule like this:
function(user, context, callback) {
if (someCondition()) {
return callback("You can't log in");
}
[...]
}
This will generate an access_denied error, with error_description=You can't login. Same thing for Actions:
exports.onExecutePostLogin = async (event, api) => {
api.access.deny("You can't log in");
};
A very common gotcha is that uncaught errors in rules or actions will also generate an access_denied error. E.g. this:
function(user, context, callback) {
// if user_metadata is not defined, this will cause a
// runtime error
const favorite_color = user.user_metadata.favorite_color;
[...]
}
The code above will fail if user_metadata is not defined, throwing a Can't access property "favorite_color" of undefined error. This will end up as an access_denied error, with Can't access property "favorite_color" of undefined in the error_description.
So, if you get access_denied, check your rules first!
Note
If you return a new UnauthorizedError("some message") object in the callback, you get unauthorized instead of access_denied as the error.
function(user, context, callback) {
if (someCondition()) {
return callback(new UnauthorizedError("You can't log in"));
}
[...]
}
This causes:
error=unauthorized
&error_description=You can't log in
For a demonstration of this issue, refer to the following video.
