Why am I getting a weird error when enabling domain whitelisting?

I have set this rule in the Auth0 pipeline tab:

function emailDomainWhitelist(user, context, callback) {
  // Access should only be granted to verified users.
  if (!user.email || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  const whitelist = ['vvce.ac.in']; //authorized domains
  const userHasAccess = whitelist.some(function (domain) {
    const emailSplit = user.email.split('@');
    return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
  });

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  return callback(null, user, context);
}

The above code works fine if I log in first with an email containing the proper domain name.
However, if I log in with another domain I get the error "unauthorized (Access denied.)".
That is also fine for me.

The problem is that every time I click on the sign-in button I get the same error without the sign-in box being shown (there is no way to sign in using the proper domain once you have used a different domain).
I even tried going to localhost:3000/api/auth/logout to log out in Next.js.
It still gives the same error.
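As an added example (not part of the original post), the rule above can be driven offline against constructed users to confirm exactly which accounts it lets through. Auth0 provides UnauthorizedError as a global inside rules, so a stand-in class is defined here; the user objects and the runRule helper are constructed for this test and are not part of the rule.

```javascript
// Stand-in for the UnauthorizedError global that Auth0 exposes to rules.
class UnauthorizedError extends Error {}

// The rule exactly as posted above.
function emailDomainWhitelist(user, context, callback) {
  // Access should only be granted to verified users.
  if (!user.email || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  const whitelist = ['vvce.ac.in']; // authorized domains
  const userHasAccess = whitelist.some(function (domain) {
    const emailSplit = user.email.split('@');
    return emailSplit[emailSplit.length - 1].toLowerCase() === domain;
  });

  if (!userHasAccess) {
    return callback(new UnauthorizedError('Access denied.'));
  }

  return callback(null, user, context);
}

// Run the rule with a capturing callback and report the decision.
// The rule calls its callback synchronously, so the outcome is set on return.
function runRule(user) {
  let outcome;
  emailDomainWhitelist(user, {}, function (err) {
    outcome = err instanceof UnauthorizedError ? 'denied' : 'allowed';
  });
  return outcome;
}

// Constructed users covering the cases that matter for a domain check.
const cases = [
  { label: 'verified, whitelisted domain', user: { email: 'alice@vvce.ac.in', email_verified: true } },
  { label: 'uppercase domain (case-insensitive match)', user: { email: 'bob@VVCE.AC.IN', email_verified: true } },
  { label: 'unverified email', user: { email: 'carol@vvce.ac.in', email_verified: false } },
  { label: 'other domain', user: { email: 'dave@example.com', email_verified: true } },
  { label: 'lookalike domain with whitelisted prefix', user: { email: 'eve@vvce.ac.in.example.com', email_verified: true } },
  { label: 'no email on the profile', user: { email_verified: true } },
];

for (const c of cases) {
  console.log(`${c.label}: ${runRule(c.user)}`);
}
```

The lookalike case is the one worth noticing: because the rule compares the whole part after the last "@" with strict equality rather than using endsWith or a regex, an attacker-controlled domain such as vvce.ac.in.example.com is denied.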

Hi @hussamkhatib

This is a side effect of the way the authorization pipeline works with rules:

  1. User logs in
  2. An authenticated session is established (i.e. Auth0 remembers who the user is)
  3. Rules run (where you can optionally deny authorization).

Now, the next time the application requests an authorization, since an authenticated session is already in place, Auth0 can go to the rules stage directly without prompting the user to log in again.

What you can do from the application is send Auth0 a hint (with the parameter prompt=login in the authorization request) so that Auth0 will ask the user to authenticate again (giving the user the opportunity to use a different set of credentials).

You might want to use prompt=login only as a fallback mechanism (after the application gets the access_denied error from Auth0) to avoid prompting regular users to authenticate more often than necessary.

Another option is to make the application redirect the user to the logout endpoint after receiving the access_denied error, so that the session with Auth0 is cleared and the login screen will be displayed the next time an authorization is requested.

Hope that helps!


Thanks for having a look @nicolas_sabena.
Can I know where I can pass the parameter prompt=login, on the client side or in the Auth0 dashboard? Any links will be helpful.
This link seems not to be helpful about how to pass the parameter prompt: login.

Another option is to make the application redirect the user to the logout endpoint after receiving the access_denied error, so that the session with Auth0 is cleared and the login screen will be displayed the next time an authorization is requested.

Unfortunately that won't work because I still get the error if I manually enter the logout route in Next.js.

It seems that you are using Next.js. I'm not super familiar with the SDK, but it seems that to pass external parameters you can provide custom handlers to handleAuth, according to the comments in https://github.com/auth0/nextjs-auth0/blob/main/src/handlers/auth.ts.
So instead of exporting handleAuth() directly from the SDK (as in https://github.com/auth0-samples/auth0-nextjs-samples/blob/main/Sample-01/pages/api/auth/[...auth0].js), you can do this:

/**
* If you want to add some custom behavior to the default auth handlers, you can pass in custom handlers for
* `login`, `logout`, `callback` and `profile` eg
**/
// pages/api/auth/[...auth0].js
import { handleAuth, handleLogin } from '@auth0/nextjs-auth0';
import { errorReporter } from '../../../utils'; // your application's own error reporting helper

export default handleAuth({
  async login(req, res) {
    try {
      // Pass custom params through to the /authorize request.
      // prompt=login makes Auth0 show the login page even when a session already exists.
      await handleLogin(req, res, { authorizationParams: { prompt: 'login' } });
    } catch (error) {
      // Add your own custom error logging.
      errorReporter(error);
      res.status(error.status || 500).end(error.message);
    }
  }
});

The repo at https://github.com/auth0/nextjs-auth0 has some additional information in the readme that you might find useful.

Unfortunately that won't work because I still get the error if I manually enter the logout route in Next.js.

That should work if the logout endpoint in Auth0 is being hit. Maybe there’s something else in the flow preventing the logout? Does logout work under normal circumstances? Do you see a “successful logout” entry in the tenant logs when you do that?
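The two options from the earlier reply (prompt=login only as a fallback after access_denied, or a redirect to the logout endpoint) can be modelled without the SDK. The block below is an added example, not code from the thread or from @auth0/nextjs-auth0: it builds the /authorize and /v2/logout URLs by hand so the logic runs offline. The tenant URL, client id and callback URL are assumed placeholder values, and the session object stands in for whatever server-side session store the application uses.

```javascript
// Assumed placeholder values; replace with your tenant's settings.
const TENANT = 'https://example-tenant.auth0.com';
const CLIENT_ID = 'assumed-client-id';
const REDIRECT_URI = 'http://localhost:3000/api/auth/callback';

// Build the authorization request. prompt=login is added only when the
// session records that the previous attempt ended in access_denied, and the
// flag is cleared immediately so regular users are not re-prompted forever.
function buildAuthorizeUrl(session, state) {
  const url = new URL('/authorize', TENANT);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('scope', 'openid profile email');
  url.searchParams.set('state', state);
  if (session.forceLogin) {
    url.searchParams.set('prompt', 'login');
    session.forceLogin = false;
  }
  return url.toString();
}

// Interpret the query string Auth0 sends back to the callback URL. A rule
// that calls callback(new UnauthorizedError('Access denied.')) arrives here
// as error=access_denied with the rule's message in error_description.
// The state parameter is checked first, as it would be in any OAuth callback.
function handleCallbackQuery(query, session, expectedState) {
  if (query.state !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  if (query.error === 'access_denied') {
    session.forceLogin = true; // next login must let the user switch accounts
    return { ok: false, reason: query.error_description || query.error };
  }
  if (query.error) {
    return { ok: false, reason: query.error };
  }
  return { ok: true, code: query.code };
}

// The other option: send the browser to the tenant's logout endpoint so the
// Auth0 session is cleared and the next /authorize shows the login page.
function buildLogoutUrl(returnTo) {
  const url = new URL('/v2/logout', TENANT);
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// Walk through the scenario from the question with constructed callback data.
function scenario() {
  const session = { forceLogin: false };

  // 1. Normal login attempt: no prompt parameter.
  const first = new URL(buildAuthorizeUrl(session, 'state-1'));

  // 2. Rule denies the wrong-domain account; Auth0 redirects back with the error.
  const denied = handleCallbackQuery(
    { error: 'access_denied', error_description: 'Access denied.', state: 'state-1' },
    session,
    'state-1'
  );

  // 3. Fallback: the next attempt forces re-authentication.
  const second = new URL(buildAuthorizeUrl(session, 'state-2'));

  // 4. After that, attempts go back to relying on the existing session.
  const third = new URL(buildAuthorizeUrl(session, 'state-3'));

  return {
    firstPrompt: first.searchParams.get('prompt'),
    denied,
    secondPrompt: second.searchParams.get('prompt'),
    thirdPrompt: third.searchParams.get('prompt'),
    logoutUrl: buildLogoutUrl('http://localhost:3000/'),
  };
}

console.log(scenario());
```

Keeping the one-shot forceLogin flag server-side rather than in a query parameter the browser controls means a user cannot skip the fallback by editing the URL, and checking state before looking at error means a forged access_denied redirect cannot flip the flag either.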

That should work if the logout endpoint in Auth0 is being hit. Maybe there’s something else in the flow preventing the logout? Does logout work under normal circumstances? Do you see a “successful logout” entry in the tenant logs when you do that?

Logout does work under normal circumstances.
I didn't check the logs; in fact I haven't been checking them at all elsewhere either.

The first solution is working for me. I have not added any fallback (calling the login prompt only if denied)
for now though.


Perfect! Glad to hear that!
