Why do social signups act like logins but email/passwords give an error?

I read a great post here on this related subject, but it did not answer this specific question…

I note that if I sign up using Google, the next time I call Auth0 it logs me in if I accidentally use signup again. This is great! Because if my user accidentally presses my app’s Sign Up button instead of Login by mistake, Auth0 still responds to my app and, since I already have them in my database, I can treat them as a login. But if my user signs up to Auth0 using an email/password, then subsequently tries to sign up again using the same email/password, Auth0 says “Something went wrong. Try again later”. Of course, my user might be smart enough to press Auth0’s login link on the signup page and then they can log in.

Why are a Google signup and a username/password signup treated differently? I would have thought that in both cases, on finding that the user was in the Auth0 database, no matter whether it was a Google signup or an email/password signup, Auth0 would respond to my app indicating the user was registered. Why the strange error message in the one case but not the other?

Thanks,
Colin

Hi @colin.houghton123,

Welcome to the Auth0 Community!

I don’t have an answer as to the ‘why’ of social vs username/pw signup, but I can say that the error you are seeing is intentionally vague to prevent user enumeration attacks.

If you want a more verbose response (one indicating the user exists), you can change it in your tenant’s Settings > Advanced > Use a generic response in public signup API error message.

If you have some feedback, feel free to drop us a line in our Feedback category.

Hope that helps!
