Cannot Get Back to Login Screen After an Action Denies Access

Overview

This article explains why a user may not be able to return to the login screen after being denied access by a Post-Login Action and how to resolve this issue. When a Post-Login Action calls api.access.deny(), the user's Auth0 session persists, so a repeated login attempt re-runs the Action without prompting for credentials and is denied again, producing a redirect loop unless the session is ended.

Applies To
  • Auth0 Actions

  • api.access.deny()

  • Post-Login Flow

Cause

The api.access.deny() method in a Post-Login Action is designed to stop the authentication flow and prevent a user from logging in. However, it does not automatically terminate the user's existing session with Auth0.

If a user has an active session and is denied access by an Action, subsequent login attempts will not prompt for credentials. Instead, the active session is detected, the Post-Login Action runs again, and api.access.deny() is called again, creating a redirect loop where the user is continuously sent back to the application with an access_denied error.

Solution

To prevent this redirect loop and allow the user to return to the login screen, the user's session must be terminated after access is denied. This can be accomplished by redirecting the user to the Auth0 logout endpoint from within the Post-Login Action.

Example Action Script:

This script does not call api.access.deny(); instead, when access should be refused, it redirects the user straight to the logout endpoint, which ends the Auth0 session. The returnTo parameter in the logout URL should be set to the application's login page or a custom error page.

exports.onExecutePostLogin = async (event, api) => {
  const shouldDeny = true; // Replace with your custom logic

  if (shouldDeny) {
    // Use the hostname the login request arrived on (event.request.hostname)
    // so the logout clears the session cookie set by that same domain,
    // including when a custom domain is in use.
    const logoutURL = `https://${event.request.hostname}/v2/logout`;
    // Replace with your login page or a custom error page; it must be
    // listed in the application's Allowed Logout URLs.
    const redirectURI = `https://${event.request.hostname}/`;

    api.redirect.sendUserTo(logoutURL, {
      query: {
        client_id: event.client.client_id,
        returnTo: redirectURI
      }
    });

    return; // Stop further execution
  }
};

Key Implementation Details:

  • api.redirect.sendUserTo(): This method redirects the user to the specified URL and pauses the Action. Use it instead of api.access.deny() in this scenario. A redirect is only possible in browser-based flows; in non-interactive flows (for example a refresh token exchange) there is no session to clear, so a plain api.access.deny() is sufficient there.

  • Logout URL: The URL must be the /v2/logout endpoint on the same domain the login request used (the custom domain, if one is configured), because that is the domain holding the session cookie.

  • client_id: When client_id is present, Auth0 validates returnTo against that application's Allowed Logout URLs; when it is omitted, the tenant-level Allowed Logout URLs are used instead.

  • returnTo: This parameter specifies where the user is sent after the logout completes. The URL must be listed in the Allowed Logout URLs of the application (or of the tenant, if no client_id is passed); otherwise Auth0 rejects the logout request and the user is not redirected.

By redirecting the user to the logout endpoint, their session is terminated, and they will be presented with the login screen on their next attempt to access the application.
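The following is an added example, not Auth0's own sample code, showing the same logout-redirect approach with the decision logic factored out so the Action can be unit tested offline against a fake event and api object. The blocking rule (an app_metadata.blocked flag), the error page URL, the custom domain hostname, the client_id, and the non-interactive protocol names are all assumptions for illustration; in the non-interactive case the Action falls back to api.access.deny() because no browser is present to follow a redirect.

```javascript
// Added example: a Post-Login Action that denies by redirecting to /v2/logout,
// with a pure decide() step that can be tested offline. Not Auth0's own code.

// Assumed application-specific rule: users flagged in app_metadata are blocked.
function shouldDenyAccess(event) {
  const meta = (event.user && event.user.app_metadata) || {};
  return meta.blocked === true;
}

// Flows with no browser cannot follow a redirect; there a plain deny is the
// right tool. Protocol names are assumed from the event.transaction schema.
const NON_INTERACTIVE = new Set([
  'oauth2-refresh-token',
  'oauth2-password',
  'oauth2-resource-owner',
]);

// Placeholder; must appear verbatim in the app's Allowed Logout URLs.
const ERROR_PAGE = 'https://app.example.com/access-denied';

// Pure decision step: describes what the Action should do without touching api.
// event.request.hostname keeps the logout on the same domain that issued the
// session cookie, which matters when a custom domain is in use.
function decide(event, errorPage) {
  if (!shouldDenyAccess(event)) return { action: 'allow' };
  const protocol = event.transaction && event.transaction.protocol;
  if (NON_INTERACTIVE.has(protocol)) {
    return { action: 'deny', reason: 'access_denied' };
  }
  return {
    action: 'redirect',
    url: `https://${event.request.hostname}/v2/logout`,
    query: { client_id: event.client.client_id, returnTo: errorPage },
  };
}

// Apply the decision through the Actions api object.
function apply(decision, api) {
  if (decision.action === 'redirect') {
    api.redirect.sendUserTo(decision.url, { query: decision.query });
  } else if (decision.action === 'deny') {
    api.access.deny(decision.reason);
  }
}

const onExecutePostLogin = async (event, api) => {
  apply(decide(event, ERROR_PAGE), api);
};
if (typeof module !== 'undefined') module.exports.onExecutePostLogin = onExecutePostLogin;

// Offline harness: a fake api that records calls, and a constructed event
// shaped like a browser login on an assumed custom domain.
function makeFakeApi() {
  const calls = [];
  return {
    calls,
    redirect: { sendUserTo: (url, opts) => calls.push({ kind: 'redirect', url, opts }) },
    access: { deny: (reason) => calls.push({ kind: 'deny', reason }) },
  };
}

function makeEvent(overrides) {
  return Object.assign({
    request: { hostname: 'login.example.com' },   // assumed custom domain
    client: { client_id: 'abc123' },              // assumed client_id
    transaction: { protocol: 'oidc-basic-profile' },
    user: { app_metadata: { blocked: true } },
  }, overrides);
}

// Runs decide()+apply() against the fake api and returns the recorded calls.
function runOffline(eventOverrides) {
  const api = makeFakeApi();
  apply(decide(makeEvent(eventOverrides), ERROR_PAGE), api);
  return api.calls;
}
```

Running runOffline({}) for a blocked browser login records exactly one sendUserTo call to https://login.example.com/v2/logout carrying client_id and returnTo, and no api.access.deny() call; a refresh token exchange for the same user records a deny instead.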
