Prevent User Creation From Social Logins Within Auth0
This article explains a workaround to prevent users who sign in via a social connection from being permanently added to the user list in Auth0. Since the signup process for social logins occurs at the external identity provider, a direct prevention method is not available.
- Social Login
- User Creation
- Auth0
When a user authenticates through a social connection, the signup and profile creation are managed by the external identity provider (for example, Google, GitHub), not Auth0. This process automatically creates a user profile in Auth0, with no built-in feature to block it beforehand.
To prevent a new user from being added to the User Management list after a social login, create a Login Action that checks whether the user already existed before this login. If the user did not, the Action denies the login and deletes the newly created user profile. For the steps to create an Action, see Write Your First Action.
In the Action editor, add code that uses the Management API to search for the user. If the user is not found, the code should deny access and delete the user profile from Auth0.
Example Post-Login Action:
```javascript
/**
 * Post-Login Action: Block new social login signups
 *
 * Prevents new users from being permanently added via social connections.
 * If a user has no prior logins (just auto-created by the social IDP),
 * their Auth0 profile is deleted and access is denied.
 *
 * Required secrets:
 *   AUTH0_DOMAIN       - tenant domain, e.g. mytenant.auth0.com (NOT a custom domain)
 *   MGMT_CLIENT_ID     - M2M app client ID with delete:users permission
 *   MGMT_CLIENT_SECRET - M2M app client secret
 *
 * Required npm module: auth0
 */
const SOCIAL_STRATEGIES = new Set([
  'google-oauth2',
  'github',
  'facebook',
  'twitter',
  'linkedin',
  'microsoft',
  'apple',
  'windowslive',
  'yahoo',
]);

exports.onExecutePostLogin = async (event, api) => {
  const strategy = event.connection.strategy;
  if (!SOCIAL_STRATEGIES.has(strategy)) {
    return;
  }

  // logins_count === 1 means the user was just auto-created by this social login
  if (event.stats.logins_count !== 1) {
    return;
  }

  // Linked accounts: Auth0 resolves the primary identity, so event.user.user_id will carry
  // the primary connection's prefix (e.g. "auth0|...") even when logging in via a social
  // connection. If the prefix doesn't match the current strategy, this is an existing user
  // who linked a social account: allow them through and do not attempt deletion.
  const primaryStrategy = event.user.user_id.split('|')[0];
  if (primaryStrategy !== strategy) {
    return;
  }

  const { ManagementClient } = require('auth0');
  const mgmt = new ManagementClient({
    domain: event.secrets.AUTH0_DOMAIN,
    clientId: event.secrets.MGMT_CLIENT_ID,
    clientSecret: event.secrets.MGMT_CLIENT_SECRET,
  });

  try {
    // The SDK's users.delete() takes a params object ({ id }), not a bare user ID string.
    await mgmt.users.delete({ id: event.user.user_id });
  } catch (err) {
    // Log the failure but still deny below, so the user never receives a session;
    // an orphaned profile can be removed manually from User Management.
    console.error(`Failed to delete unregistered social user ${event.user.user_id}: ${err.message}`);
  }

  api.access.deny(
    'Your account is not registered. Please contact an administrator to request access.'
  );
};
```
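Because the Action's decision hinges on three fields (`connection.strategy`, `stats.logins_count` and the `user_id` prefix), it is worth exercising the allow/deny paths offline before deploying. The harness below is an added example, not Auth0 code: `handlerUnderTest` is a hypothetical, trimmed copy of the Action above that takes the deletion function as a parameter, so no Management API call or `auth0` module is needed, and the `event`/`api` objects are constructed stubs containing only the fields the Action reads.

```javascript
// Added example: offline harness for the Action's allow/deny logic (constructed, not Auth0 code).
const SOCIAL = new Set(['google-oauth2', 'github', 'facebook', 'apple']);

// Hypothetical trimmed copy of the page's Action; deleteUser replaces the Management client.
async function handlerUnderTest(event, api, deleteUser) {
  const strategy = event.connection.strategy;
  if (!SOCIAL.has(strategy)) return;               // not a social connection
  if (event.stats.logins_count !== 1) return;      // returning user
  if (event.user.user_id.split('|')[0] !== strategy) return; // linked account
  await deleteUser(event.user.user_id);
  api.access.deny('Your account is not registered.');
}

// Build a minimal Actions `event` stub; only the fields the Action reads are populated.
function makeEvent(userId, strategy, loginsCount) {
  return {
    user: { user_id: userId },
    connection: { strategy },
    stats: { logins_count: loginsCount },
    secrets: {},
  };
}

// Run one scenario and report whether access was denied and which user IDs were deleted.
async function runScenario(userId, strategy, loginsCount) {
  const deleted = [];
  let denied = false;
  const api = { access: { deny: () => { denied = true; } } };
  await handlerUnderTest(makeEvent(userId, strategy, loginsCount), api,
    async (id) => { deleted.push(id); });
  return { denied, deleted };
}

// The four cases a reviewer should see behave differently (sample IDs are constructed).
async function runAll() {
  return {
    firstSocialLogin: await runScenario('github|12345', 'github', 1),
    returningSocialUser: await runScenario('github|12345', 'github', 7),
    linkedAccount: await runScenario('auth0|abc', 'github', 1),
    databaseUser: await runScenario('auth0|abc', 'auth0', 1),
  };
}

runAll().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Only the first scenario should report a deletion and a denial; a change to the Action that makes the linked-account case deny would surface here before it locks out existing users.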