Test the User Confirmation Prompt for Non-Verifiable Callback URIs

Overview

Auth0 helps prevent application impersonation by prompting users to confirm logins from non-verifiable callback URIs, such as custom schemes or loopback URIs.

Turning off the confirmation prompt in the tenant configuration, or using a verifiable callback URI, guarantees that the service does not display the prompt. The reverse does not hold: enabling the prompt and using a non-verifiable callback URI does not by itself guarantee that the prompt appears, because it is shown only when the user has not had to complete any other prompt as part of the authentication request.

As a result of this behavior, it is important to follow a defined approach when testing the confirmation prompt.

Applies To
  • Applications
  • Universal Login
  • Non-Verifiable Callback URIs

Solution

On a development tenant, ensure the following prerequisites are met:

  • Enable the prompt globally (Auth0 Dashboard > Settings > Advanced) via the Non-Verifiable Callback URI End-User Confirmation setting.
  • Create an OIDC-conformant test application to use a non-verifiable callback URI and allow authentication through a database connection.
  • Set the Multifactor Authentication (MFA) policy to Never and do not trigger MFA from any custom post-login extensibility.
  • Ensure that any post-login extensibility does not trigger a redirect.
  • Ensure that the tenant-level session lifetimes are greater than the time required to perform the steps below.

To trigger the confirmation prompt, perform the following steps:

  1. In a new browser session, start a login request (/authorize) for the test application.
  2. Complete the user login by submitting the user credentials and, if required, accepting the standard consent prompt.
  3. In the same browser session, start a second login request for the test application. This request must omit the prompt parameter.

At step 3, the user confirmation prompt will display because there is a valid authentication session and no other prompts are required, such as MFA. In summary, the user confirmation prompt displays when the login request would otherwise complete without user interaction.

For quicker testing, start by using an Auth0 quickstart. For example, the JavaScript (Single Page App) quickstart runs on a localhost URL (non-verifiable callback URI). To get started, open the quickstart home page on two browser tabs. In the first tab, select Login and complete the first two steps of the process. Then, in the second tab, select Login to perform the final step.
