Raise Errors from Rules

The Auth0 login page can’t display an error message from a rule. If you want users to see a custom message raised from a rule, your app must display that message.

Any error resulting from a rule goes to your callback URL in the protocol’s standard response mode. For example, if your application requests authentication using OIDC/OAuth2, it receives a standard OAuth2 error with error and error_description result values.

Suppose your callback URL is https://travel0.com/callback and you’re using the standard query response mode. You would receive this response:

https://travel0.com/callback?error=access_denied&error_description=[The message you wrote in the rule]

It’s the role of your app to display the message to the user, such as:

[Image: sample error message]

Retry login after a rule error

A likely next step is to request a new authorization. However, in most cases, Auth0 already knows who the user is and so doesn’t ask for login information. Instead, rules run immediately and the rule denies authorization again. This can become an endless loop.

The user needs an opportunity to provide new credentials. There are two ways your app can make the login page display again:

  • Add a directive in the request to force the display of the login page:

    • Use a prompt=login parameter to an OIDC/OAuth2 request.

    • Use a ForceAuthn="true" attribute in a SAML request.

—or—

  • Log the user out of Auth0 before you send a new request.
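The following sketch shows one way an app could handle the callback described above: read error and error_description, escape the message before displaying it, and offer a retry link that carries prompt=login. It is an added example, not Auth0's own code. The tenant domain tenant.example, the client ID, and all function names are placeholders chosen for illustration.

```javascript
// Placeholders (assumptions, not values from the page): replace with your tenant and app.
const AUTH0_DOMAIN = "tenant.example";
const CLIENT_ID = "YOUR_CLIENT_ID";
const REDIRECT_URI = "https://travel0.com/callback";

// error_description arrives in the URL, so anyone who can craft a link
// controls its content. Escape it before placing it in HTML.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse the callback URL. Returns null when there is no error parameter.
function parseCallbackError(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get("error");
  if (error === null) return null;
  return { error, description: params.get("error_description") || "" };
}

// Build a new authorization request that forces the login page, so the user
// can enter different credentials instead of looping through the rule again.
// `state` must be a fresh random value that the app stores and checks later.
function buildRetryUrl(state) {
  const url = new URL(`https://${AUTH0_DOMAIN}/authorize`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: "openid",
    state,
    prompt: "login",
  }).toString();
  return url.toString();
}

// Render the fragment the app shows to the user after a denied login.
function renderErrorPage(callbackUrl, newState) {
  const err = parseCallbackError(callbackUrl);
  if (err === null) return "";
  const retry = escapeHtml(buildRetryUrl(newState));
  return `<p class="login-error">${escapeHtml(err.description)}</p>` +
         `<a href="${retry}">Sign in with a different account</a>`;
}
```
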
