Action login flow - acr value from upstream Okta IDP is not being populated for Auth0 to leverage

Hi all,

Scenario: I have a SPA application connected with Auth0 and Okta acting as an IDP.

Context: I am trying to leverage a Login Action to check the acr value to inform Auth0 if 2fa has already been performed upstream on the IDP. This will allow me to apply some logic to either allow the user to progress through to the app if the user has previously performed 2fa on an IDP organisation or, if not, enforce another event such as a local Auth0 Guardian enrolment.

Action Code:

```js
exports.onExecutePostLogin = async (event, api) => {
  // Check if the ACR claim array has values
  const acrClaim = event.transaction.acr_values;
  if (!acrClaim || acrClaim.length === 0) {
    // ACR claim is either not present or has no values, indicating 2FA was not completed upstream.
    console.log('ACR claim is not present or has no values, enforcing 2FA');
    // Check if the user has already enabled MFA with the "guardian" provider
    const enabledMfa = event.user.app_metadata && event.user.app_metadata.guardian;
    if (!enabledMfa) {
      console.log("MFA not enrolled. Enrolling user.");
      // Require the user to enroll in MFA using the Guardian provider.
      api.multifactor.enable("guardian");
      // Update the user's metadata to represent that they've enabled MFA with the "guardian" provider.
      // setAppMetadata takes a key and a value, not an object.
      api.user.setAppMetadata("guardian", true);
    }
  } else {
    // ACR claim has values, indicating authentication strength was indicated.
    console.log('ACR claim has values:', acrClaim);
  }
};
```

Problem: When debugging the code, I can validate that it picks up the acr value and performs the correct action, but when running this against Okta as an IDP, as it would during a proper authentication flow, event.transaction returns no acr values from Okta’s authentication flow, which includes 2FA. I have also tested this with Azure acting as an IDP and had the same result.

Any suggestions would be greatly appreciated.

Thanks.
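An added example, not part of the original post: a Node.js harness that runs the same branch logic as the Action above against constructed events, with a stub `api` that records calls. It assumes, per Auth0's Actions event documentation, that `event.transaction.acr_values` holds the `acr_values` sent in the application's authorization request; the event objects and the value `urn:example:mfa` are constructed.

```javascript
// Added example. The events and the recording `api` stub are constructed.
// Same branches as the Action in the post, written synchronously because
// the stub api below is synchronous.
function onExecutePostLogin(event, api) {
  const acrClaim = event.transaction.acr_values;
  if (!acrClaim || acrClaim.length === 0) {
    const enabledMfa = event.user.app_metadata && event.user.app_metadata.guardian;
    if (!enabledMfa) {
      api.multifactor.enable("guardian");
      api.user.setAppMetadata("guardian", true);
    }
  }
}

// Stub that records which api methods the handler calls.
function makeApi(calls) {
  return {
    multifactor: { enable: (provider) => calls.push(`multifactor.enable:${provider}`) },
    user: { setAppMetadata: (key, value) => calls.push(`setAppMetadata:${key}=${value}`) },
  };
}

// Run the handler on one event and return the recorded api calls.
function run(event) {
  const calls = [];
  onExecutePostLogin(event, makeApi(calls));
  return calls;
}

// Test event with acr_values filled in by hand, as in the Actions debugger.
const debuggerTest = {
  transaction: { acr_values: ["urn:example:mfa"] },
  user: { app_metadata: {} },
};
// Federated login where the application's request carried no acr_values.
const federatedFirst = {
  transaction: { acr_values: [] },
  user: { app_metadata: {} },
};
// The same user on a later login, after guardian: true was stored.
const federatedLater = {
  transaction: { acr_values: [] },
  user: { app_metadata: { guardian: true } },
};

for (const [name, ev] of Object.entries({ debuggerTest, federatedFirst, federatedLater })) {
  console.log(name, run(ev));
}
```

The third case records no `api.multifactor.enable` call: once `guardian: true` is stored, a later login without `acr_values` passes through this logic with no MFA step requested.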

Any suggestions from anyone? I can’t get this ACRS value to populate.


Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!