August 27 Auth0 Community Ask Me Anything: Actions

Community News Community AMA Series
23

There have been discussions about either considering support for Pre User Registration / Post User Registration for Social / Enterprise connections, or having a different Trigger type specific for those.

But there isn’t an imminent plan to deliver this functionality.

Would you mind posting your specific use case? Which could serve as evidence for future ideating

1 Like
24

There are plans to make it Cross-Trigger in the future, which would increase the coverage over other Triggers and Actions types.

Could you help us by posting your specific use case? It will be a source for future ideating

1 Like
25

Currently, there is no way to control the passkey progressive enrollment from Extensibility like Actions or Custom Database Scripts.

Would you mind explaining your use case? Which would be helpful for our Product Team to ideate.

1 Like
26

Actions Cache is expected to be used to share information that is relevant to all Actions unrelated to the user or the specific transaction, such information would be expected to be reused several times on multiple executions.

For example, an Access Token obtained on behalf of the Actions to authorize the interaction of those Actions with an external service.

Actions Transaction Metadata is expected to be used to share information between Actions on the same execution and transaction, which is implicitly related to the same user.

For example, an Access Token obtained on behalf of the user to authorize the interaction of the executing Actions with an external service on behalf of that user, which will be cleared after the current transaction is finished.

Both the cache and transaction metadata can help improve the performance by not having to retrieve or calculate the same data when present in the storage, but the scope of access and meaning of the information is different between them.

The cache as the transaction metadata currently, is not accesible cross-trigger.

The cache has scenarios where values set may not be available, like after continuation of MFA challenge, redirects, and forms rendering, which also depend on how the infrastructure scales below the hood.

Useful Docs:

1 Like
27

For performance and reliability of each Action it is important to:

  • Cache when possible to reduce the dependency on external services or extra processing.

  • Handling errors and using timeouts properly.

  • Reducing the complexity of the code minimum is always a plus.

  • Finishing the Actions early when conditions match.

  • Additionally, there are some patterns that can be applied, like:

    • Declaring moving the dependency require statements outside of the main function.
    const libraryM = require('libraryM');

exports.onExecutePostLogin = async (event, api) => {
  libraryM.doSomething();
};
    • Defining sub functions outside of the main function and then reusing them which is better coding and improves Unit Testing.
    const subFunction = (paramt1, param2) => {
  // code
};

exports.onExecutePostLogin = async (event, api) => {
  subFunction(event.user.user_id, event.transaction?.metadata?.key);
};
    • Declaring constants and variables outside of the main function.
    const CONSTANT_N = 'constant_value';
let variableM = 'variable_initial_value';

exports.onExecutePostLogin = async (event, api) => {
  console.log(CONSTANT_N, variableM);
};
    • In the case of Objects that need to be instantiated implementing a Singleton pattern to initialize them within a function called from the main function and being able to send parameters from event object.
    const LibraryM = require('libraryM');

let variableM;

const getVariableM = (api_key) => {
  if (variableM === undefined) {
    variableM = new LibraryM(api_key);
  }
  return variableM;
};

exports.onExecutePostLogin = async (event, api) => {
  const vM = getVariableM(event.secrets.API_KEY);
  vM.doSomething();
};

For large numbers of Actions across different Tenants, it’s important to:

  • Use CI/CD to deploy configurations of each tenant reducing the manual steps.
  • Terraform and Auth0 Deploy CLI are good tools for that purpose.
  • Those can be combined with repositories and Unit Testing to improve both maintenance, code versioning, and reliability over deployed Actions at each Auth0 Tenant.

Useful Docs:

Sample codes are not production ready, they are just looking forward to clarifying a concept.

28

I will follow up on these questions with more time to be able to answer them.

29

Currently, Actions don’t have a way to alter the organization related journey, meaning that the api object for Post Login Actions doesn’t have an organization interface to bet able to force that organization selection. That could probably be debated as feedback for future improvement, which should also consider if Post Login is the right and specific place to provide that functionality.

The best option available is Prompt for Credentials, because it provides a way to the user to choose.

Presenting a Form would require using Management API to retrieve the organizations for the user to be able to list them so he can choose. That can create problems with Rate Limits and potential failure on the journey to authenticate the user at the point where the API is invoked.

Redirecting to an external site would have similar issues regarding Management API.

Both would need to redirect eventually to /authorize again with the organization ID to pre select the organization, as there isn’t a way to force it from within the Forms or Actions. This would leave the previous authentication process to timeout, which is not great, and use more times the /authorize.

If users already know they belong to an organization, maybe an alternative is to provide a different entry point for them at the application, probably a separate client only allowing organization members. A separate entry point for those that are individuals. But this is a different implementation.

Would you mind proving more specifics about your use case? I will share this with other Product Managers to see if there is an opportunity for improvement in the future.

1 Like
31

Thank you for the response!

We are considering using the built in Organizations for B2B ecommerce users on our site. So good to know that actions is not the way to go and that we might have to continue our own way of doing organizations or find another way of getting around this in our application.

To give some more details of our problem:
We have users that are only using other services and don’t use our ecommerce functionality. This means these other users might not yet have a connection to our current own equivalent of Auth0s organizations, with users connected to a customer number matching customers in our ERP system, and therefor need to login using a personal account.

The issue in Auth0 lies in that the “Prompt for Credentials” Login Experience for both personal and organizational logins on the same client, allows users that have an organization affiliation to choose logging in as a personal account. If the users does this the would not get access to our sites ecommerce functionality.

So to not confuse our users into accidentally choosing to login as a personal account, and then us getting complaints of users not being able to use ecommerce functionality, we want to be able to avoid giving the user the option of choosing to login via a personal account, if they are actually part of an organization.

Please do forward this to you colleagues. Maybe this could be an improvement in the “Prompt for Credentials” Login Experience for clients. To add a version of the login prompt that only allows non-organization affiliated users the option of personal login, while then allowing org affiliated users to login only via an organization and being able to choose which one if they have many.

And again thanks for the response!

33

Thanks for the additional details @Bjojoh , I have given some feedback based on what was described for future ideating.

34
  1. Passing data between Actions & redirects
  • How does Transaction Metadata behave across the whole login transaction? Any size limits or gotchas (especially with Redirect Actions)?

When a key/value pair is set in an Action using api.transaction.setMetadata(key, value), it becomes available immediately after in the same and subsequent Actions using event.transaction.metadata.key to access it.

When Redirects and Forms render continue the Action execution the transaction metadata is still available on current and subsequent Actions.

Examples:

Size limits can be found in the following documentation:

We didn’t want to deliver a feature that just emulates what Rules provided for the parity gap sake, we wanted to deliver something that was more aligned with the current and future extensibility capabilities. Once that definition was clear, the feature was prioritized and delivered.

When we deliver Cross-trigger coverage, then it will become an even more powerful tool to enable creative solutions that will improve overall performance on those solutions if the Transaction Metadata is used wisely.

For example being able to define or retrieve information in a Custom Token Exchange Action, and then being able to reuse the value in Pre User Registration and/or Post Login Actions without having to retrieve the values again or use the user profile metadata as a bridge.

35
  1. Developer experience: Action Types, shared code & contracts
  • What exactly are Action Types and how do they improve DX?

Soon, we will be publishing an NPM library with the Actions TypeScript definitions, which can improve the developer experience when developing Actions on external IDE/Code editors and enables developers to follow better practices when coding and implementing Unit Tests.

  • Are Actions Modules on the roadmap for sharing reusable utility code across multiple actions?

Yes, we are working on it in the second half of the year.

  • Will you publish official TypeScript types/schemas for the event/API objects (and versioning guarantees) so we can code against a stable contract? It can be difficult to code against action events with so many fields marked as optional without clear explanations of when they are present.

Yes, Actions Types (A.K.A. Actions NPM) will provide part of that, now the optional clarity may not be there, that depends on the context of the execution which is abstracted from the types, for that we are discussing documentation improvements, which may also affect the Actions Types as a way to communicate those details.

36
  1. Observability & testing
  • Any plans to surface the Action Test Runner metrics in tenant logs (e.g., total_request_duration_ms, action_duration_ms, external_call_duration_ms, boot_duration_ms)? Super helpful for prod troubleshooting. I know a smaller subset is available in the web console logs but they do not get exported in log streams.

There are no imminent plans, the closest we have discussed is what I mentioned in a previous question: https://community.auth0.com/t/august-27-auth0-community-ask-me-anything-actions/190450/21?u=danilo.asissanchez

By Action Test Runner, do you mean the Test insider the Action Editor?

As mentioned there, please provide some feedback about your particular use case which can be used as evidence in the future.

  • Could you provide richer testing templates (login, signup, redirect flows, MFA) and a local runner that mirrors production as closely as possible? Without a well-defined event type/schema it relies on us either making assumptions of what the event will be or console logging the event in various scenarios and creating our own from that. Or implementing extensive e2e test coverage.

I think this is related to a previous question you asked about Actions Types and optional properties. Note taken for a potential improvement in the future adding a set of testing templates based on use case with event object definitions narrowed to the particular test case.

  • Are there any plans to add risk signals like risk assessment to refresh tokens?

Although there not a defined plan on adding the risk signals for refresh token exchange, we are doing some ideating about it and your feedback could be useful, if could post the specific use case details we would appreciate it!

37
  1. Timeouts & custom errors
  • What’s your recommended pattern to fail gracefully before timeouts (e.g., early api.access.deny)?

It will depend on your implementation, if the operation you are trying to achieve is necessary for the authentication outcome and your application working correctly and securely, then you should use either api.access.deny or api.sessions.revoke, depending on the expected result after the failure.

In some other cases, the operation may not be required for the application to work properly or for securing the login, then in those cases you may be able to just catch the timeout error and continue the Actions execution.

Either case you should set a timeout and handle the error.

  • Is there any chance of an “on-timeout” hook or similar so it can be handled more gracefully than action timeout errors returned to the user?

There hasn’t been any discussions about it, what is your specific use case? Having in mind that certain Triggers/Actions are executed synchronously and others asynchronously.

  • Can we return custom error responses using api.access.deny from Actions instead of defaulting to opaque 500s with custom messages? Previously this was not possible, and we had to implement workarounds. Denying access is not really a 500 internal server error response?

This is in our Rules/Actions parity gap list, we haven’t yet defined how we will solve it, but we are planning to solve it H1 next year. It may not be 1-to-1 with Rules as it will depend on what is best for the Actions architecture and future of Extensibility and other features depending on Extensibility.

38
  1. Fresh sign-in vs. silent reauth
  • Inside post-login, what’s the reliable way to detect interactive login (entered OTP/password etc) vs session reuse / prompt=none?

TBD

  • Which event fields should we key off (e.g., event.transaction, event.authentication.methods, session age)? One we’ve experimented with is presence of verification code in query params for passwordless logins, but it would be good to have a more reliable method.

TBD

39
  1. MFA & step-up (especially on mobile)
  • What’s the best way for an Action to know the user just completed/enrolled in MFA? and the details of that when triggered through actions. This is useful information to know from a security context.

TBD

  • Are there any plans to implement more MFA specific actions?

TBD

  • For native apps that rely on refresh tokens, what’s your recommended approach to step-up MFA for sensitive actions (since redirects are not possible with refresh tokens)? Any planned improvements here?

TBD

  • Is there a way to know whether the original session/RT was MFA-authenticated, or plans to expose a durable signal/claim so we can enforce re-MFA based on risk or time? This seems to get lost for refresh tokens?

TBD

40
  1. Enterprise / federated SSO
  • Are there plans to let Actions (or similar hooks) run during enterprise SAML/OIDC federation to map/transform attributes before user creation/update—and to give us more visibility into those flows. I know Actions run after the SSO happens but I’m curious about specifically when it’s happening.

Similar post: https://community.auth0.com/t/august-27-auth0-community-ask-me-anything-actions/190450/9?u=danilo.asissanchez

What’s your use case?

41
  1. Device identification
  • Do you plan to offer a built-in device identifier or first-party fingerprinting guidance that we can safely use in Actions (versus rolling our own or relying on third parties)

There are two Fingerprint integrations at Auth0 Marketplace:

There is opportunity for something out of the box, but there isn’t anything planned. If you could provide feedback that would be helpful in the future.

42
  1. How granular should Actions be?
  • Any performance/maintainability guidance on many small Actions vs. a few larger ones? Where’s the sweet spot?

The sweet spot may vary for each implementation, I think it’s important to have in mind:

  • The 20 Actions per Trigger limit, because if the model is early defined to separate by some criteria, then later in the implementation process that model may result in more than 20 Actions per Trigger to preserve consistency or a remodel when the limit is reached.

  • Separating is good, but have in mind that load the Actions and dependencies may take a minimum time which may create more latency when splitting in too many Actions.

  • Longer code could also impact the loading process, same as unnecessary Secrets and Dependencies.

The sweet spot is about balance for each implementation.

43

Anything exciting you’re able to share about the future direction of Actions or new features in the works?

Actions Transaction Metadata is an important feature, going Cross-Trigger will allow new use cases that were not possible before these features.

Actions Modules will improve the overall developer experience and at the same time help on performance and maintenance. It will also expand the usage Actions Types NPM library as additional tooling.