Auth0 Community Ask Me Anything: Rules & Hooks and why Actions matter!

Screenshot 2024-01-03 at 12.12.271238×692 48.9 KB

The Auth0 Community is excited to invite you to our next interactive online Ask Me Anything (AMA) session on Thursday, January 18, 2024, featuring our DX-Extensibility Team that stands behind Rules, Hooks and Actions.

Have problems migrating from Rules & Hooks to Actions? Want to know more context around the deprecation? Looking for information on best practices, helpers and how to utilize Actions most effectively? No matter what kind of Actions, Rules or Hooks question you might have, we’ve got you covered! @oliver.wang, one of our product managers will answer all your burning questions related to Rules & Hooks and share more why Actions matter!

How will the AMA session work?

From today, January 3 to Wednesday, January 17, 2024, you can ask your questions by replying to this community topic using the ‘Reply’ Button. Then, mark your calendars for Thursday, January 18, between 7 a.m. and 9 a.m. PT, when our product experts from the Auth0 DX-Extensibility team will provide you with comprehensive written answers to your questions about Actions, Rules & Hooks. As a bonus, your participation will earn you points and a special badge!

What will you gain from participating?

• How Actions can supercharge your customization
• Information and help around migrating from Rules & Hooks to Actions
• Learn more about Actions, Rules and Hooks deprecation
• Best practice in using Actions
• Find out information about parity gaps between each of the tools being addressed by our team
• And many more!

Ask Questions here by hitting the reply button! Be sure to submit your questions from today, January 3 to Wednesday, January 17, 2024.

Featured Expert

Screenshot 2024-01-03 at 12.15.52962×976 40.5 KB

Oliver Wang is a Product Manager in the Developer Experience organization, where he is working with our Extensibility team responsible for Actions, Rules and Hooks among others.

This is part of a bi-monthly interactive online AMA series that invites the Auth0 Community to engage with various Okta subject matter experts.

I still don’t understand how I could access the groups coming from Azure AD.
The blogpost says :

This means you can make more use of standard properties such as user.roles , user.groups , and user.permissions to understand customer profiles and protect user interests better.

But the documentation page does not mention these new root properties at all.

We have the same question. We need to be able to map employee roles that are set in Azure AD (Entra ID now I guess) to roles inside our application.

As of today, we have not found a documented way to get the “appRoles” attribute from Azure AD with Actions. However, we are able to do it with Rules by calling the Microsoft Graph API at https://graph.microsoft.com/beta/servicePrincipals/{resourceId}. This is not possible with Rules because it doesn’t give us access to the original Azure AD access token.

As an alternative, we would be fine with getting the AD groups with the Azure AD “groups” attribute that is passed in with the token. We just either need that attribute passed in, or access to the original Azure AD token.

I’ve been checking back for months but still, no updates. We will migrate off of Auth0 if this capability is not available.

Hi Auth0

We want to remove the nickname and picture claim from the id token after a user authenticates successfully

I successfully created a rule based on the Remove attributes from user template:

function removeUserAttribute(user, context, callback) {
const blacklist = [‘nickname’,‘picture’];

Object.keys(user).forEach(function (key) {
if (blacklist.indexOf(key) > -1) {
delete user[key];
}
});

callback(null, user, context);
}

I migrated the code, by following the Auth0 documentation, to a Login Flow action script:

exports.onExecutePostLogin = async (event, api) => {
const blacklist = [‘nickname’,‘picture’];

Object.keys(event.user).forEach(function (key) {
if (blacklist.indexOf(key) > -1) {
delete event.user[key];
}
});

return;

};

The rule works fine, but the action script is not deleting the blacklisted keys.

When will this functionality be available via an action script?

Hi Auth0 Team !

We need an Example using “Actions” to securely link accounts (that works).

We have a SPA page that uses the New Universal Login for logins/signups, users can sign in either with an email/password or with social connections (Google, Github), and we are trying to implement the process of linking accounts at signup.

The documentation, examples and extensions provided by Auth0 don’t work:

• The page Link User Accounts > Account linking with Actions has an example using Actions, but the example doesn’t work, first it doesn’t mention that you need to add the “auth0” dependency imported there in the code (OK, no big deal), but then it uses a function called getManagementApiToken which is not imported or defined anywhere, so execution errors again, and reading the code I’m pretty sure that even if I write the function myself I’ll get new errors anyway, because there are other references in the code that I’m pretty sure don’t exist, like some constants.
• There are other examples in the documentation, but are based on Rules, and they don’t work either (I’ve explained a little bit the problems found here).

It would also be helpful to have a working demo with a basic front end and back end in a git repository, rather than just snippets of code around.

I know you have Actions Marketplace but do Auth0 have any plans for also having a kind of open-source version of that marketplace so that the community around Actions can be more involved?

From the technical perspective, what will exactly happen to Auth0 users that have Rules and Hooks in their pipeline once Rules and Hooks reach end of life?

Any news or announcements around what changes, improvements we can expect from Actions in the near future?

I haven’t checked now, but the reason we couldn’t migrate from rules to actions was because we had a few special cases where we have to set the scopes manually (reduce the number of consented scopes).

Is it possible to set scopes manually or override them now?

As Auth0 is getting closer to the full deprecation of Rules and Hooks, we can see new docs being rolled out and YouTube videos helping us migrate to Actions. Do you plan to also release more FAQs on that topic?

In the post login action, is it possible to make authenticated calls to a secured backend service? we are currently facing a use case in which we want a user to answer security questions that are generated by our backend before they log in and gain access to the main application. we are able to pass information to the middle UI with a session token using the function provided by auth0: api.redirect.encodeToken({}). the issue with this, is that the token is signed in hs256 which is not accepted by our backend. is there a way to accomplish this use case ? maybe there is a way to access the user token in the redirected middle UI and then assign the roles onContinuePostLoginAction? synopsis of use case: require authenticated users to answer custom generated security questions before authorizing them to use our app, ideally leveraging redirect in actions

Hello - Will this break existing Auth0 extensions that use rules .- e.g. Account Linking?

What will be (afaik it’s not yet possible) the way to link user accounts? e.g. when user registered via email/password and later on signs-up/logs in via oidc or oauth2 with same email (& vice versa).

If there’s a solution for this already using actions please provide a full working example.

It would be nice to have the possibility to set to false the user.verify_email attribute in a pre-registration action in order to prevent the automatic send of the verification email.

Today the attributes verify_email and email_verified are not available in the pre-registration event object.

Use case is sending verification email only after specific business conditions (checked in post-login actions).

See also Do not send email verification in select cases

The suggested workaround is to disable the email templates, precluding us the possibility to use the API /api/v2/jobs/verification-email.

The pre-registration action is very limited compared to the post-login action.

For example it does not support redirect to an external page to collect additional user data e perform business oriented checks.

Use case: we want to limit the registration to a specific set of users (like they have to be doctors). In this case, we can ask their professional ID and check its validity BEFORE let them to create a new account.

The suggested workaround is to implement additional data collection and custom checks using post-login actions and external pages. If the checks fail, the user login is blocked. This solution creates unwanted accounts and it has side effects like user is blocked because it is not doctor but they receive the welcome and the verification emails. (see my previous reply).

in testing i have found that the post user registration action does not run on passwordless signups. will this be supported?

Hey Mariano,

I’m looking at a similar issue as well and agree regarding the need for examples.

With regards to your issues with getManagementApiToken etc, i was able to get past this by storing domain\clientid\clientsecret as secrets, and creating the ManagementApiClient with these.

I found it easiest to develop locally in node, but you need to fake out relevant values from the api\event parameters.

I’m also encountering a similar issue. I was able to successfully link the accounts using the same approach as Nick however after linking I was unable to switch the user account.

According to this (possibly outdated) post linking in actions will be supported in Q3

There still seems to be a bit of a parity gap between Actions when compared to Rules/Hooks - Can you tell us more about this? What is the current state of this and can we expect complete parity eventually?