I wanted to show the policy statement that comes from our application when a user logins in using Auth0

I wanted to show the policy statement that comes from our application when a user logs in using Auth0, asking for consent. How do I achieve it?

The user has accepted and the consent is stored. I also want to show this again whenever there is a change in policy. How can I achieve this using Auth0?

At least one possible option would be to use redirect rules (https://auth0.com/docs/rules/redirect-users). This would also allow you to trigger the redirect conditionally, based on whether the user already consented and to which version they consented, by storing such information/flags in the user profile (app_metadata), which is available in the context of rules.

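As an added example (not code from the thread or from Auth0), here is what the answer above describes as a rule: the redirect fires only when app_metadata records a consent version older than the current policy, and only for one application (gated on context.clientID). The policy version, consent page URL and client ID are placeholders.

```javascript
// Added example, not code from the thread: an Auth0 rule that shows the
// consent page only when app_metadata does not record acceptance of the
// current policy version, and only for one application. Assumed values:
// the policy version number, the consent page URL and the client ID.
const CURRENT_POLICY_VERSION = 3;                      // bump this when the policy text changes
const CONSENT_URL = "https://example.com/consent";     // assumption: the rule's redirect target
const TARGET_CLIENT_ID = "YOUR_CLIENT_ID";             // assumption: the only application this rule applies to

// Auth0 provides UnauthorizedError inside the rules sandbox; this fallback
// only exists so the example also runs outside it.
const UnauthorizedError = typeof globalThis.UnauthorizedError === "function"
  ? globalThis.UnauthorizedError
  : class UnauthorizedError extends Error {};

function consentRule(user, context, callback) {
  // Application-specific rule: for any other client, do nothing and move on.
  if (context.clientID !== TARGET_CLIENT_ID) {
    return callback(null, user, context);
  }
  user.app_metadata = user.app_metadata || {};
  const acceptedVersion = user.app_metadata.consent_version || 0;

  // Return leg: Auth0 re-runs the rule with protocol "redirect-callback"
  // after the consent page sends the browser to /continue?state=...
  if (context.protocol === "redirect-callback") {
    // Placeholder: in production verify the consent page's answer (for
    // example a signed token) rather than trusting a bare query parameter.
    const reported = parseInt(context.request.query.consent_version, 10);
    if (reported !== CURRENT_POLICY_VERSION) {
      return callback(new UnauthorizedError("Consent to the current policy is required."));
    }
    user.app_metadata.consent_version = CURRENT_POLICY_VERSION;
    // In a real rule also persist it, e.g.
    // auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
    return callback(null, user, context);
  }

  // First leg: redirect only when the stored version is behind the current one.
  if (acceptedVersion < CURRENT_POLICY_VERSION) {
    context.redirect = { url: CONSENT_URL + "?policy_version=" + CURRENT_POLICY_VERSION };
  }
  return callback(null, user, context);
}

// Small driver so the rule can be exercised outside Auth0: returns the callback's arguments.
function runRule(user, context) {
  let result;
  consentRule(user, context, (err, u, c) => { result = { err, user: u, context: c }; });
  return result;
}
```

Because the redirect-callback branch returns before the redirect branch, the rule cannot loop: a user coming back from /continue is never redirected again, and a user whose stored version already matches never leaves the pipeline.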

Is there a sample example I can use to display the custom privacy policy to the users and retrigger the consent again?

The only thing I'm aware of would be this (https://auth0.com/docs/compliance/gdpr/gdpr-track-consent-with-custom-ui#option-4-redirect-to-another-page).


Is there any example that I can use from GitHub? The example that was given as part of the above link, https://github.com/auth0/rules/tree/master/redirect-rules/simple#trusted-callback-urls, looks old and may not work?

Also, is it possible to create application-specific rules?

And when I redirect to the continue URL, it gives an unauthorized error.

You can create an application-specific rule by adding a condition that effectively forces the logic within it to only execute for a specific client application. In particular, the rules context will have the client identifier for which the rules are being executed, so you can base the condition on that value and the identifier of the application you want to target.

In relation to the error, you should confirm you're calling continue with the same state value you received in the URL that was the target of the redirect. At first glance, that state value does not seem correct.


Could you please let me know how to retrieve that state value?

If you configure a redirect rule to point to the following target URL:

context.redirect = {
  url: "https://example.com/foo"
};

when the redirect (rule) is triggered, an HTTP request to https://example.com/foo will be performed, and as part of that request a state query string parameter will be included. In the server you have handling that request URL, you should parse the query string and retrieve the value of the state parameter. It's that value that you then need to use.


Thanks João, will try implementing and get back to you.

Hi,

It's also mentioned below about the redirect rules:

Trusted Callback URLs

Our sample rule and webtask make one security compromise for the sake of convenience: the rule passes the Auth0 domain (i.e. your-tenant.auth0.com ) to the form website and the form uses that to construct a callback URL (i.e. https://your-tenant.auth0.com/continue ) for returning back to the rule. This is essentially an open redirect and should not be used in production scenarios.

You can lock this down by configuring your form website implementation to only return to a specific URL (i.e. just your Auth0 tenant) instead of one that’s generated from a query param. You can then simplify the rule too so it no longer passes the Auth0 domain.

What does the bolded paragraph above mean?

That is something very specific to that sample, due to the fact that the target of the redirect URL received the domain to which it should respond. This complicates things, so unless you have a scenario where the URL you use for the redirect rule can be triggered from multiple Auth0 tenants, you can just hardcode the logic in your server to always redirect to a hardcoded /continue URL associated with a specific tenant.

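To make the two answers above concrete (retrieving the state parameter from the redirect request, and hardcoding the /continue target instead of deriving it from a query parameter), here is an added example of the consent page's server-side handler. It is not code from the thread or from Auth0's sample; the tenant domain and the consent page URL are placeholders.

```javascript
// Added example (not from the thread or Auth0's sample): the consent page's
// handler for the request a redirect rule sends it. It reads the state
// parameter Auth0 appended and builds the /continue URL. Assumed values:
// the tenant domain and the redirect target https://example.com/consent.
const TENANT_DOMAIN = "your-tenant.auth0.com"; // assumption: hardcode your own tenant here

// Extracts the state Auth0 appended to the redirect, e.g.
// https://example.com/consent?state=g6Fo2SA... -> "g6Fo2SA..."
function stateFromRedirectRequest(requestUrl) {
  const state = new URL(requestUrl).searchParams.get("state");
  if (!state) throw new Error("missing state: request did not come through a redirect rule");
  return state;
}

// The pattern the quoted sample warns about: the return domain is taken from
// the request, so whoever crafts the request chooses where the browser goes.
function continueUrlOpenRedirect(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  return "https://" + params.get("auth0_domain") + "/continue?state=" +
    encodeURIComponent(params.get("state"));
}

// Hardened: ignore any domain in the request and always return to your tenant.
function continueUrlSafe(requestUrl) {
  const state = stateFromRedirectRequest(requestUrl);
  const url = new URL("https://" + TENANT_DOMAIN + "/continue");
  // Must be the exact value received; a different state makes /continue answer unauthorized.
  url.searchParams.set("state", state);
  return url.toString();
}
```

The hardened version is the one to deploy; the open-redirect variant is included only to show what the sample's "trusted callback URLs" note is about. Log or reject requests without a state parameter rather than redirecting anyway, since they cannot be resumed by Auth0.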

Hi,

Could you please provide any example which explains the bolded paragraph below? So, you mean to say that if there are 10 rules and we create an application-specific rule, only the application-specific rule will get called, which will prevent the rest of the 9 rule executions?

I mean to ask, in the internal execution of Auth0, will this behave like switch logic or if-else based logic?

You can create an application-specific rule by adding a condition that effectively forces the logic within it to only execute for a specific client application. In particular, the rules context will have the client identifier for which the rules are being executed, so you can base the condition on that value and the identifier of the application you want to target.

What will the performance be if there are 1000 rules and only 1 rule gets completely executed, and how long does it take to complete the overall rules execution?

And what will the performance be when there are 2000 logins happening per second with the above case?

Also, if I wanted to pass certain info when calling back the rule using the continue endpoint, how do I achieve this?

Every rule that is enabled is executed; however, if the first thing the rule does is check whether the client ID in the context is a hardcoded one and, if it's NOT, just call the callback without executing any other logic in the rule, the effect will be similar to a rule only applying to a single client application. Also, the performance of an if condition that is a string comparison should be negligible, as would likely be the performance of 1000 if conditions for a string comparison (of a client ID).

If you get to 2000 logins per second I would be inclined to say that if conditions in rules would not be the bottleneck.


Thanks for the details. Is there a performance bottleneck if there is a callback again to Auth0 by hitting the continue endpoint for the same use case that I mentioned above?

Hi jmangelo,

Thanks for all the help that was provided till now. Appreciate it.
I have one query: could you please let us know how to send the context object to the application from the Auth0 rule during redirection and send it back to the rule in Auth0 again?

Thanks
Vamsi

This example for a redirect rule, although for a different situation, shows how data can be passed through a token which the target can validate in order to trust the information (https://auth0.com/docs/rules/redirect-users#force-password-change-example). In relation to sending back data again, you can use the same token approach in the opposite order, with the rule being the one that validates the token.


Hi @jmangelo

If I want to use a custom MFA and my own consent to be shown, I would have 2 rules created, each having its own redirect. As per the documentation, it was mentioned that there can be only one redirect as part of the rule pipeline. So how do I achieve this case?

Thanks
Vamsi

Hi jmangelo,

Could you please help answer the above question?

Thanks
Vamsi