Looking to access password inside Actions workflow for Signup or Reset password request

Hi,

I am looking for a way to access the password submitted by the end user via the Auth0-driven signup or reset password form inside Actions (pre/post) trigger workflows, with the purpose of integrating breach password validation via a third-party integration rather than Auth0’s paid Credential Guard service.

Is it feasible?

Right now I am dealing with an issue where the password is not accessible in the trigger I am writing to validate via a third-party API inside Actions.

const password = event.request.body?.password; // Getting this value as Undefined

Hi @ankit.joshi

Welcome to the Auth0 Community!

No, it is not feasible to access plain-text passwords within Auth0 Actions.

The fact that event.request.body?.password is returning undefined is not a bug; it is an intentional, hardcoded security limitation of the Auth0 Actions architecture. To perform third-party password validation, you will need to intercept the password before it reaches Auth0 using a custom UI and backend.

One of the foundational rules of this architecture is that plain-text credentials must never be exposed to custom code execution environments.

  • If Auth0 exposed the password property in the event object, any developer could accidentally write a console.log(password) statement, instantly leaking sensitive credentials into logging streams.
  • It would also expose users to severe supply-chain attacks if a malicious NPM package were imported into an Action and designed to siphon off the event.request.body.password.

Because of this zero-trust approach to credential handling, Auth0’s core engine completely strips or hashes the password payload before the Pre-User Registration or Post-Login Actions are invoked.

Since you cannot access the password inside Auth0 Actions, you cannot trigger your third-party breach validation from within the Auth0-hosted pipeline. To achieve your goal without using Auth0’s native Credential Guard, you must change your architectural approach:

SOLUTION:
You must completely bypass the Auth0-hosted Universal Login page for signups and password resets, and handle the raw credentials on your own secure backend.

  1. Build a Custom Signup/Reset UI: Host the forms on your own application.
  2. Intercept and Validate: When the user submits the form, your backend receives the raw password. Your backend performs the API call to your third-party breach validation service.
  3. Pass to Auth0: If the third-party service gives the green light, your backend then securely transmits the user’s details (including the password) to Auth0 using the Auth0 Authentication API (specifically the POST /dbconnections/signup and POST /dbconnections/change_password endpoints).
  4. Handle Rejection: If the password is breached, your backend rejects the request and prompts the user to choose another password, never touching Auth0.

If I can help you out with anything else, let me know!

Kind Regards,
Nik
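
The four-step backend flow from the answer above, as an added example that is not part of the original posts and is not Auth0's own code. It assumes the third-party breach service is a k-anonymity range API in the style of Pwned Passwords, so only a 5-character hash prefix leaves the backend; the function names, `AUTH0_DOMAIN`, `CLIENT_ID` and `CONNECTION` are hypothetical placeholders.

```javascript
// Assumptions: Node 18+ (global fetch); breach service is a k-anonymity range API;
// the three constants below are placeholders, not values from the thread.
const AUTH0_DOMAIN = "YOUR_TENANT.auth0.com";          // placeholder
const CLIENT_ID = "YOUR_CLIENT_ID";                    // placeholder
const CONNECTION = "Username-Password-Authentication"; // assumed connection name

// Hash locally; only the first 5 hex chars of the SHA-1 are sent to the service.
async function sha1Parts(password) {
  const { createHash } = await import("node:crypto"); // works in CommonJS and ESM
  const hex = createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
  return { prefix: hex.slice(0, 5), suffix: hex.slice(5) };
}

// The range API answers with "SUFFIX:COUNT" lines for hashes sharing the prefix.
async function breachCount(password, fetchRange = defaultFetchRange) {
  const { prefix, suffix } = await sha1Parts(password);
  const body = await fetchRange(prefix);
  for (const line of body.split(/\r?\n/)) {
    const [s, n] = line.trim().split(":");
    if (s === suffix) return parseInt(n, 10) || 0;
  }
  return 0;
}

async function defaultFetchRange(prefix) {
  const res = await fetch(`https://api.pwnedpasswords.com/range/${prefix}`);
  if (!res.ok) throw new Error(`breach service returned ${res.status}`); // fail closed
  return res.text();
}

// Step 3: forward the credentials to Auth0 only after the check has passed.
async function defaultAuth0Signup(email, password) {
  const res = await fetch(`https://${AUTH0_DOMAIN}/dbconnections/signup`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ client_id: CLIENT_ID, email, password, connection: CONNECTION }),
  });
  return { ok: res.ok, status: res.status };
}

// Steps 2-4. The password is never logged; breach-service errors propagate (fail closed).
async function handleSignup({ email, password }, deps = {}) {
  const { fetchRange = defaultFetchRange, auth0Signup = defaultAuth0Signup } = deps;
  if ((await breachCount(password, fetchRange)) > 0) {
    return { created: false, reason: "breached_password" }; // Auth0 is never called
  }
  const result = await auth0Signup(email, password);
  return { created: result.ok, status: result.status };
}
```

Call `handleSignup` from the route that receives the custom signup form; passing `fetchRange` and `auth0Signup` in `deps` lets the flow be exercised without network access.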