We are excited to share that our customers who use Actions - Auth0’s flagship extensibility product - can now add custom prompts or factors in their post-login flow. This enables developers and partners to confidently record the completion of a factor when the user returns after a custom redirect. Auth0 delivers more tools, features, and options for developers to give them the support and capabilities they need to customize their customers’ experience through pro-code flexibility.
We have introduced a new method to the API of post-login Actions for use when continuing the flow after a successful custom redirect. This method allows a customer and/or partner to store the completion of that custom factor right in the user’s session. What is powerful about this is that they can then check on each login whether that record is present in the user session and skip the prompt if it is already there. Because it is stored in the user session itself, it benefits from any current and future session management features within the Auth0 product offering.
What Is the Problem We Are Solving?
Historically, there was no good way for customers to use Actions to securely implement custom prompts or custom factors in a user-friendly way. They could use user metadata or application metadata, but those objects exist across all user sessions. There was also no good way for customers or partners to see whether a user on a specific device had completed the necessary factors to log in. This meant forcing users to re-perform the custom prompt or factor more often than necessary.
As an example, let's say you’re a developer for a banking app that has a special requirement to use a custom multi-factor authentication service, and you want that authentication to be associated with a user's session and/or device for added security. That is where the ability to add a custom prompt enables you to build that customer experience and address that need.
See It in the Real Example!
Let's take a look at a real example! Below is sample Actions code for a Partner Integration implementing a custom authentication factor.
In onExecutePostLogin, we trigger the custom authentication method by using Actions Redirect to send users to the custom method URL with session token information.
const CUSTOM_METHOD_URL = "https://path.to.prompt";
const PROMPT_TTL = 1000 * 60 * 60 * 24; // 24h

exports.onExecutePostLogin = async (event, api) => {
  // Skip the prompt if this session already completed the custom method within the TTL
  if (
    !event.authentication?.methods?.some((record) => {
      // Timestamps are rendered as ISO8601 strings
      const timestamp = new Date(record.timestamp);
      return (
        record.name === CUSTOM_METHOD_URL &&
        timestamp.valueOf() >= Date.now() - PROMPT_TTL
      );
    })
  ) {
    // Bind the redirect to this user so the continuation can verify who came back
    const sessionToken = api.redirect.encodeToken({
      payload: {
        user_id: event.user.user_id,
      },
      secret: event.secrets.SESSION_TOKEN_SECRET,
    });
    // Trigger our custom authentication method
    api.redirect.sendUserTo(CUSTOM_METHOD_URL, {
      query: { session_token: sessionToken },
    });
  }
};
In onContinuePostLogin, we validate the session token with our secret and record the completion of our custom authentication method.
exports.onContinuePostLogin = async (event, api) => {
  // Decode and verify the token we issued in onExecutePostLogin
  const payload = api.redirect.validateToken({
    secret: event.secrets.SESSION_TOKEN_SECRET,
    tokenParameterName: 'session_token',
  });

  if (!validateSessionToken(payload, event.user.user_id)) {
    return api.access.deny('Unauthorized');
  }

  // Record the completion of our custom authentication method.
  // THIS NEW API IS ONLY AVAILABLE IN 'onContinuePostLogin'
  api.authentication.recordMethod(CUSTOM_METHOD_URL);
};

function validateSessionToken(payload, expectedUserId) {
  // At minimum, confirm the token was issued for the user who is now continuing the flow;
  // further custom validation logic would go here
  return payload?.user_id === expectedUserId;
}
Actions is an iterative platform we continually improve upon. Start creating your Auth0 Actions today and customize your logic flow with the seamless low-code integration with Auth0!