I tried migrating the MFA requirement decision of the Adaptive MFA feature to Actions

Introduction

Auth0 allows you to incorporate custom logic into authentication processes such as login and user registration. This is done with the Actions, Rules, and Hooks features. Of these, the vendor has announced EOL (End of Life) for Rules and Hooks.

  • 2023/05/16: EOL announcement for Rules/Hooks feature
  • 2023/10/16: Rules/Hooks feature not available for new Auth0 tenants
    * Existing Auth0 tenants can continue to use Rules/Hooks until EOL
  • 2024/11/18: Rules/Hooks function unavailable (EOL)

Due to EOL, custom logic that uses Rules/Hooks will need to be migrated to Actions. Until now, there were cases that could not be implemented with Actions, but support is gradually being added.

Example: use of the risk assessment score from the Adaptive MFA feature
Adaptive MFA Risk Ratings is Available in Actions - Auth0 Changelog (April 2023)

This page explains how to migrate the MFA requirement decision of the Adaptive MFA feature to Actions, and how it behaves after migration.

Prerequisites

The information on features and settings described on this page is current as of June 2023.

In addition, this page assumes that Adaptive MFA has been enabled and that the MFA requirement decision has been configured with Rules, as described on the following page.
Introduction of Auth0 Adaptive MFA function and customization of MFA request determination

Setting overview

Migration from Rules to Actions is carried out in the following flow.

  • Create an Action for the MFA requirement decision
  • Embed the Action in the Login Flow
  • Disable the existing rules

The following sections describe the specific settings and an example of checking the behavior.

Setting Example

1. Create an Action for the MFA requirement decision

  • On the Auth0 management screen, click [Actions] > [Library]
  • Click [Build Custom]
  • Enter the name of the Action to create, select the Action trigger and the execution environment, and click [Create]
    * This time, select Trigger: [Login/Post Login] so that the Action runs at login
  • Write the MFA requirement decision logic in the code editor (in JavaScript)
    * Example: use the NewDevice/useragent information as the criterion
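exports.onExecutePostLogin = async (event, api) => {
  // Log the useragent result of Adaptive MFA's NewDevice assessment (for debugging).
  // @ts-ignore
  console.log("NewDevice useragent :" + event.authentication.riskAssessment.assessments.NewDevice.details.useragent);
  // Require MFA when the user agent is not one already seen for this user.
  // @ts-ignore
  if (event.authentication.riskAssessment.assessments.NewDevice.details.useragent === "unknown") {
    console.log("MFA : Require");
    // "any" lets the user complete MFA with any available factor.
    api.multifactor.enable("any");
  } else {
    console.log("MFA : Skip");
  }
};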

Supplement

  • The assessment result from the Adaptive MFA feature is read from the event.authentication.riskAssessment object
  • console.log() calls are added for debugging; they output the Adaptive MFA assessment result and the MFA requirement decision

  • Click [Deploy]
  • Confirm that the created Action was deployed successfully
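
A fail-closed variant of the Action above, added here as an example and not part of the original article or Auth0's own code: it requires MFA whenever the NewDevice assessment or its useragent detail is missing, instead of reading the nested property unchecked. decideMfa, makeEvent and simulate are hypothetical helper names, the events are constructed, and the "known" value for a recognised user agent is an assumption.

```javascript
// Added example: fail-closed variant of the page's Post Login Action.
// decideMfa, makeEvent and simulate are constructed helpers, not Auth0 APIs.
function decideMfa(event) {
  const newDevice =
    event?.authentication?.riskAssessment?.assessments?.NewDevice;
  if (!newDevice) {
    // No assessment attached to this login: do not treat silence as "safe".
    return { requireMfa: true, reason: "NewDevice assessment missing" };
  }
  const useragent = newDevice.details?.useragent;
  if (useragent === "known") { // assumed value for a recognised user agent
    return { requireMfa: false, reason: "useragent known" };
  }
  // "unknown", absent, or any unexpected value all lead to an MFA prompt.
  return { requireMfa: true, reason: `useragent ${useragent ?? "not reported"}` };
}

async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  console.log(`MFA : ${decision.requireMfa ? "Require" : "Skip"} (${decision.reason})`);
  if (decision.requireMfa) {
    api.multifactor.enable("any");
  }
}
// Auth0 loads the handler from exports; the guard lets the file run elsewhere too.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Constructed login event carrying only the fields this Action reads.
function makeEvent(useragent) {
  const details = useragent === undefined ? undefined : { useragent };
  return { authentication: { riskAssessment: { assessments: { NewDevice: { details } } } } };
}

// Run the handler against a stub api and return the providers it enabled.
function simulate(event) {
  const enabled = [];
  const api = { multifactor: { enable: (provider) => enabled.push(provider) } };
  onExecutePostLogin(event, api); // no awaits inside, so calls are recorded synchronously
  return enabled;
}

console.log(simulate(makeEvent("known")));
console.log(simulate(makeEvent("unknown")));
console.log(simulate({ authentication: {} }));
```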

2. Embed Action in Login Flow

  • On the Auth0 management screen, click [Actions] > [Flows]
  • Select [Login] as the flow to embed the Action in
  • Drag and drop the Action created in step 1 into the flow diagram on the left side of the screen
  • Click [Apply]
  • Confirm that the change was applied successfully

3. Disable existing rules

  • On the Auth0 management screen, click [Auth Pipeline] > [Rules]
  • Disable the Require MFA Enrollment and Adaptive MFA rules

Behavior example: logging in from a device different from the one used for the previous login

  • Log in on the screen of the web application linked with Auth0
    * Confirm that MFA is not required for this login
  • Check the log entry for the decision to skip MFA on the Real-time Webtask Logs screen
  • Log out
  • Log in with a web browser whose UserAgent differs from the previous login, so that the Adaptive MFA feature judges the login to come from a new device
  • Confirm that MFA is required at login
  • Check the log entry for the decision to require MFA on the Real-time Webtask Logs screen

Summary

Using the Adaptive MFA feature as an example, we introduced the migration from Rules to Actions. Even at this time, there are still some processes that cannot be handled by Actions. We have information from the vendor that support will be added step by step, so we would like to update this information from time to time.

If you have any questions about migrating from Rules/Hooks to Actions, please contact Macnica.
