
Okta CIC (Auth0) Actions feature update (August 2023)
Introduction
Okta CIC (Auth0) provides the Actions function to implement custom logic for authentication and authorization. In August 2023, the following three feature updates were made.
- SAML response customization for logged-in users
- Scope customization in access tokens
- Expanding available user information
This page introduces the update contents and specific setting examples.
Premise
The information regarding functions and settings described on this page is current as of August 2023. For an overview of the Actions function and the basic setting method, please see Token customization using Auth0 Actions function.
Feature update overview
The updated features are as follows.
- SAML response customization for logged-in users
The ability to customize SAML responses for logged-in users has been added as an API Object for the Login Flow. You can add arbitrary attributes to the SAML response, specify the NameID format, customize the SAML token expiration, etc. For the added API Object (api.samlResponse), see Actions Triggers: post-login - API Object - Auth0 docs.
Please note that there are limitations to SAML response customization using the Actions function. For more information, see Actions Limitations - Auth0 docs.
- Scope customization in access tokens
A function to add and remove scopes in access tokens has been added as an API Object for the Login Flow. Scopes can be added or removed depending on the request source information, etc.
The added API Objects are api.accessToken.addScope and api.accessToken.removeScope. For more information, see Actions Triggers: post-login - API Object - Auth0 docs.
- Expanding available user information
For more information on the user information available within Actions, see Actions Triggers: post-login - Event Object - Auth0 docs (for the Login Flow).
Setting and operation example
Below are setting and operation examples that use the updated features.
Setting example ①: Customizing SAML attributes
In SAML authentication using Auth0 (Splunk Cloud), we introduced customizing SAML responses using the Rules function. This time, we will implement similar processing using the Actions function.
- On the Auth0 management screen, click [Actions] > [Library]
- Click [Build Custom]
- Select the name of the action to be created, the trigger of the action, and the execution environment, and click [Create].
![Select the name of the action to be created, the trigger of the action, and the execution environment, and click [Create].](/business/security/okta/image/okta_cic_actions_dr01.png)
- Write the logic to be realized in the code editor (JavaScript description)
*Only the minimum necessary processing is listed.
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Expose the user's roles as a SAML attribute when authorization data is present
  if (event.authorization) {
    api.samlResponse.setAttribute('http://schemas.auth0.com/rolez', event.authorization.roles);
  }
};
```
- Click [Deploy] and confirm that it was saved successfully
![Click [Deploy] and confirm that it was saved successfully](/business/security/okta/image/okta_cic_actions_dr02.png)
- Incorporate the created Action into the Login Flow, click [Apply], and confirm that it was reflected successfully
![Click [Apply] and confirm that it was reflected successfully](/business/security/okta/image/okta_cic_actions_dr04.png)
Operation example ①: Customizing SAML attributes
Excerpt of the SAML response issued after login (the added attribute carries the user's role):
```xml
(omitted)
<saml:Attribute Name="http://schemas.auth0.com/rolez" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
</saml:Attribute>
(omitted)
```
Setting example ②: Scope customization in access token
This time, we will add a scope to the access token based on the country of the access source and the requested resource (audience).
Similar to setting example ①, create a new Action and incorporate the created Action into the Login Flow.
- Write the logic to be realized in the code editor (JavaScript description)
*Only the minimum necessary processing is listed.
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Grant read:jp only for requests from Japan that target the expected audience
  if (event.request.geoip.countryCode === 'JP' && event.request.query.audience === 'https://example.com') {
    api.accessToken.addScope("read:jp");
  }
};
```
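As an added example (not code from the original page or from Auth0), the following combines setting examples ① and ② into one post-login Action and adds a constructed stand-in for the Actions `api` object so the branching can be checked offline with Node before deploying. `makeFakeApi` and `simulate` are assumptions for local testing only, not Auth0 APIs; the removeScope branch for non-matching requests is likewise an addition beyond the page's minimal example.

```javascript
// Added example, not from the original page or Auth0: one post-login Action that
// combines setting examples ① and ②, plus a constructed stand-in for the
// Actions `api` object so the branching can be exercised offline with Node.
const ROLE_ATTRIBUTE = 'http://schemas.auth0.com/rolez';
const JP_AUDIENCE = 'https://example.com';

// The Action body as it would be pasted into the Auth0 code editor.
async function onExecutePostLogin(event, api) {
  // Setting example ①: expose the user's roles as a SAML attribute.
  if (event.authorization) {
    api.samlResponse.setAttribute(ROLE_ATTRIBUTE, event.authorization.roles);
  }
  // Setting example ②: grant read:jp only when the request comes from Japan
  // AND targets the expected audience. geoip/query can be missing, so guard.
  const country = event.request.geoip && event.request.geoip.countryCode;
  const audience = event.request.query && event.request.query.audience;
  if (country === 'JP' && audience === JP_AUDIENCE) {
    api.accessToken.addScope('read:jp');
  } else {
    // Otherwise make sure a client-requested read:jp does not survive.
    api.accessToken.removeScope('read:jp');
  }
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Assumption (local testing only, not an Auth0 API): records every call made
// through the api object so the Action's decisions can be inspected.
function makeFakeApi() {
  const calls = { samlAttributes: {}, addedScopes: [], removedScopes: [] };
  return {
    calls,
    samlResponse: { setAttribute: (name, value) => { calls.samlAttributes[name] = value; } },
    accessToken: {
      addScope: (s) => { calls.addedScopes.push(s); },
      removeScope: (s) => { calls.removedScopes.push(s); },
    },
  };
}

// Assumption: runs the Action against a constructed event and resolves to the calls.
async function simulate({ countryCode, audience, roles }) {
  const event = {
    authorization: roles ? { roles } : undefined,
    request: { geoip: { countryCode }, query: { audience } },
  };
  const api = makeFakeApi();
  await onExecutePostLogin(event, api);
  return api.calls;
}
```

Run `simulate({ countryCode: 'JP', audience: 'https://example.com', roles: ['admin'] })` to see both the SAML attribute and the added scope recorded, and change the country or audience to confirm that read:jp is removed instead.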
Operation example ②: Scope customization in access token
Use Authorization Code Flow to check the token customization process using the created Action. Please check the Authorization Code Flow (Access Token & ID Token) in Auth0 for the required settings.
Authorization request (open in a browser and log in):
```text
https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/authorize?audience=https://example.com&response_type=code&scope=openid profile email&client_id=Bb9P6WoNhg0XIBnpSNLxd284ChfCxUIq&redirect_uri=https://example.com
```

Token request (exchange the returned authorization code for tokens):
```shell
curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code&client_id=Bb9P6WoNhg0XIBnpSNLxd284ChfCxUIq&client_secret=quS8KFlWCT7UUtOdHvzIMKaip72Ut2dy0KgQproakBP9hXh4_yxixB1d5u_L4MKN&code=LfsgBMfG4Gs_TxysEr_6yXREFb2W10a0UrL9VIwEzZpjz&redirect_uri=https://example.com'
```
Acquisition result (confirm that the scope was added):
```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...(omitted)...uddoylYsMiU_cxfgUXQ",
  "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVC...(omitted)...reTo69XG_wKEv3otwug",
  "scope": "openid profile email read:jp",
  "expires_in": 86400,
  "token_type": "Bearer"
}
```
Decoded payload of the access token:
```json
{
  "iss": "https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/",
  "sub": "auth0|642637dc3d0fd8dd93fedd90",
  "aud": [
    "https://example.com",
    "https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/userinfo"
  ],
  "iat": 1694236566,
  "exp": 1694322966,
  "azp": "Bb9P6WoNhg0XIBnpSNLxd284ChfCxUIq",
  "scope": "openid profile email read:jp"
}
```
Conclusion
This time, we introduced updates to the Actions feature. An EOL (End of Life) announcement has been made for the Rules/Hooks functions, so more processing that can be realized with the Actions function is expected to be added in the future.
We will continue to update this information as further updates are implemented.