auth0 · johneke-auth0 · Jan 26, 2024 · Jan 26, 2024
@@ -0,0 +1,36 @@
+/**
+ * Handler that will be called during the execution of a PostLogin flow.
+ *
+ * --- AUTH0 ACTIONS TEMPLATE https://github.com/auth0/os-marketplace/blob/main/templates/active-directory-groups-POST_LOGIN ---
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+exports.onExecutePostLogin = async (event, api) => {
+    // ensure that the allowed group is configured
+    const groupAllowed = event.secrets.ALLOWED_GROUP;
+    if (!groupAllowed) {
+        return api.access.deny('Invalid configuration');
+    }
+
+    // get the users groups
+    let groups = event.user.groups || [];
+    if (!Array.isArray(groups)) {
+        groups = [groups];
+    }
+
+    // if the allowed group is not one of the users, deny access
+    if (!groups.includes(groupAllowed)) {
+        return api.access.deny('Access denied');
+    }
+};
+
+/**
+ * Handler that will be invoked when this action is resuming after an external redirect. If your
+ * onExecutePostLogin function does not perform a redirect, this function can be safely ignored.
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+// exports.onContinuePostLogin = async (event, api) => {
+// };
@@ -0,0 +1,15 @@
+id: 'fd8e30ba-02e2-4648-8d89-78bc10425ab4'
+name: 'Check if a user belongs to an active directory group.'
+description: 'Check if a user belongs to an AD group and if not, deny access.'
+public: true
+triggers:
+    - 'POST_LOGIN'
+runtime: 'node18'
+modules: []
+sourceUrl: 'https://github.com/auth0/os-marketplace/blob/main/templates/active-directory-groups-POST_LOGIN'
+notes: |
+    **Secrets**
+
+    * `ALLOWED_GROUP` - the name of the allowed group.
+useCases:
+    - 'ACCESS_CONTROL'
@@ -0,0 +1,40 @@
+/**
+ * Handler that will be called during the execution of a PostLogin flow.
+ *
+ * --- AUTH0 ACTIONS TEMPLATE https://github.com/auth0/os-marketplace/blob/main/templates/adaptive-mfa-POST_LOGIN ---
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+exports.onExecutePostLogin = async (event, api) => {
+    // Decide which confidence scores should trigger MFA, for more information refer to
+    // https://auth0.com/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa#confidence-scores
+    const promptConfidences = ['low', 'medium'];
+
+    // Example condition: prompt MFA only based on the NewDevice
+    // confidence level, this will prompt for MFA when a user is logging in
+    // from an unknown device.
+    const confidence =
+        event.authentication?.riskAssessment?.assessments?.NewDevice
+            ?.confidence;
+    const shouldPromptMfa =
+        confidence && promptConfidences.includes(confidence);
+
+    // It only makes sense to prompt for MFA when the user has at least one
+    // enrolled MFA factor.
+    const canPromptMfa =
+        event.user.multifactor && event.user.multifactor.length > 0;
+    if (shouldPromptMfa && canPromptMfa) {
+        api.multifactor.enable('any', { allowRememberBrowser: true });
+    }
+};
+
+/**
+ * Handler that will be invoked when this action is resuming after an external redirect. If your
+ * onExecutePostLogin function does not perform a redirect, this function can be safely ignored.
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+// exports.onContinuePostLogin = async (event, api) => {
+// };
@@ -0,0 +1,10 @@
+id: 'd2a3e1d7-e2ef-4681-8192-cdcac078b7df'
+name: 'Trigger multi-factor authentication when a condition is met'
+public: true
+description: 'A POST_LOGIN action to trigger multifactor authentication based on risk assessment and if the user is enrolled in at least one factor.'
+triggers: ['POST_LOGIN']
+runtime: 'node18'
+modules: []
+sourceUrl: 'https://github.com/auth0/os-marketplace/blob/main/templates/adaptive-mfa-POST_LOGIN'
+useCases:
+    - 'MULTIFACTOR'
@@ -0,0 +1,34 @@
+/**
+ * Handler that will be called during the execution of a PostLogin flow.
+ *
+ * --- AUTH0 ACTIONS TEMPLATE https://github.com/auth0/os-marketplace/blob/main/templates/add-attribute-POST_LOGIN ---
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+exports.onExecutePostLogin = async (event, api) => {
+    // ensure the connection secret is valid
+    if (!event.secrets.CONNECTION_NAME) {
+        return api.access.deny('Invalid configuration');
+    }
+
+    // ensure the claim name secret is valid
+    if (!event.secrets.CLAIM_NAME) {
+        return api.access.deny('Invalid configuration');
+    }
+
+    // add an additional claim conditionally
+    if (event.connection.name === event.secrets.CONNECTION_NAME) {
+        api.idToken.setCustomClaim(event.secrets.CLAIM_NAME, true);
+    }
+};
+
+/**
+ * Handler that will be invoked when this action is resuming after an external redirect. If your
+ * onExecutePostLogin function does not perform a redirect, this function can be safely ignored.
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+// exports.onContinuePostLogin = async (event, api) => {
+// };
@@ -0,0 +1,15 @@
+id: '06975b69-6433-4918-98a1-3779f084b21d'
+name: 'Add an attribute to the user'
+description: 'Add an attribute to the user only for the login transaction. This is useful for cases where you want to enrich the user information for a specific application.'
+public: true
+triggers: ['POST_LOGIN']
+runtime: 'node18'
+modules: []
+sourceUrl: 'https://github.com/auth0/os-marketplace/blob/main/templates/add-attribute-POST_LOGIN'
+useCases:
+    - 'ENRICH_PROFILE'
+notes: |
+    **Secrets**
+
+    * `CONNECTION_NAME` - the name of the connection from which users will have a custom claim added. For example, `Username-Password-Authentication`.
+    * `CLAIM_NAME` - the name of the custom claim to be added.
@@ -0,0 +1,34 @@
+// --- AUTH0 ACTIONS TEMPLATE https://github.com/auth0/os-marketplace/blob/main/templates/add-country-POST_LOGIN ---
+/**
+ * Handler that will be called during the execution of a PostLogin flow.
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+exports.onExecutePostLogin = async (event, api) => {
+    let namespace = event.secrets.ID_TOKEN_NAMESPACE || '';
+    if (namespace && !namespace.endsWith('/')) {
+        namespace += '/';
+    }
+
+    if (event.request.geoip) {
+        api.idToken.setCustomClaim(
+            namespace + 'country',
+            event.request.geoip.countryName
+        );
+        api.idToken.setCustomClaim(
+            namespace + 'timezone',
+            event.request.geoip.timeZone
+        );
+    }
+};
+
+/**
+ * Handler that will be invoked when this action is resuming after an external redirect. If your
+ * onExecutePostLogin function does not perform a redirect, this function can be safely ignored.
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+// exports.onContinuePostLogin = async (event, api) => {
+// };
@@ -0,0 +1,15 @@
+id: 'c8d3367c-dcdb-41e1-a303-4063d2a1d124'
+name: 'Add country to User Profile'
+description: "This action template adds a `country` attribute to the user's id token based on their ip address."
+public: true
+triggers:
+    - 'POST_LOGIN'
+runtime: 'node18'
+sourceUrl: 'https://github.com/auth0/os-marketplace/blob/main/templates/add-country-POST_LOGIN'
+notes: |
+    **Optional Secrets**
+
+    * `ID_TOKEN_NAMESPACE` - An optional namespace for the custom claim
+
+useCases:
+    - 'ENRICH_PROFILE'
@@ -0,0 +1,27 @@
+// --- AUTH0 ACTIONS TEMPLATE https://github.com/auth0/os-marketplace/blob/main/templates/add-email-to-access-token-POST_LOGIN ---
+/**
+ * Handler that will be called during the execution of a PostLogin flow.
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+exports.onExecutePostLogin = async (event, api) => {
+    // This action adds the authenticated user's email address to the access token.
+
+    let namespace = event.secrets.NAMESPACE || '';
+    if (namespace && !namespace.endsWith('/')) {
+        namespace += '/';
+    }
+
+    api.accessToken.setCustomClaim(namespace + 'email', event.user.email);
+};
+
+/**
+ * Handler that will be invoked when this action is resuming after an external redirect. If your
+ * onExecutePostLogin function does not perform a redirect, this function can be safely ignored.
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
+ */
+// exports.onContinuePostLogin = async (event, api) => {
+// };
@@ -0,0 +1,15 @@
+id: 'f246bbc7-6676-4a30-9706-bd328e7f9ac4'
+name: 'Add Email to Access Token'
+description: 'Add the users email as one of the fields in the access token'
+public: true
+triggers:
+    - 'POST_LOGIN'
+runtime: 'node18'
+sourceUrl: 'https://github.com/auth0/os-marketplace/blob/main/templates/add-email-to-access-token-POST_LOGIN'
+notes: |
+    **Optional Secrets**
+
+    * `NAMESPACE` - optional namespace for the access token field, for example `https://acme-inc.com` would result in an access token that looks like: `{ ... "https://acme-inc.com/email": "[email protected]" ... }`
+
+useCases:
+    - 'ENRICH_PROFILE'
@@ -0,0 +1,75 @@
+const { ManagementClient } = require('auth0');
+
+const HTTP_TIMEOUT = 1000; // 1s
+
+// --- AUTH0 ACTIONS TEMPLATE https://github.com/auth0/os-marketplace/blob/main/templates/add-persistence-attribute-PASSWORD_RESET_POST_CHALLENGE ---
+/**
+ * Handler that will be called during the execution of a Password Reset / Post Challenge Flow.
+ *
+ * @param {Event} event - Details about the post challenge request.
+ * @param {PasswordResetPostChallengeAPI} api - Interface whose methods can be used to change the behavior of the post challenge flow.
+ */
+exports.onExecutePostChallenge = async (event, api) => {
+    if (!event.secrets.METADATA_KEY) {
+        return api.access.deny('missing metadata key');
+    }
+
+    const metadataKey = event.secrets.METADATA_KEY;
+
+    if (!event.secrets.METADATA_DEFAULT_VALUE) {
+        return api.access.deny('missing metadata default value');
+    }
+
+    const metadataValue = event.user.user_metadata[metadataKey];
+
+    // quit early if metadata is already set
+    if (metadataValue) {
+        return;
+    }
+
+    const metadataDefaultValue = event.secrets.METADATA_DEFAULT_VALUE;
+
+    if (!event.secrets.CLIENT_ID) {
+        return api.access.deny('missing client id');
+    }
+
+    const clientId = event.secrets.CLIENT_ID;
+
+    if (!event.secrets.CLIENT_SECRET) {
+        return api.access.deny('missing client secret');
+    }
+
+    const clientSecret = event.secrets.CLIENT_SECRET;
+
+    if (!event.secrets.TENANT_DOMAIN) {
+        return api.access.deny('missing tenant domain');
+    }
+
+    const domain = event.secrets.TENANT_DOMAIN;
+
+    const management = new ManagementClient({
+        domain,
+        clientId,
+        clientSecret,
+        httpTimeout: HTTP_TIMEOUT,
+    });
+
+    await management.users.update(
+        { id: event.user.user_id },
+        {
+            user_metadata: {
+                [metadataKey]: metadataValue || metadataDefaultValue,
+            },
+        }
+    );
+};
+
+/**
+ * Handler that will be invoked when this action is resuming after an external redirect. If your
+ * onExecutePostChallenge function does not perform a redirect, this function can be safely ignored.
+ *
+ * @param {Event} event - Details about the user and the context in which they are logging in.
+ * @param {PasswordResetPostChallengeAPI} api - Interface whose methods can be used to change the behavior of the post challenge flow.
+ */
+// exports.onContinuePostChallenge = async (event, api) => {
+// };
@@ -0,0 +1,22 @@
+id: 'a66b279a-067c-414b-93e8-c35698f8f379'
+name: 'Add Persistent Attributes to the User'
+description: 'Set any preference value to a user (using `user_metadata`).'
+public: true
+triggers:
+    - 'PASSWORD_RESET_POST_CHALLENGE'
+runtime: 'node18'
+modules:
+    - name: 'auth0'
+      version: 'latest'
+sourceUrl: 'https://github.com/auth0/os-marketplace/blob/main/templates/add-persistence-attribute-PASSWORD_RESET_POST_CHALLENGE'
+notes: |
+    **Required Secrets**
+
+    * `METADATA_KEY` - key to be used to store the user preference, for example: 'favorite_color'
+    * `METADATA_DEFAULT_VALUE` - value to be stored for the user preference in the event that it does not already exist, for example: 'blue'
+    * `CLIENT_ID` - client id for an application that is permitted to update your users
+    * `CLIENT_SECRET` - corresponding client secret for `CLIENT_ID`, you'll find this in the settings alongside `CLIENT_ID`
+    * `TENANT_DOMAIN` - corresponding tenant domain for `CLIENT_ID`, you'll find this in the settings alongside `CLIENT_ID`
+
+useCases:
+    - 'ENRICH_PROFILE'