rules's Introduction

Auth0 Rule Templates

This repo contains Rule templates that appear in the Auth0 Dashboard when you create a new Rule.

Contributing

We appreciate feedback and contribution to this repo! Before you get started, please see the following:

If you're considering developing a new Rule template, please submit an Issue to discuss with our team. If you'd like to write an integration for the Auth0 Marketplace, please see our Partners page to get started.

  1. Read the Contributing guidelines above
  2. Make your changes in src/rules by changing an existing template or by adding a new file for a new template
  3. If you're adding a new Rule, include the following metadata at the top:
     • @title 3-5 word title of the rule
     • @overview brief, one-sentence description of the rule
     • @gallery set to true
     • @category use "access control", "enrich profile", "multifactor", "guardian", "debugging", "saml", or "default"
     • A detailed, multi-line, Markdown-enabled description of the rule, including any required configuration keys
  4. Ensure tests run in both Node v8 and Node v12 using a tool like nvm
  5. Make sure to test your Rule in Auth0 directly to make sure it can be saved without errors and that it does what you expect during login
  6. Submit your PR following the "fork and pull" workflow described here
  7. Fill out the PR template completely and our team will review as soon as we're able
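The following is an added example, not code from this repository: it checks a template's metadata header against the checklist above and then compiles and runs the template locally, the way the Auth0 pipeline calls a Rule as `function (user, context, callback)` with sandbox globals such as `configuration` and `UnauthorizedError` in scope. The template, the configuration key `ALLOWED_DOMAINS`, the domain values and the user objects are all constructed for the example.

```javascript
// Added example (not code from the auth0/rules repository): validate a
// template's metadata header, then compile and run the template locally.
// The template, configuration values and user objects are constructed.

const ALLOWED_CATEGORIES = [
  'access control', 'enrich profile', 'multifactor', 'guardian',
  'debugging', 'saml', 'default',
];

// Constructed template in the shape the checklist asks for.
// ALLOWED_DOMAINS is a hypothetical configuration key for this example.
const SAMPLE_TEMPLATE = `/**
 * @title Email domain whitelist
 * @overview Allow login only for verified email addresses on a whitelisted domain.
 * @gallery true
 * @category access control
 *
 * Denies access unless the user's email is verified and its domain is listed
 * in the rule configuration key ALLOWED_DOMAINS (comma-separated, e.g.
 * "example.com, corp.example").
 */
function (user, context, callback) {
  var allowed = (configuration.ALLOWED_DOMAINS || '').split(',')
    .map(function (d) { return d.trim().toLowerCase(); })
    .filter(Boolean);
  var email = (user.email || '').trim().toLowerCase();
  var at = email.indexOf('@');
  // Require a verified address with exactly one '@' so the domain is unambiguous.
  if (!user.email_verified || at < 1 || at !== email.lastIndexOf('@')) {
    return callback(new UnauthorizedError('Verified email required'));
  }
  if (allowed.indexOf(email.slice(at + 1)) === -1) {
    return callback(new UnauthorizedError('Email domain not allowed'));
  }
  callback(null, user, context);
}
`;

// Extract @tags and the free-text description from the leading /** ... */ block.
function parseRuleMetadata(source) {
  const header = source.match(/^\s*\/\*\*([\s\S]*?)\*\//);
  if (!header) throw new Error('template must start with a /** ... */ metadata comment');
  const meta = { description: [] };
  for (const raw of header[1].split('\n')) {
    const line = raw.replace(/^\s*\*\s?/, '');
    const tag = line.match(/^@(\w+)\s*(.*)$/);
    if (tag) meta[tag[1]] = tag[2].trim();
    else meta.description.push(line);
  }
  meta.description = meta.description.join('\n').trim();
  return meta;
}

// Return a list of problems; an empty list means the header passes the checklist.
function validateRuleMetadata(meta) {
  const errors = [];
  const words = (meta.title || '').split(/\s+/).filter(Boolean).length;
  if (words < 3 || words > 5) errors.push('@title must be 3-5 words');
  if (!meta.overview) errors.push('@overview is required');
  if (meta.gallery !== 'true') errors.push('@gallery must be true');
  if (!ALLOWED_CATEGORIES.includes(meta.category)) {
    errors.push('@category must be one of: ' + ALLOWED_CATEGORIES.join(', '));
  }
  if (!meta.description) errors.push('a Markdown description is required');
  return errors;
}

// Stand-in for the sandbox's UnauthorizedError used to deny a login.
class UnauthorizedError extends Error {}

// Turn the anonymous `function (user, context, callback)` into a callable by
// making it an expression, with the sandbox globals the template relies on
// passed in as parameters instead of being looked up globally.
function compileRule(source, sandbox) {
  const body = source.replace(/^\s*\/\*\*[\s\S]*?\*\//, '').trim();
  const names = Object.keys(sandbox);
  const factory = new Function(...names, 'return ' + body);
  return factory(...names.map((n) => sandbox[n]));
}

// Invoke a synchronous rule and capture what it handed to callback().
function runRule(rule, user, context) {
  let result;
  rule(user, context, (err, u, c) => { result = { err, user: u, context: c }; });
  return result;
}

function demo() {
  const meta = parseRuleMetadata(SAMPLE_TEMPLATE);
  const rule = compileRule(SAMPLE_TEMPLATE, {
    configuration: { ALLOWED_DOMAINS: 'example.com, corp.example' },
    UnauthorizedError,
  });
  return {
    meta,
    errors: validateRuleMetadata(meta),
    allowed: runRule(rule, { email: 'Alice@Example.com', email_verified: true }, {}),
    wrongDomain: runRule(rule, { email: 'mallory@evil.test', email_verified: true }, {}),
    unverified: runRule(rule, { email: 'bob@example.com', email_verified: false }, {}),
  };
}
```

Running `demo()` before opening a PR catches a bad `@category` or a missing description without a tenant, and exercises the template against a mixed-case address, a foreign domain and an unverified email; the rule itself still has to be saved and tried in Auth0 as step 5 says, since the real sandbox exposes more globals than the two injected here.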

Support + Feedback

  • Use the Support Center for questions on implementation and issues with a Rule installed in your tenant
  • Use Issues here for code-level support and bug reports within the templates

Vulnerability Reporting

Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

What is Auth0?

Auth0 helps you to easily:

  • implement authentication with multiple identity providers, including social (e.g., Google, Facebook, Microsoft, LinkedIn, GitHub, Twitter, etc), or enterprise (e.g., Windows Azure AD, Google Apps, Active Directory, ADFS, SAML, etc.)
  • log in users with username/password databases, passwordless, or multi-factor authentication
  • link multiple user accounts together
  • generate signed JSON Web Tokens to authorize your API calls and flow the user identity securely
  • access demographics and analytics detailing how, when, and where users are logging in
  • enrich user profiles from other data sources using customizable JavaScript rules

License

These Rule templates are licensed under the MIT license; see the LICENSE file in the repo.

rules's People

Contributors

adam-auth0, amaanc, cristiandouce, dafortune, dschenkelman, eugeniop, fyockm, glena, jfromaniello, joshbetz, joshcanhelp, lobo, marygreenleeauth0, mcidw, mgonto, nicosabena, ntotten, pose, rolodato, rrexford, saltukalakus, sandrinodimattia, shawnmclean, siacomuzzi, tehsis, thameera, tophermarie, twistedstream, woloski, zxan1285

rules's Issues

Merge identities by email overrides the original user_id

I am using the rule to merge identities by email. However, when the merge occurs, the user's user_id changes to that of the most recently added identity.

Such behavior causes a lot of identity issues - for example, when you try to get the user in a database using the user_id as the search key.

Instead of overriding the original user_id, this rule should just add the new identity to the original one and keep its user_id.

Broken relative links

Any link here that includes .md in it is likely broken.

We should use absolute links instead of relative ones to support Dashboard templates and the documentation pages at the same time.

Link Accounts with Same Email Address not working as expected

Scenario 1: this logic works fine if the user first signs up with email and then uses social (fb/twitter etc.) for signup; it will link all the accounts properly.

Scenario 2: if we first use social (fb/twitter etc.) and then use simple email signup, it will create two different accounts, which is not desired; instead it should give a warning that this email is already registered.

Note: in scenario 2, if the user verifies his id and logs in again, the accounts will be merged then, but it keeps two different accounts before that.

IMP: if you try to change the password after signing up with a social provider you will get an error on the Auth0 dashboard that the user does not exist:

Type | Failed Change Password
Description | User does not exist.
Connection | Username-Password-Authentication

This does not happen in any real-world application; I don't know what the intent is, please guide me if I understood it wrongly.

Linking accounts takes all user details from the primaryUser and overrides all modified attributes of the current user

One of my rules adds some extra attributes to the user, like given_name and family_name, and I can see these attributes returned from Auth0 after authentication.

However, if I add a rule for linking accounts before the existing rule, and set the primaryUser attribute in context, then even though the next rule still adds the extra attributes, the payload returned by Auth0 only contains those owned by the primary user stored on Auth0.

Is this expected behaviour? Or did I miss something?

Thanks.

Doesn't work for mobile app (OAuth) users

As far as we can see, Auth0 doesn't detect OAuth connections (using a refresh token) as a login. Neither the login count nor other user properties are updated (devices, for instance, or the last login date do not reflect a user who uses a mobile app rather than a web browser). Is there a solution available for this (can mobile logins be detected), or does the design need to change to get this fixed?

Yubico-MFA doesn't receive OTP code

When the user provides the OTP code the form is correctly submitted with the otp code, however it doesn't appear in either the context or req parameters. This means 'undefined' is passed through to the Yubico validation servers and the auth fails.

I can't find any way of getting the otp value other than sending it through as a GET parameter instead.

What are the contexts in which I can use rules

The very definition "Rules are code snippets written in JavaScript that are executed as part of the authentication pipeline in Auth0" makes rules one of the most powerful features of the Auth0 platform. However, the statement "Create authorization rules based on complex logic (anything that can be written with node.js)." on the page at https://auth0.com/docs/rules indicates that one can use rules only if the app is hosted on node.js.

I think that Auth0 should be completely platform agnostic, so I would like to know how I can use rules in an Angular app hosted by ASP.NET.

Encapsulating code in different files that can be required by the rules

Hi,

I'd like to know if there is a way for the rules to load code via require so I can reuse, encapsulate and test the core validation functions.

I've tried to create a structure similar to:

rules/
  email-domain-validation.js
core/
  domain.js
  whitelist.js

In my approach /rules/email-domain-validation.js tries to load code from /core/domain.js via require('../core/domain.js') as you normally would do in a node.js project.

However, when Auth0 runs the email-domain-validation.js rule, I can see the following error in the logs: "description": "Cannot find module '../core/domain'".

I haven't put core under rules since Auth0 would take those files as rules, which they aren't (my first approach was to place the core folder under rules).

Is there any way for solving this?

User properties when changing `context.primaryUser`

So we have this rule that merges a user logging in into a previously existing identity. As explained in #71, context.primaryUser must be updated accordingly in that particular case.

But it is kind of weird and unclear what happens next when calling callback(null, user, context) with user being the user that was merged into the previous account (the original user that was used to call the rule).

  • More specifically, what will be the user_id of the user in the next rule?
  • Do we need to update all the properties of user (user.app_metadata, user.user_metadata, user.first_name, etc.) with those of the primary user before calling the next rule, or will Auth0 automatically reload the properties of user if context.primaryUser has changed?
  • Why shouldn't we call callback(null, otherPrimaryUser, context)? (I have the impression that this will cause an "Unable to construct sso user." error in some cases, but I can't figure out when.)

redirect-rules/simple - Still valid?

I'm following all the steps here:
https://github.com/auth0/rules/tree/master/redirect-rules/simple

Using the following URL:

https://DOMAIN.auth0.com/authorize?response_type=token&scope=openid%20profile&client_id=CLIENT_ID&redirect_uri=http://jwt.io&connection=Username-Password-Authentication

I'm redirected to

https://nasbnation.auth0.com/login/callback?state=S7dScBNwLS1HVt_D9DqIQ5NIXtOlBtQ8

I get the following response:

Invalid redirect URL https://wt-peter-auth0_com-0.run.webtask.io/simple-redirect-rule-consent-form';var CONSENT_FORM_URL = 'https://wt-peter-auth0_com-0.run.webtask.io/simple-redirect-rule-consent-form?auth0_domain=nasbnation.auth0.com

My real-time Webtask Logs return:

9:36:59 PM: new webtask request 1507167419882.564674
9:36:59 PM: finished webtask request 1507167419882.564674 with HTTP 200 in 107ms

Am I missing something? Perhaps the library has changed?

Dynamics CRM

create a rule to feed dynamics CRM contacts based on signups/logins

How to use replyWithError with return reject using nock?

I am making https request from my js file like:

// `request` and `user` come from the enclosing Rule scope
// (`var request = require('request');` and the rule's `user` argument).
function createProfile(accessToken) {
  return new Promise(function (resolve, reject) {
    var payLoad = JSON.stringify({
      Name: user.name,
      Email: user.email
    });

    request({
      url: "{mydomain}/profile",
      headers: {
        'Authorization': 'Bearer ' + accessToken,
        'content-type': 'application/json'
      },
      body: payLoad,
      method: "POST"
    }, function (error, response, body) {
      if (error) {
        return reject(error);
      }
      if (response.statusCode === 200) {
        var profile = JSON.parse(body);
        return resolve(profile);
      }
      // reject with a real Error so the caller can see why the call failed
      return reject(new Error('unexpected status ' + response.statusCode));
    });
  });
}

Now when I am using nock for this method like this:

nock("{mydomain}", { reqheaders: { 'Authorization': 'Bearer ' + accessToken } })
  .post('/profile', function (body) {
    const expectations = {
      Name: user.name,
      Email: user.email,
    };
    expect(body).toEqual(expectations);
    return true;
  })
  .replyWithError('profile error');

This throws the error 'profile error' in cmd. If I change return reject(error) to return callback(error) then it works fine and my test case passes. How can I reply with an error for return reject(error)?

Salesforce

create a rule that create a new lead using Salesforce API

Has this worked for anyone?

I am having problems with this against parse running on AWS.
Issue is described here
but the short summary is that if I do a GET and then a POST it fails. An individual GET or POST works just fine. On the server I get:
Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:1337 (127.0.0.1) failed [Sat Dec 03 02:10:18.478083 2016] [proxy_http:error] [pid 1149] ...

On the Parse server I get an exception around line 390 in ParseServer.js, "address in use"... but only when the POST comes after the GET failure.

Document *all* variables available in rules.

Is there any complete documentation about the variables available within rules? I can find no reference in the documentation to the auth0 object, yet it's used here

https://github.com/auth0/rules/blob/2392ea11601ec0b220e4b3c3a2408cd3a1f50233/redirect-rules/simple/rule.js

as auth0.baseUrl. (This is very helpful, for instance, if I need to do a client-credentials grant against the current Auth0 account without hardcoding.)

As a user, having undocumented variables in examples is incredibly confusing. I'd love to see the documentation updated to include all the variables that are available within a rule (including globals).

Linting rules

Hi! Rules are awesome - currently sinking my teeth into them.

I'm sure someone has had this question before but I can't find it: Is there an easy way to set up linting for Rules functions?

Specifically, when running eslint over a Rule, it hits "Parsing error: unexpected token (" at function ( user, context, callback ) {, because the function is anonymous and isn't assigned to something like module.exports.

Account linking rule should handle invalid email error and allow login

if (response.statusCode !== 200) return callback(new Error(body));

For some IdPs user.email will be undefined or empty (fb/twitter won't return the user's email due to privacy settings or if the user signed up with a phone number). In such cases it would be ideal to skip account linking and continue the login flow (previously, with the user search API, it returned an empty array; however, the /users-by-email endpoint returns a query validation error).

Possible fix

if (!user.email_verified || !user.email) {
  return callback(null, user, context);
}

Link account w/ metadata merge can cause loss of primary user metadata

The Link Accounts with Same Email Address while Merging Metadata rule as written will cause metadata on the original/primary user to be deleted if the current/secondary user has no metadata. This is because PATCH /api/v2/users/{id} effectively treats user_metadata: {}, app_metadata: {} as a delete of those fields.

In these cases the rule should skip the updateAppMetadata() calls to avoid the loss.

Convert sms-mfa redirect rule sample into email mfa

The sms-mfa redirect rule sample is now obsolete since Auth0 now offers built-in support for SMS MFA. However, we don't yet offer an email equivalent for MFA (send a magic link in an email as a second factor), so this sample could be changed to do that instead, since the configuration is very similar. The one nice thing about email Passwordless is that it doesn't require the setup of a Twilio account.

Can I Require?

Not sure if this is the correct place for this, but your canirequire page is broken, due to a problem with jQuery.

On page load it receives this error:

auth0-extensions.github.io/:48 GET https://code.jquery.com/jquery-3.3.1.min.js net::ERR_SSL_VERSION_INTERFERENCE

Rule that collects user's e-mail on twitter is incorrect

This line should have the "long function" shown here instead of the following two lines:

user.app_metadata = user.app_metadata || {};
var email = user.email || user.app_metadata.social_email;

These two lines are wrongly added as a rule when the user clicks on Get e-mail address from Twitter template rule on our dashboard.

link-users-by-email won't work with github

Original account: google-oauth-2
New account: github

If I try this combination I get a Bad Request response and the following hash response:

#error=access_denied&error_description=Error%20linking%20account%3A%20Bad%20Request&state=G8I.4LschBFHZeY0G_UBFy.ddl4c7KLH

Rules not applied when impersonating user

Is it correct that rules are not applied when I log on as another user using the impersonation feature?

If so, then how are we supposed to be able to use rules to their full potential? I add extra claims during login; those are missing when I'm impersonating the user.

Firebase token rule is 404

The rule for generating Firebase tokens in the readme is gone. It's highlighted in the readme as Get a Firebase Session Token. I'd be interested to see it. Can it come back?

Logic in send mail with mailgun is incorrect

The rule mailgun.md contains this at the start

function(user, context, callback) {
  user.app_metadata = user.app_metadata || {};
  if (!user.app_metadata.signedUp) {
    return callback(null, user, context);
  }

but the logic in the if statement is wrong and should not have the !

if (user.app_metadata.signedUp) {

Linking user account logic not aligned with documentation

Documentation states

Note, that if the primary account changes during the authorization transaction (for example, the account the user has logged in with, becomes a secondary account to some other primary account), you could get an error in the Authorization Code flow or an id_token with the wrong sub claim in the token flow. To avoid this, set context.primaryUser = 'auth0|user123' in the rule after account linking. This will tell the authorization server to use the user with id auth0|user123 for the rest of the flow.

This would be our desired behavior. However when actually using this rule I'm not seeing this logic applied: the sub is still the user id of the secondary (to be removed) account.

Parse session token

Hi,

Once I log out from Parse using Parse.User.logout() and try to log in again with Auth0, the session token seems no longer valid and is not updated.

ParseError {code: 209, message: "invalid session token"}

Adding another query param when setting context.redirect.url

I'd like to redirect users after they register to our service and pass the state and a JWT we created in the rule that contains things like their user id, email, etc... Essentially the problem we're trying to solve is that we want to kick off a bunch of tasks when a new user registers.

When I add ?token=${token}, state is not passed anymore, so it appears I can't pass both in. There are no docs for how rules work under the hood as far as I can tell, so it appears it just doesn't work.

Is there a better way to do this? Am I missing something?

Thanks,
Matt

Feedback: Maybe use a named function in all examples

It looks like Auth0 encourages to write rules like this in current docs:

function (user, context, callback) {
  context.idToken["http://mynamespace/hello"] = "world";
  console.log('===> set "hello" for ' + user.name);
  callback(null, user, context);
}

As you probably know, this code snippet alone throws a SyntaxError.

I guess you save this function into a variable internally...?

It would be nice, however, to use named functions in all docs instead.

This will help with tooling compatibility. For example, I can now prettify my rules 👍. This will also help when I want to preprocess my rules (e.g. with TypeScript) before uploading them.

Issue with targetUserId in link-users-by-email rule

Hi,

I was playing around with this rule today and noticed some strange behavior. My user got all users from a specific connection assigned to his identity. This was the case with an ADFS connection whose user id consists of three parts, not just two:

provider|ConnectionName|userid

As far as I can tell it is related to this piece of code:

 var aryTmp = targetUser.user_id.split('|');
 var provider = aryTmp[0];
 var targetUserId = aryTmp[1];

In the end I replaced it with a function like this:

  // keep everything after the first '|', so "adfs|ConnectionName|userid"
  // yields "ConnectionName|userid" instead of just "ConnectionName"
  function getUserIdFromFullId(fullId) {
    var parts = fullId.split('|');
    var userId = parts[1];

    for (var i = 2; i < parts.length; i++) {
      userId += '|' + parts[i];
    }

    return userId;
  }

? auth0 redirection is not available on /oauth/token endpoint

The sms-mfa example is slick, and I seem to have gotten it implemented for use as part of a non-hosted login scenario. However, when it tries to redirect to the webtask, Auth0 errors out with "auth0 redirection is not available on /oauth/token endpoint".

Is there a config somewhere that needs to be set as well for this to work in that case?

How to write unit tests for Auth0 rules

I have multiple rules in my tenant and now I want to write unit tests for them. The issue is that the docs (https://auth0.com/docs/support/testing) say we can use the https://www.npmjs.com/package/auth0-rules-testharness module to unit test our rules, but I think the explanation is old and not updated, because in the sample project (https://github.com/tawawa/auth0-rules-testharness-sample) we need to add a webtask token and a sandbox URL, and now we can't find the webtask token in the Auth0 dashboard (https://manage.auth0.com/#/account/webtasks). Also, where can I get this sandbox URL? Any help?

Rules to link accounts by email are case-sensitive

I've encountered an issue in which a user signs up with multiple connections associated with the same email address and the automatic account linking rule fails to link them. Eventually I tracked this down to the fact that the users-by-email endpoint performs a case-sensitive search, which is very surprising. The user signed up for an email/password account as [email protected], but their Google account has [email protected] as the associated email address.

In practice, email addresses are treated in a case-insensitive manner, and the Auth0 web console performs case-insensitive search for email addresses. It seems like anyone using these rules to link accounts with matching emails would want it to handle differing case, since some providers will report differing case for a given email address (i.e. not everyone normalizes addresses to lower-case).
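The following is an added example, not a rule from this repository. It pulls the linking edge cases reported in the issues above (skipping when the email is missing or unverified, the metadata PATCH deleting the primary's metadata when {} is sent, user_ids with more than one '|', and case-differing addresses) into pure decision functions that can be unit tested offline. The HTTP calls to users-by-email, the identities endpoint and the user PATCH are left to the caller; every id, email and metadata value below is constructed, and choosing the pre-existing account as primary (with its metadata winning on conflict) is a design choice of this example rather than the behaviour of the repository's rule.

```javascript
// Added example, not a rule from the auth0/rules repository: the decision and
// request-building part of an account-linking rule as pure functions. The HTTP
// calls (GET /api/v2/users-by-email, POST /api/v2/users/{id}/identities,
// PATCH /api/v2/users/{id}) are left to the caller. All ids, emails and
// metadata values below are constructed sample data.

// Compare addresses in trimmed lower-case form, since providers disagree on case.
function normalizeEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : '';
}

// Split "provider|rest" where rest may itself contain '|' (ADFS ids look like
// "adfs|ConnectionName|userid"), so the id is not truncated at the second '|'.
function splitUserId(fullId) {
  const sep = fullId.indexOf('|');
  if (sep <= 0 || sep === fullId.length - 1) {
    throw new Error('unexpected user_id format: ' + fullId);
  }
  return { provider: fullId.slice(0, sep), userId: fullId.slice(sep + 1) };
}

// Body for PATCH /api/v2/users/{primary}. Keys whose merged value would be {}
// are omitted, because the API treats {} as deleting that field. On conflict
// the primary's values win (a design choice of this example).
function buildMetadataPatch(primary, secondary) {
  const patch = {};
  for (const key of ['user_metadata', 'app_metadata']) {
    const merged = Object.assign({}, secondary[key] || {}, primary[key] || {});
    if (Object.keys(merged).length > 0) patch[key] = merged;
  }
  return patch;
}

// `user` is the identity that just logged in; `candidates` stands in for the
// users-by-email response. The pre-existing account becomes the primary and the
// new identity is linked into it, so the caller must set context.primaryUser
// to primaryUserId for the rest of the transaction.
function planAccountLink(user, candidates) {
  if (!user.email || !user.email_verified) {
    return { action: 'skip', reason: 'email missing or not verified' };
  }
  const email = normalizeEmail(user.email);
  // Only link into accounts whose own email is verified: an unverified account
  // carrying this address could have been created by anyone who knew it.
  const matches = candidates.filter((c) =>
    c.user_id !== user.user_id && c.email_verified === true &&
    normalizeEmail(c.email) === email);
  if (matches.length === 0) return { action: 'skip', reason: 'no other verified account' };
  if (matches.length > 1) return { action: 'skip', reason: 'ambiguous: several verified accounts' };
  const primary = matches[0];
  const { provider, userId } = splitUserId(user.user_id);
  return {
    action: 'link',
    primaryUserId: primary.user_id,
    linkBody: { provider: provider, user_id: userId },
    metadataPatch: buildMetadataPatch(primary, user),
  };
}

// Constructed sample data: an existing database user and an ADFS login with
// the same address in different case and a three-part user_id.
const SAMPLE_CANDIDATES = [
  { user_id: 'auth0|5f1c2e0a', email: 'Jane.Doe@Example.com', email_verified: true,
    user_metadata: { theme: 'dark' }, app_metadata: {} },
];
const SAMPLE_USER = {
  user_id: 'adfs|CorpADFS|jdoe', email: 'jane.doe@example.com', email_verified: true,
  user_metadata: {}, app_metadata: {},
};
```

With the sample data, `planAccountLink(SAMPLE_USER, SAMPLE_CANDIDATES)` returns a link plan whose `linkBody` keeps `CorpADFS|jdoe` intact and whose `metadataPatch` carries only `user_metadata`, so the existing `theme` value survives and no empty `app_metadata` object is sent; a login without a verified email, or a match whose own email is unverified, produces a skip and the login continues unlinked.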

NewRelic

feed newrelic with logins/signup events

Splunk

feed splunk with signup/login events
