We're excited to announce a brand new way to extend Auth0.
If you don't see the actions tab in your dashboard, please see the planned roll out schedule below to check when you will have access.
Answering the Call
At Auth0, we believe that extensibility is one of our most important product features.
Identity for one customer is not always the same thing for the next. Every customer has specific needs and a vast majority want to customize our core product to solve their requirements. To answer this call, we are committed to continually looking for ways to enhance our product capability.
Because every project has a unique use case, we’ve learned over the years that sometimes just simply building features into our core product is not the right approach. Instead, we are continuously brainstorming new tools that will allow you to customize your identity solution as needed.
Auth0 Rules was our first publicly available tool that looked to answer extensibility needs. Rules are serverless code blocks that can be customized to extend Auth0's core capabilities.
They execute after authentication but before identity tokens are issued. Our documentation offers a great list of Rule templates that make it easy to tackle common scenarios out of the box. They can be chained together for modular coding and can be turned off individually.
Rules are really powerful and solve many authentication use cases. We learned through iteration that customers want customization capabilities beyond the login flow.
In response to this learning, we introduced Auth0 Hooks.
Hooks allow custom behavior using a similar custom code setup as Rules. However, they can be executed against several extensibility points. This includes the client credentials exchange as well as pre and post-registration.
Through several learning iterations, we discovered that even though Hooks can run on more extensibility points than Rules, customers want even more capability from our extensibility platform.
That is why we are excited to announce the beta of our next-gen extensibility platform — Auth0 Actions!
What are Auth0 Actions?
Actions are just another tool in your identity solution toolbelt to meet all of your application needs.
Actions are functional services that fire during specific events across multiple identity flows.
This behavior works as a trigger system. The triggers that kick off an Action are extensibility points such as post-login or client credential exchange. The Actions platform is designed for Auth0 to continuously add additional triggers as our core product develops.
This is a beta release, so there are a limited amount of features present with Actions. However, we have many other enhancements in the works and we are looking for feedback!
Action Features
The Actions platform comes with:
✋ Drag N Drop Functionality — The flow editor lets you visually build custom workflows with a drag and drop Action blocks for complete control.
💻 Monaco Code Editor with Quick-hints — Designed with developers in mind, you can easily write JavaScript functions with validation, intelligent code completion, and type definitions with TypeScript support.
You can also securely store and use secrets within your custom functions. Once they are saved, they cannot be read in plain text in the code again.
We have also improved the functionality of your code by allowing access to the full library of NPM packages and modules.
🏢 Serverless (Function as a Service, FaaS) Environment — We host your custom Action functions and we process them when desired. The functions are stored and run on our own infrastructure. This improves overall performance and security for our customers.
💾 Version Control — Everything you love about Git and version control is now available for your custom Actions. You have the ability to store a history of individual Action changes and the power to revert back to previous versions as needed.
📁 Pre-Production Testing — Outside of Actions, custom extensible code is not able to be tested unless rolled to your production environment. We are happy to announce that with Actions, your personal Actions can be drafted, reviewed, and tested before deploying into production
🐛 Debugging — Nothing is worse than getting an error and not having the ability to track down the problem. Actions provide the ability to determine causality by tracking state changes.
Note: If you are a pro user wondering about how this affects Rules and Hooks, don’t worry, as Actions will function separately.
We want to win you over with Actions!
Creating Your First Auth0 Action
Alright, let’s walk through creating your first Action!
Go ahead and login to your Auth0 account. In the left sidebar, there is a new tag titled “Actions”. Go ahead and click on that. You’ll notice that it has two subcategories, “Flows” and “Custom Actions”. Click on "Flows".
If you don't see the actions tab in your dashboard, please see the planned roll out schedule below to check when you will have access.
Flows represent a high-level operation within Auth0. There are currently two identity flows that you can add Actions to, “Login” and “M2M” (Machine to Machine). Go ahead and click on “Login”.
This initial view shows the entire authentication flow for your solution, with drag and drop functionality to customize it. If your solution has any Rules already set up, you will see them in this view. Any Rules that are defined will be triggered first, and then they will flow into your Actions.
The top right corner of this view shows a question mark icon. If you click on this, you will be given a pop-over walkthrough of this view.
Let’s click on the “Create Action” option on the right side of this view.
Let’s call this Action “Trigger MFA” and click “Create”.
This next view is where we can customize this new Trigger MFA action.
Right off the bat, you can see the improved code editor, version history button, save as a draft button, and the deploy button.
Unlike with Rules and Hooks, the code editor holistically supports:
- Testing
- Secret management
- Virtually any NPM module
- Linting
- Quick hints
- and TypeScript
Also, async / await is set up by default so you do not need to use callbacks.
In order to see the custom hint functionality, all we need to do is is do CMD + Space (ctrl + space on Windows). Also, by simply hovering over objects such as event and context, you will see their documentation in a pop-up.
Notice on the left side of the editor is a couple of icons. The play icon is how we can test our Action before we deploy it, more on that in a little bit. The key icon is how we can add and use secrets in our Action. For example, when working with APIs, such as the Slack API, we want to make sure we do not expose any API keys accidentally. This is where we can store it once, keep it secure, and reference it in our Actions editor.
Finally, the last box icon is how we can add virtually any NPM module in our Actions.
Let’s go ahead and write out our Action. We are going to write an Action that enforces multi-factor authentication with Guardian.
Notice the return object within the function. This is what we are going to be working on. I am going to type in command as an object, give it a type of "multifactor", as well as a provider of “guardian”.
/** @type {PostLoginAction} */
module.exports = async (event, context) => {
return {
command: {
type: "multifactor",
provider: "guardian"
}
};
};Here, with this code, we are enforcing multi-factor authentication with Guardian.
The command property is checked and executed during the authentication flow. Currently, there are only two commands, "multifactor" and "redirect" (which redirects the user to a provided link after authentication).
Once we are satisfied with our code, we can test this as is, before pushing it to production. We do this by pressing the play icon on the left sidebar and then clicking "Run" at the bottom. This will run our code and display the output on the bottom of the editor. We also have the ability to test different scenarios by updating the test data.
Now, go ahead and click on "Save draft". We can also revert this action to a previously saved or deployed version, by pressing on the version control button on the top of this page. This view shows all saved versions with a push-button revert process.
Now that we’ve tested and are ready to go with our Action, we can deploy it by clicking on the "Deploy" button at the top. If an action is not deployed, it does not appear in our flow Action list.
If we click on the “Custom Actions” back arrow, we can see our newly created Trigger MFA Action. We can also see its Node version, the last updated timeline, and its current status.
Now, let’s actually add this to our flow. Click on the “Flows” tab on the left side navigation, and then click "Login".
This will take us back to our flow builder and our Trigger MFA Action is now available to be dragged and dropped into our login flow.
Once we’ve added our Action to the Flow, to make it final, we need to press on the “Save” then “Apply” buttons.
Now let’s try it out.
As I try logging into my application, I see the expected login form at first.
Once I make it through that page, I am shown the download MFA screen!
Once I’ve set up my MFA app on my phone, I receive a push notification to my phone to allow me to finish authenticating.
And that's all! With Auth0 Actions, we were able to:
- Quickly create a reusable custom Action with a built-in user-friendly code editor
- Test, save, and rollback to different versions of the flow
- Attach it to a trigger
Go ahead and add some on your own and let us know what you think in the comments below!
Beta Limitations & Roll Out
Bindings
At beta launch, we will be limiting tenants to 5 bindings (that’s actions + triggers). While our product, in theory,supports an unlimited number of bindings, we want to fully test the back end and the impact on login time for having large sets of bindings.
Logging
We will be limiting log-retention and log sizes during beta as we learn from users' usage.
Triggers
Client Credential Exchange and Post Login will be the first two triggers supported with more coming over the course of the beta.
Rules Parity
Actions will be at full parity with Rules at beta launch with added functionality.
Hooks Parity
Actions will be at parity for client credential exchange at beta launch.
Private Cloud
After the beta period, Actions will be included in future Private Cloud releases.
Planned Roll Out
- October 27th: Beta will open in Australia
- November 5th: Beta will open in Europe
- November 9th: Beta will open in the Americas
- November 16th: Avocado Labs Actions live stream
What's Coming?
Actions will be an iterative platform that we will continually improve upon. Our vision for Actions includes expanding the number of triggers (extensibility points) you can use to customize Auth0 and introducing new ways to reuse code so you don’t have to keep writing and maintaining large amounts of custom code.
We'd love to hear what you think about Actions. Be sure to comment let us know of any future integrations you'd like to see
This is just the beginning of Auth0 Actions, and we can't wait to see where we can take it with your feedback!
