Actions Triggers: post-login - Event Object

The event object for the post-login Actions trigger provides contextual information about a single user logging in via Auth0.

Property Description

event.authentication

(Optional)

Details about authentication signals obtained during the login flow.

Includes the following properties:

  • methods Array of objects.

    Contains the authentication methods a user has completed during their session.

    Array elements:

    • One of the following object schemas:

      • An object with the following properties:

        • name String.

          The name of the first factor that was completed. Values include the following:

          • "federated" A social or enterprise connection was used to authenticate the user as the first factor.
          • "pwd" A password was used to authenticate a database connection user as the first factor.
          • "passkey" A passkey was used to authenticate a database connection user as the first factor.
          • "sms" A Passwordless SMS connection was used to authenticate the user as the first factor.
          • "email" A Passwordless Email connection was used to authenticate the user as the first factor or verify email for password reset.
          • "phone_number" A phone number was used for password reset.
          • "mock" Used for internal testing.
          • string A custom authentication method denoted by a URL (as second or later factor).
        • timestamp String.
      • An object with the following properties:

        • name The value "mfa". The user completed multi-factor authentication (second or later factors).
        • timestamp String.
  • riskAssessment Optional object.

    Details about risk assessments obtained during the login or password reset flow.

    Includes the following properties:

    • assessments Object.

      Includes the following properties:

      • ImpossibleTravel Optional object.

        Determines if the user is logging in from a location signaling impossible travel.

        Includes the following properties:

        • code String.

          Possible values include:

          • minimal_travel_from_last_login
          • travel_from_last_login
          • substantial_travel_from_last_login
          • impossible_travel_from_last_login
          • invalid_travel
          • missing_geoip
          • anonymous_proxy
          • unknown_location
          • initial_login
          • location_history_not_found
          • assessment_not_available
        • confidence String.

          Possible values include:

          • low
          • medium
          • high
          • neutral
      • NewDevice Optional object.

        Determines if the user is logging in from a known device.

        Includes the following properties:

        • code String.

          Possible values include:

          • match
          • partial_match
          • no_match
          • initial_login
          • unknown_device
          • no_device_history
          • assessment_not_available
        • confidence String.

          Possible values include:

          • low
          • medium
          • high
          • neutral
        • details Optional object.

          Includes the following properties:

          • device Optional string.

            Possible values include:

            • known
            • unknown
          • useragent Optional string.

            Possible values include:

            • known
            • unknown
      • UntrustedIP Optional object.

        Shows if the IP was found in Auth0's repository of low reputation IPs.

        Includes the following properties:

        • code String.

          Possible values include:

          • not_found_on_deny_list
          • found_on_deny_list
          • invalid_ip_address
          • assessment_not_available
        • confidence String.

          Possible values include:

          • low
          • medium
          • high
          • neutral
        • details Optional object.

          Includes the following properties:

          • category Optional string.
          • ip Optional string. The originating IP address of the request.
          • matches Optional string.
          • source Optional string.
    • confidence String.

      Overall risk score.

      Possible values include:

      • low
      • medium
      • high
      • neutral
    • version String.
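
The following post-login Action is an added example, not code from the Auth0 documentation, showing how the optional `event.authentication.methods` and `riskAssessment` fields can drive a step-up or deny decision. The choice of which listed codes count as risky, the reading of `low` confidence as highest risk, and the `assessLogin` helper name are assumptions; `api.access.deny` and `api.multifactor.enable` belong to the post-login `api` object, which this page does not describe.

```javascript
// Policy assumption: which of the listed codes count as risky is our choice.
const RISKY_CODES = {
  ImpossibleTravel: ["impossible_travel_from_last_login", "anonymous_proxy"],
  NewDevice: ["no_match"],
  UntrustedIP: ["found_on_deny_list"],
};

// Pure decision function so the policy can be tested without a tenant.
function assessLogin(event) {
  const auth = event.authentication || {}; // event.authentication is optional
  const methods = Array.isArray(auth.methods) ? auth.methods : [];
  const mfaDone = methods.some((m) => m.name === "mfa");
  const risk = auth.riskAssessment; // optional as well

  // A missing assessment is "no signal", not "low risk".
  if (!risk || !risk.assessments) {
    return { action: mfaDone ? "allow" : "step_up", reasons: ["no_risk_assessment"] };
  }

  const reasons = [];
  for (const [name, codes] of Object.entries(RISKY_CODES)) {
    const a = risk.assessments[name]; // each assessor object is optional
    if (a && codes.includes(a.code)) reasons.push(`${name}:${a.code}`);
  }
  // Assumption: "low" overall confidence marks the riskiest logins.
  if (risk.confidence === "low") reasons.push("overall:low");

  const denyListed = reasons.includes("UntrustedIP:found_on_deny_list");
  if (denyListed && risk.confidence === "low") return { action: "deny", reasons };
  if (reasons.length > 0 && !mfaDone) return { action: "step_up", reasons };
  return { action: "allow", reasons };
}

// Action entry point: translate the decision into post-login api calls.
const onExecutePostLogin = async (event, api) => {
  const { action } = assessLogin(event);
  if (action === "deny") api.access.deny("Login blocked by risk policy");
  else if (action === "step_up") api.multifactor.enable("any");
};
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```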

event.authorization

(Optional)

An object containing information describing the authorization granted to the user who is logging in.

Includes the following properties:

  • roles Array of strings. An array containing the names of a user's assigned roles.

event.client

Information about the Client with which this login transaction was initiated.

Includes the following properties:

  • client_id String. The client id of the application the user is logging in to.
  • metadata Dictionary. An object for holding other application properties.
  • name String. The name of the application (as defined in the Dashboard).

event.connection

Details about the Connection that was used to authenticate the user.

Includes the following properties:

  • id String. The connection's unique identifier.
  • metadata Optional dictionary. Metadata associated with the connection.
  • name String. The name of the connection used to authenticate the user (such as twitter or some-g-suite-domain).
  • strategy String. The type of connection. For social connections, event.connection.strategy === event.connection.name. For enterprise connections, the strategy is waad (Windows Azure AD), ad (Active Directory/LDAP), auth0 (database connections), and so on.

event.organization

(Optional)

Details about the Organization associated with the current transaction.

Includes the following properties:

  • display_name String. The friendly name of the Organization.
  • id String. The Organization identifier.
  • metadata Dictionary. Metadata associated with the Organization.
  • name String. The name of the Organization.

event.prompt

(Optional)

Collected data from rendered custom prompts.

Includes the following properties:

  • fields Optional dictionary. Fields and hidden fields data.
  • id String. The prompt ID.
  • vars Optional dictionary. Shared variables data.

event.refresh_token

(Optional)

[Private Early Access] The current refresh token.

Includes the following properties:

  • client_id Optional string. [Private Early Access] The ID of the client associated with the refresh token.
  • created_at String. [Private Early Access] Timestamp of when the refresh token was created.
  • device Optional object.

    Includes the following properties:

    • initial_asn Optional string. [Private Early Access] First autonomous system number associated with this refresh token.
    • initial_ip Optional string. [Private Early Access] First IP address associated with this refresh token.
    • initial_user_agent Optional string. [Private Early Access] First user agent of the device associated with this refresh token.
    • last_asn Optional string. [Private Early Access] Last autonomous system number from which this refresh token was last exchanged.
    • last_ip Optional string. [Private Early Access] Last IP address from which this refresh token was last exchanged.
    • last_user_agent Optional string. [Private Early Access] Last user agent of the device from which this refresh token was last exchanged.
  • expires_at Optional string. [Private Early Access] Timestamp of when the refresh token will absolutely expire.
  • id String. [Private Early Access] The ID of the refresh token.
  • idle_expires_at Optional string. [Private Early Access] Timestamp of when the refresh token will idle expire.
  • resource_servers Optional array of objects.

    Elements include the following properties:

    • audience String. [Private Early Access] The audience of the refresh token.
    • scopes String. [Private Early Access] Scopes of the refresh token.
  • rotating Optional boolean. [Private Early Access] If the refresh token is a rotating refresh token.
  • session_id Optional string. [Private Early Access] The ID of the session bound to the refresh token.
  • user_id Optional string. [Private Early Access] The ID of the user bound to the refresh token.

event.request

Details about the request that initiated the transaction.

Includes the following properties:

  • asn Optional string. The ASN (autonomous system number) of the user-agent making the request.
  • body Dictionary. The body of the POST request. This data will only be available during refresh token and Client Credential Exchange flows and Post Login Action.
  • geoip Object.

    Includes the following properties:

    • cityName Optional string.
    • continentCode Optional string.
    • countryCode Optional string.
    • countryCode3 Optional string.
    • countryName Optional string.
    • latitude Optional number.
    • longitude Optional number.
    • subdivisionCode Optional string.
    • subdivisionName Optional string.
    • timeZone Optional string.
  • hostname Optional string. The hostname that is being used for the authentication flow.
  • ip String. The originating IP address of the request.
  • language Optional string. The language requested by the browser.
  • method String. The HTTP method used for the request.
  • query Dictionary. The query string parameters sent to the authorization request.
  • user_agent Optional string. The value of the User-Agent header received when initiating the transaction.

event.resource_server

(Optional)

Details about the resource server to which the access is being requested.

Includes the following properties:

  • identifier String. The identifier of the resource server. For example: https://your-api.example.com.

event.session

(Optional)

The current login session.

Includes the following properties:

  • authenticated_at Optional string. [Private Early Access] The date and time when the session was last authenticated.
  • clients Optional array of objects.

    [Private Early Access] List of client details for the session.

    Elements include the following properties:

    • client_id String. [Private Early Access] ID of client for the session.
  • created_at Optional string. [Private Early Access] The date and time when the session was created.
  • device Optional object.

    [Private Early Access] Metadata related to the device used in the session.

    Includes the following properties:

    • initial_asn Optional string. [Private Early Access] First autonomous system number associated with this session.
    • initial_ip Optional string. [Private Early Access] First IP address associated with this session.
    • initial_user_agent Optional string. [Private Early Access] First user agent of the device associated with this session.
    • last_asn Optional string. [Private Early Access] Last autonomous system number from which this user logged in.
    • last_ip Optional string. [Private Early Access] Last IP address from which this user logged in.
    • last_user_agent Optional string. [Private Early Access] Last user agent of the device from which this user logged in.
  • expires_at Optional string. [Private Early Access] The date and time when the session will expire.
  • id String. The ID of the current session.
  • idle_expires_at Optional string. [Private Early Access] The date and time when the session will expire if idle.
  • updated_at Optional string. [Private Early Access] The date and time when the session was last updated.
  • user_id Optional string. [Private Early Access] ID of the user which can be used when interacting with other APIs.
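
The `device` objects on `event.refresh_token` and `event.session` share the same `initial_*` and `last_*` fields, so one comparison covers both. This is an added example, not Auth0 code; the helper names and the rule that an ASN change combined with a user-agent change deserves review are assumptions, and the sample values in the usage are constructed.

```javascript
// Compare first-seen and last-seen device attributes recorded on
// event.session.device or event.refresh_token.device.
function deviceDrift(device) {
  if (!device) return []; // device is optional
  const changed = [];
  for (const field of ["asn", "ip", "user_agent"]) {
    const first = device[`initial_${field}`];
    const last = device[`last_${field}`];
    // Every field is optional: report only when both sides are present and differ.
    if (first != null && last != null && first !== last) changed.push(field);
  }
  return changed;
}

// Build a small report suitable for logging or for gating a step-up decision.
function sessionDriftReport(event) {
  const report = {
    session_id: event.session ? event.session.id : null,
    refresh_token_id: event.refresh_token ? event.refresh_token.id : null,
    session: deviceDrift(event.session && event.session.device),
    refresh_token: deviceDrift(event.refresh_token && event.refresh_token.device),
  };
  // Assumption: an IP change alone is routine (DHCP, mobile networks); a new
  // ASN together with a new user agent suggests the credential moved hosts.
  const strong = (c) => c.includes("asn") && c.includes("user_agent");
  report.review = strong(report.session) || strong(report.refresh_token);
  return report;
}

// Constructed sample: documentation-range IPs and ASNs, made-up IDs.
const sampleEvent = {
  session: {
    id: "sess_example",
    device: { initial_ip: "192.0.2.10", last_ip: "192.0.2.44",
              initial_asn: "64500", last_asn: "64500" },
  },
  refresh_token: {
    id: "rt_example",
    device: { initial_ip: "192.0.2.10", last_ip: "198.51.100.7",
              initial_asn: "64500", last_asn: "64511",
              initial_user_agent: "ExampleBrowser/1.0", last_user_agent: "ExampleClient/9.9" },
  },
};
const sampleReport = sessionDriftReport(sampleEvent);
```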

event.stats

Login statistics for the current user.

Includes the following properties:

  • logins_count Number. The number of times this user has logged in.

event.tenant

Details about the Tenant associated with the current transaction.

Includes the following properties:

  • id String. The name of the tenant.

event.transaction

(Optional)

Details about the current transaction.

Includes the following properties:

  • acr_values Array of strings. Any acr_values provided in the original authentication request.
  • linking_id Optional string. Dynamic Linking ID that allows developers to reference this transaction.
  • locale String. The locale to be used for this transaction as determined by comparing the browser's requested languages to the tenant's language settings.
  • login_hint Optional string. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
  • prompt Optional array of strings. List of instructions indicating whether the user may be prompted for re-authentication and consent.
  • protocol Optional string.

    Possible values include:

    • oidc-basic-profile Most used, web-based login.
    • oidc-implicit-profile Used on mobile devices and single-page apps.
    • samlp SAML protocol used on SaaS apps.
    • wsfed WS-Federation used on Microsoft products like Office365.
    • wstrust-usernamemixed WS-trust User/password login used on CRM and Office365.
    • oauth2-device-code Transaction using the Device Authorization Flow.
    • oauth2-resource-owner User/password login typically used on database connections.
    • oauth2-resource-owner-jwt-bearer Login using a bearer JWT signed with user's private key.
    • oauth2-password Login using the password exchange.
    • oauth2-access-token Refreshing a token using the refresh token exchange.
    • oauth2-refresh-token Refreshing a token using the refresh token exchange.
    • oauth2-token-exchange
    • oidc-hybrid-profile Allows your application to have immediate access to an ID token while still providing for secure and safe retrieval of access and refresh tokens.
  • redirect_uri Optional string. The URL to which Auth0 will redirect the browser after the transaction is completed.
  • requested_authorization_details Optional array of objects.

    The details of a rich authorization request per Section 2 of the Rich Authorization Requests spec at https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar#section-2.

    Elements include the following properties:

    • type String. The type of authorization details as a string. The value of the type field determines the allowable contents of the object which contains it.
  • requested_scopes Array of strings. The scopes requested (if any) when starting this authentication flow.
  • response_mode Optional string.

    Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint.

    Possible values include:

    • query
    • fragment
    • form_post
    • web_message
  • response_type Optional array of strings.

    Possible values include:

    • code
    • token
    • id_token
  • state Optional string. An opaque arbitrary alphanumeric string your app adds to the initial request that Auth0 includes when redirecting back to your application.
  • ui_locales Array of strings. The ui_locales provided in the original authentication request.

event.user

An object describing the user on whose behalf the current transaction was initiated.

Includes the following properties:

  • app_metadata Dictionary. Custom fields that store info about a user that influences the user's access, such as support plan, security roles, or access control groups.
  • created_at String. Timestamp indicating when the user profile was first created.
  • email Optional string. (unique) User's email address.
  • email_verified Boolean. Indicates whether the user has verified their email address.
  • enrolledFactors Optional array of objects.

    An array of authentication factors that the user has enrolled.

    Array elements:

    • An object describing an enrolled authentication factor type and any factor-specific options.

      Includes the following properties:

      • options Optional dictionary. Additional options describing this instance of the enrolled factor.
      • type String. The type of authentication factor such as push-notification, phone, email, otp, webauthn-roaming and webauthn-platform.
  • family_name Optional string. User's family name.
  • given_name Optional string. User's given name.
  • identities Array of objects.

    Contains info retrieved from the identity provider with which the user originally authenticates. Users may also link their profile to multiple identity providers; those identities will then also appear in this array. The contents of an individual identity provider object vary by provider.

    Elements include the following properties:

    • connection Optional string. Name of the Auth0 connection used to authenticate the user.
    • isSocial Optional boolean. Indicates whether the connection is a social one.
    • profileData Optional dictionary. User information associated with the connection. When profiles are linked, it is populated with the associated user info for secondary accounts.
    • provider Optional string. Name of the entity that is authenticating the user, such as Facebook, Google, SAML, or your own provider.
    • user_id Optional string. User's unique identifier for this connection/provider.
  • last_password_reset Optional string. Timestamp indicating the last time the user's password was reset/changed. At user creation, this field does not exist. This property is only available for Database connections.
  • multifactor Optional array of strings. List of multi-factor authentication (MFA) providers with which the user is enrolled. This array is updated when the user enrolls in MFA and when an administrator resets a user's MFA enrollments.
  • name Optional string. User's full name.
  • nickname Optional string. User's nickname.
  • phone_number Optional string. User's phone number.
  • phone_verified Optional boolean. Indicates whether the user has verified their phone number.
  • picture Optional string. URL pointing to the user's profile picture.
  • updated_at String. Timestamp indicating when the user's profile was last updated/modified.
  • user_id String. (unique) User's unique identifier.
  • user_metadata Dictionary. Custom fields that store info about a user that does not impact what they can or cannot access, such as work address, home address, or user preferences.
  • username Optional string. (unique) User's username.