Sample Use Cases: Actions with Authorization

Auth0 Actions allow you to modify or complement the outcome of the decision made by a pre-configured authorization policy so that you can handle more complicated cases than is possible with role-based access control (RBAC) alone. Based on the order in which they run, Actions can change the outcome of an authorization decision prior to permissions being added to the Access Token. They can also allow you to customize the content of your tokens.

Allow access only on weekdays for a specific application

Let's say you have an application that should be accessible only on weekdays. Create a new Action, and select the Login / Post Login trigger because you’ll be adding the Action to the Login flow. Copy the following code to the Actions Code Editor:

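exports.onExecutePostLogin = async (event, api) => {
  // Only restrict the application named here.
  if (event.client.name === "APP_NAME") {
    // getDay() returns 0 (Sunday) through 6 (Saturday) in the runtime's local time zone.
    const d = new Date().getDay();

    if (d === 0 || d === 6) {
      api.access.deny("This app is only available during the week.");
    }
  }
};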

Finally, add the Action you created to the Login Flow. To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in Write Your First Action.

If a user attempts to access the application during the weekend, access will be denied, even if they authenticate and have the appropriate privileges.
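
The check above reads the day from the runtime's clock and time zone, which may not match the business's calendar at the weekend boundary. The following is an added example, not Auth0's code: it makes the same decision in an assumed business time zone and runs it locally against a stubbed `api` object. `BUSINESS_TZ`, the helper names and the sample instants are assumptions made for illustration.

```javascript
// Added example, not Auth0's code. BUSINESS_TZ and all helper names are assumptions.
const BUSINESS_TZ = "America/New_York";

// Short weekday name ("Mon" ... "Sun") of `date` as seen in `timeZone`.
function weekdayIn(date, timeZone) {
  return new Intl.DateTimeFormat("en-US", { weekday: "short", timeZone }).format(date);
}

function isWeekend(date, timeZone) {
  const day = weekdayIn(date, timeZone);
  return day === "Sat" || day === "Sun";
}

// Same decision as the Action above, with the clock injectable for tests.
// In the Actions editor this would be assigned to exports.onExecutePostLogin.
function onExecutePostLogin(event, api, now = new Date()) {
  if (event.client.name === "APP_NAME" && isWeekend(now, BUSINESS_TZ)) {
    api.access.deny("This app is only available during the week.");
  }
}

// Stub of the `api` argument: records deny() reasons instead of ending a login.
function makeApiStub() {
  const denials = [];
  return { denials, access: { deny: (reason) => denials.push(reason) } };
}

// Runs the handler for one constructed login and returns the recorded denials.
function simulate(clientName, isoInstant) {
  const api = makeApiStub();
  onExecutePostLogin({ client: { name: clientName } }, api, new Date(isoInstant));
  return api.denials;
}

// Constructed instants around the weekend boundary (8 June 2024 is a Saturday).
const cases = [
  ["APP_NAME", "2024-06-08T02:00:00Z"], // Saturday in UTC, Friday 22:00 in New York
  ["APP_NAME", "2024-06-08T16:00:00Z"], // Saturday noon in New York
  ["APP_NAME", "2024-06-10T02:00:00Z"], // Monday in UTC, Sunday 22:00 in New York
  ["OTHER_APP", "2024-06-08T16:00:00Z"], // weekend, but a different application
];
for (const [client, instant] of cases) {
  const denied = simulate(client, instant).length > 0;
  console.log(`${client} ${instant} -> ${denied ? "denied" : "allowed"}`);
}
```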

Allow access only to users who are inside the corporate network

Let's say you want to allow access to an application, but only for users who are accessing the application from inside your corporate network. Create a new Action, and select the Login / Post Login trigger because you’ll be adding the Action to the Login flow. Copy the following code to the Actions Code Editor:

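const ipaddr = require("ipaddr.js");

exports.onExecutePostLogin = async (event, api) => {
  // Corporate range as [address, prefix length]; the first 26 bits are compared.
  const corpNetwork = ipaddr.parseCIDR("192.168.1.134/26");
  // process() parses the address and unwraps IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4.
  const currentIp = ipaddr.process(event.request.ip);

  // match() throws when the address families differ, so compare kinds first.
  if (currentIp.kind() !== corpNetwork[0].kind() || !currentIp.match(corpNetwork)) {
    api.access.deny("This app is only available from inside the corporate network.");
  }
};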

Finally, add the Action you created to the Login Flow. To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in Write Your First Action.

If the user is outside the corporate network, they will be denied access even if they successfully authenticate and have the appropriate privileges.

Deny access to anyone calling an API

Let's say you want to deny access to all users who are calling an API. This means that you need to deny access depending on the identifier value for your API, which you can find in the API Audience field of your API at Auth0 Dashboard > Applications > APIs. Create a new Action, and select the Login / Post Login trigger because you’ll be adding the Action to the Login flow. Copy the following code to the Actions Code Editor:

exports.onExecutePostLogin = async (event, api) => {
  // In Actions, an API will be referred to as a Resource Server.
  const { identifier } = event.resource_server || {};
  if (identifier === "https://api.example.com") {
    api.access.deny("end_users_not_allowed");
  }
}

Finally, add the Action you created to the Login Flow. To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in Write Your First Action.

In this case, the identifier value for the API is https://api.example.com, so this is the audience we will refuse.

Add user roles to tokens

To add user roles to Auth0-issued tokens, use the event.authorization object along with the api.idToken.setCustomClaim and api.accessToken.setCustomClaim methods. Create a new Action, and select the Login / Post Login trigger because you’ll be adding the Action to the Login flow. Copy the following code to the Actions Code Editor:

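exports.onExecutePostLogin = async (event, api) => {
  // Prefix for the custom claim name, so it does not collide with standard claims.
  const namespace = 'https://my-app.example.com';
  // Add the user's roles to both the ID Token and the Access Token.
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};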

Finally, add the Action you created to the Login Flow. To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in Write Your First Action.

Remember:

  • The JWT returned to the requesting application is built and signed at the end of the trigger processing. The final, signed JWT is not accessible in an Action.