Please note that rules also run during the token refresh flow.
- An app initiates an authentication request to Auth0.
- Auth0 routes the request to an Identity Provider through a configured connection.
- The user authenticates successfully.
- The ID Token and/or Access Token is passed through the Rules pipeline, then sent to the app.
What can I use Rules for?
Among many possibilities, rules can be used to:
- Enrich user profiles: query for information on the user from a database/API, and add it to the user profile object.
- Normalize attributes from different providers beyond what is provided by Auth0.
- Reuse information from existing databases or APIs for migration scenarios.
- Keep a white-list of users and deny access based on email.
- Notify other systems through an API when a login happens in real-time.
- Enable counters or persist other information. For information on storing user data, see: Metadata in Rules.
- Modify tokens: Change the returned scopes of the Access Token and/or add claims to it, and to the ID Token.
A Rule is a function with the following arguments:
user: the user object as it comes from the identity provider. Check out the User Object in Rules page for a list of the available user properties.
context: an object containing contextual information of the current authentication transaction, such as the user's IP address, application, or location. Check out the Context Object in Rules page for a list of the available context properties.
callback: a function to send potentially modified tokens back to Auth0, or an error. Because of the async nature of Node.js, it is important to always call the
callbackfunction or else the script will timeout.
Rules execute in the order shown on the Auth0 Dashboard. If a rule depends on the execution of another rule, move the dependent rule lower in the list.
For security reasons, your Rules code executes isolated from the code of other Auth0 tenants in a sandbox.