Context Object Properties in Rules

The End of Life (EOL) date of Rules and Hooks will be November 18, 2024, and they are no longer available to new tenants created as of October 16, 2023. Existing tenants with active Hooks will retain Hooks product access through end of life.

We highly recommend that you use Actions to extend Auth0. With Actions, you have access to rich type information, inline documentation, and public npm packages, and can connect external integrations that enhance your overall extensibility experience. To learn more about what Actions offer, read Understand How Auth0 Actions Work.

To help with your migration, we offer guides that will help you migrate from Rules to Actions and migrate from Hooks to Actions. We also have a dedicated Move to Actions page that highlights feature comparisons, an Actions demo, and other resources to help you on your migration journey.

To read more about the Rules and Hooks deprecation, read our blog post: Preparing for Rules and Hooks End of Life.

The context object stores contextual information about the current authentication transaction, such as the user's IP address, application, or location.

If you change token content using the context object within a rule, your changes will be available in tokens after all rules have finished running. If your application also requires multifactor authentication or user consent, the user will be prompted before changes in the token are available.

Properties

The following properties are available for the context object.

Property	Description
`context.tenant`	A string containing the name of the tenant.
`context.clientID`	The client id of the application the user is logging in to.
`context.clientName`	The name of the application (as defined on the dashboard).
`context.clientMetadata`	An object for holding other application properties. Its keys and values are strings.
`context.connectionID`	A string containing the connection's unique identifier.
`context.connection`	The name of the connection used to authenticate the user (such as: `twitter` or `some-g-suite-domain`)
`context.connectionStrategy`	The type of connection. For social connection `connectionStrategy` === `connection`. For enterprise connections, the strategy will be `waad` (Windows Azure AD), `ad` (Active Directory/LDAP), `auth0` (database connections), and so on.
`context.connectionOptions`	An object representing the options defined on the connection. `connectionOptions.tenant_domain` is a string containing the domain being used for authentication when using an Enterprise connection. `connectionOptions.domain_aliases` is an array containing the optional domains registered as aliases in addition to the primary domain (specified in the `connectionOptions.tenant_domain` property).
`context.connectionMetadata`	An object representing metadata defined on the connection. Its keys and values are strings.
`context.samlConfiguration`	An object that controls the behavior of the SAML and WS-Fed endpoints. Useful for advanced claims mapping and token enrichment (only available for `samlp` and `wsfed` protocol).
`context.protocol`	The authentication protocol. Possible values: `oidc-basic-profile`: most used, web-based login `oidc-implicit-profile`: used on mobile devices and single-page apps `oauth2-device-code`: transaction using the Device Authorization Flow `oauth2-resource-owner`: user/password login typically used on database connections `oauth2-resource-owner-jwt-bearer`: login using a bearer JWT signed with user's private key `oauth2-password`: login using the password exchange `oauth2-refresh-token`: refreshing a token using the Refresh Token exchange `samlp`: SAML protocol used on SaaS apps `wsfed`: WS-Federation used on Microsoft products like Office365 `wstrust-usernamemixed`: WS-trust user/password login used on CRM and Office365 `delegation`: when calling the Delegation endpoint `redirect-callback`: when a redirect rule is resumed
`context.riskAssessment`	An object containing specific scores (low, medium, high, neutral) for high risk login attempt assessors. See Customize Adaptive MFA with Rules.
`context.stats`	An object containing specific user stats, like `stats.loginsCount`. Note that any of the counter variables returned as part of the `stats` object do not increase during silent authentication (as when `prompt=none`). There are also scenarios where the counter variables might increase yet a rule or set of rules do not execute, as in the case of a successful cross-origin authentication followed by a failed token request.
`context.sso`	This object will contain information about the Single Sign-on (SSO) transaction (if available) `with_auth0`: when a user signs in with SSO to an application where the `Use Auth0 instead of the IdP to do Single Sign-On` setting is enabled (only for legacy tenants). `with_dbconn`: an SSO login for a user that logged in through a database connection. `current_clients`: client IDs using SSO.
`context.accessToken`	An object representing the options defined on the Access Token. You can use this object to add custom namespaced claims to the Access Token. `context.accessToken.scope` can be used to change the Access Token's returned scopes. When provided, it is an array containing permissions in string format. Custom claims will be included in the Access Token after all rules have run.
`context.idToken`	An object representing the options defined on the ID Token. Used to add custom namespaced claims to the ID Token. Custom claims will be included in the ID Token after all rules have run.
`context.multifactor`	An object representing the multifactor settings used in implementing contextual MFA.
`context.redirect`	The object used to implement the redirection of a user from a rule.
`context.sessionID`	An internal identification for the authentication session. Value is kept only if `prompt=none` is used in the authorization request. Note that the session ID can change after rule execution on other flows, so the value available in `context.sessionID` might not match the new session ID that the user will receive. This makes this value only meaningful when `prompt=none` is used.
`context.request`	An object containing useful information of the request. This can also be set to `undefined`. It has the following properties: `userAgent`: the user-agent of the application that is trying to log in. `ip`: the originating IP address of the user trying to log in. We expose IPv6 addresses in our public endpoints (e.g., travel0.us.auth0.com). If a request arrives from a machine that supports IPv6, then this will contain an IPv6 address. If you perform manual IP address manipulation, we suggest you use the ipaddr.js@1.9.0 library. `hostname`: the hostname that is being used for the authentication flow. `query`: an object containing the querystring properties of the login transaction sent by the application. `body`: the body of the POST request on login transactions used on `oauth2-resource-owner`, `oauth2-resource-owner-jwt-bearer` or `wstrust-usernamemixed` protocols. `geoip`: an object containing geographic IP information. It has the following properties: `country_code`: a two-character code for the country associated with the IP address. `country_code3`: a three-character code for the country associated with the IP address. `country_name`: the country name associated with the IP address. `city_name`: the city or town name associated with the IP address. `latitude`: the latitude associated with the IP address. `longitude`: the longitude associated with the IP address. `time_zone`: the timezone associated with the IP address. `continent_code`: a two-character code for the continent associated with the IP address. `subdivision_code`: the ISO 3166-2 code for the top-level subdivision/region. `subdivision_name`: The English name of this subdivision/region.
`context.primaryUser`	The unique user id of the primary account for the user. Used to link user accounts from various identity providers.
`context.authentication`	An object containing information related to the authentication transaction with the following properties: `methods`: an array of objects containing the authentication methods a user has completed during their session. For example, a user that has completed a password-based authentication followed by MFA may have the following methods: `[ { "name": "pwd", "timestamp": 1434454643024 }, { "name": "mfa", "timestamp": 1534454643881 } ]` Was this helpful? / The method objects will contain the following properties: `name`: a string representing the name of the authentication method that has been completed. It can be one of the following values (additional values may be supported in the future): `federated`: a social or enterprise connection was used to authenticate the user `pwd`: a database connection was used to authenticate the user `sms`: a Passwordless SMS connection was used to authenticate the user `email`: a Passwordless Email connection was used to authenticate the user `mfa`: the user completed a multi-factor authentication `timestamp`: an integer indicating the time in seconds at which the authentication method took place in Unix Epoch time You can see a sample use case of the `context.authentication.methods` property in the Require MFA once per session Rule.
`context.authorization`	An object containing information related to the authorization transaction with the following properties: `roles`: an array of strings containing the names of a user's assigned roles. You can see a sample use case using the `context.authorization.roles` property to add roles to tokens in Sample Use Cases: Rules with Authorization.
`context.organization`	Object containing information related to the organization. Includes the following properties: `id`: String containing the ID of the organization with which the user is logging in. `name`: String containing the name of the organization (as defined in the Auth0 Dashboard). `metadata`: Dictionary of string key/value pairs containing other organization properties.

Customize

Context Object Properties in Rules

Properties

Learn more