Docs

Context Object in Rules

The context object stores contextual information about the current authentication transaction, such as the user's IP address, application, or location.

Properties of the context object

The following properties are available for the context object.

context.tenant A string containing the name of the tenant
context.clientID The client id of the application the user is logging in to.
context.clientName The name of the application (as defined on the dashboard).
context.clientMetadata An object for holding other application properties. Its keys and values are strings.
context.connectionID A string containing the connection's unique identifier
context.connection The name of the connection used to authenticate the user (such as: twitter or some-google-apps-domain)
context.connectionStrategy The type of connection. For social connection connectionStrategy === connection. For enterprise connections, the strategy will be waad (Windows Azure AD), ad (Active Directory/LDAP), auth0 (database connections), and so on.
context.connectionOptions An object representing the options defined on the connection. connectionOptions.tenant_domain is a string containing the domain being used for authentication when using an Enterprise connection. connectionOptions.domain_aliases is an array containing the optional domains registered as aliases in addition to the primary domain (specified in the connectionOptions.tenant_domain property).
context.connectionMetadata An object representing metadata defined on the connection. Its keys and values are strings.
context.samlConfiguration An object that controls the behavior of the SAML and WS-Fed endpoints. Useful for advanced claims mapping and token enrichment (only available for samlp and wsfed protocol).
context.protocol

The authentication protocol. Possible values:

  • oidc-basic-profile: most used, web based login
  • oidc-implicit-profile: used on mobile devices and single-page apps
  • oauth2-resource-owner: user/password login typically used on database connections
  • oauth2-resource-owner-jwt-bearer: login using a bearer JWT signed with user's private key
  • oauth2-password: login using the password exchange
  • oauth2-refresh-token: refreshing a token using the Refresh Token exchange
  • samlp: SAML protocol used on SaaS apps
  • wsfed: WS-Federation used on Microsoft products like Office365
  • wstrust-usernamemixed: WS-trust user/password login used on CRM and Office365
  • delegation: when calling the Delegation endpoint
  • redirect-callback: when a redirect rule is resumed
context.stats An object containing specific user stats, like stats.loginsCount. Note that any of the counter variables returned as part of the stats object do not increase during silent authentication (as when prompt=none).
context.sso

This object will contain information about the SSO transaction (if available)

  • with_auth0: when a user signs in with SSO to an application where the Use Auth0 instead of the IdP to do Single Sign On setting is enabled.
  • with_dbconn: an SSO login for a user that logged in through a database connection.
  • current_clients: client IDs using SSO.
context.accessToken An object representing the options defined on the Access Token. accessToken.scope is an array containing permissions in string format and can be used to change the Access Token's returned scopes. You can also use this object to add custom namespaced claims to the Access Token.
context.idToken An object representing the options defined on the ID Token. Used to add custom namespaced claims to the ID Token.
context.original_protocol After a redirect rule has executed and the authentication transaction is resumed, this property will be populated with the original protocol used to initiate the transaction.
context.multifactor An object representing the multifactor settings used in implementing contextual MFA.
context.redirect The object used to implement the redirection of a user from a rule.
context.sessionID An internal identification for the authentication session. Value is kept only if prompt=none is used in the authorization request. Note that the session ID can change after rule execution on other flows, so the value available in context.sessionID might not match the new session ID that the user will receive. This makes this value only meaningful when prompt=none is used.
context.request

An object containing useful information of the request. It has the following properties:

  • userAgent: the user-agent of the application that is trying to log in.
  • ip: the originating IP address of the user trying to log in.
  • hostname: the hostname that is being used for the authentication flow.
  • query: an object containing the querystring properties of the login transaction sent by the application.
  • body: the body of the POST request on login transactions used on oauth2-resource-owner, oauth2-resource-owner-jwt-bearer or wstrust-usernamemixed protocols.
  • geoip: an object containing geographic IP information. It has the following properties:
    • country_code: a two-character code for the country associated with the IP address
    • country_code3: a three-character code for the country associated with the IP address
    • country_name: the country name associated with the IP address
    • city_name: the city or town name associated with the IP address
    • latitude: the latitude associated with the IP address.
    • longitude: the longitude associated with the IP address.
    • time_zone: the timezone associated with the IP address.
    • continent_code: a two-character code for the continent associated with the IP address.
context.primaryUser The unique user id of the primary account for the user. Used to link user accounts from various identity providers.
context.authentication

An object containing information related to the authentication transaction with the following properties:

  • methods: an array of objects containing the authentication methods a user has completed during their session. For example, a user that has completed a password-based authentication followed by MFA may have the following methods:

The method objects will contain the following properties:

  • name: a string representing the name of the authentication method that has been completed. It can be one of the following values (additional values may be supported in the future):
    • federated: a social or enterprise connection was used to authenticate the user
    • pwd: a database connection was used to authenticate the user
    • sms: a Passwordless SMS connection was used to authenticate the user
    • email: a Passwordless Email connection was used to authenticate the user
    • mfa: the user completed a mulifactor authentication
  • timestamp: an integer indicating the time in seconds at which the authentication method took place in Unix Epoch time

You can see a sample use case of the context.authentication.methods property in the Require MFA once per session Rule.

context.authorization

An object containing information related to the authorization transaction with the following properties:

  • roles: an array of strings containing the names of a user's assigned roles. You can see a sample use case using the context.authorization.roles property to add roles to tokens in Sample Use Cases: Rules with Authorization.