Use Akamai Supplemental Signals in Actions
Before you start
To use Akamai supplemental signals in Actions, you must:
If you have configured Akamai as a reverse proxy and set it up to send supplemental signals to Auth0, you can use the data provided in those signals in Auth0 Actions.
Supplemental signal object schemas
The akamaiBot and akamaiUserRisk objects contain multiple properties you can use to customize your authentication flow.
akamaiBot
The akamaiBot object contains information provided by Akamai Bot Manager.

Property | Data type | Description | Example |
---|---|---|---|
action | String | The action Akamai Bot Manager took for the request. | Monitor |
botCategory | Array of strings | The bot category (or categories) Bot Manager assigned to the request. | ["Web Search Engine Bots"] |
botScore | Number | The bot score Bot Manager computed for the request. | 90 |
botScoreResponseSegment | String | The response segment the bot score falls into. | aggressive |
botnetId | String | The botnet ID Bot Manager associated with the request. | googlebot |
type | String | The bot type Bot Manager assigned to the request. | Akamai-Categorized Bot |
akamaiUserRisk
The akamaiUserRisk object contains information provided by Akamai Account Protector.

Property | Data type | Description | Example |
---|---|---|---|
action | String | The action Account Protector took for the request. | monitor |
allow | Number | The allowed status of the user risk assessment. | 0 |
emailDomain | String | The email domain of the user. | example.com |
general | String | The general attributes of the user risk assessment. | { aci: "0", db: "Chrome 85", di: "0fc91b5ec42f5a471c16a85e3e388ca57697c1a9", do: "Mac OS X 10" } |
ouid | String | The OUID of the user. | m534264 |
requestid | String | The request ID of the assessment. | 19e22e |
risk | String | The risk attributes of the user risk assessment. | { ugp: "ie/M", unp: "432/H" } |
score | Number | The user risk score of the assessment. | 0 |
status | Number | The status of the user risk assessment. | 4 |
trust | String | The trust attributes of the user risk assessment. | { udbp: "Chrome85", udfp: "25ba44ec3b391ba4ce5fbbd2979635e254775werwe", udop: "Mac OS X 10", ugp: "FR", unp: "12322", utp: "weekday_3" } |
username | String | The username of the user. | testuser@example.com |
uuid | String | The UUID of the user risk assessment. | 86b37525-8047-4a3c-8d7a-23e99666da05 |

Note that general, risk, and trust are typed as strings even though their example values have key/value structure; treat them as opaque strings in an Action unless you parse them first.
Supported supplemental signals by Action trigger
Trigger | Supplemental signal object(s) | Event object |
---|---|---|
Login | akamaiBot, akamaiUserRisk | authentication.riskAssessment.supplemental.akamai |
Pre-User Registration | None | N/A |
Post-User Registration | None | N/A |
Send Phone Message | None | N/A |
Post-Challenge | None | N/A |
Post-Change Password | None | N/A |
Credentials Exchange | None | N/A |
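The following is an added example, not code from this page or from Auth0: it factors the reading of the signals above into a pure policy function that can be unit-tested outside the Actions runtime, with a small recording stand-in for the Actions api object. The thresholds, the decision names, the denyWhenSignalsAbsent option, the createRecordingApi and makeEvent helpers, and the fixture values are all assumptions made for illustration. It also handles a case the page's snippets do not: a login that carries no Akamai signals at all, which happens when the request did not come through the Akamai reverse proxy and should not be mistaken for a low-risk login.

```javascript
// Added example (not from the Auth0 page): a pure policy over the Akamai supplemental
// signals plus a recording stub for the Actions `api` object, so the policy can be
// tested offline. Thresholds, option names, helpers and fixture values are assumptions.

const RISK_THRESHOLD = 90; // akamaiUserRisk.score at or above this: revoke the session
const BOT_THRESHOLD = 90;  // akamaiBot.botScore at or above this: step up to MFA

// Signals originate from HTTP headers, so coerce defensively: a finite number or null.
function asNumber(value) {
  if (value === null || value === undefined || value === '') return null;
  const n = typeof value === 'number' ? value : Number(value);
  return Number.isFinite(n) ? n : null;
}

// Decide what to do with one post-login event. Returns { decision, reason }; the
// decision names ('revoke', 'mfa', 'allow', 'no_signals') are this example's own.
function evaluateAkamaiSignals(event) {
  const akamai = event?.authentication?.riskAssessment?.supplemental?.akamai;
  if (!akamai) {
    // Absent signals mean the request did not arrive via the Akamai reverse proxy
    // (or the proxy is not forwarding them). That is a different state from "low risk".
    return { decision: 'no_signals', reason: 'Akamai supplemental signals absent' };
  }
  const risk = asNumber(akamai.akamaiUserRisk?.score);
  const bot = asNumber(akamai.akamaiBot?.botScore);
  if (risk !== null && risk >= RISK_THRESHOLD) {
    return { decision: 'revoke', reason: `akamaiUserRisk.score ${risk} >= ${RISK_THRESHOLD}` };
  }
  if (bot !== null && bot >= BOT_THRESHOLD) {
    return { decision: 'mfa', reason: `akamaiBot.botScore ${bot} >= ${BOT_THRESHOLD}` };
  }
  return { decision: 'allow', reason: 'scores below thresholds' };
}

// Apply a decision through the Actions api. `denyWhenSignalsAbsent` is an assumed
// deployment option: set it when Auth0 should only ever be reached through Akamai,
// so a login with no signals indicates a proxy bypass rather than a benign request.
function applyDecision(event, api, options = {}) {
  const result = evaluateAkamaiSignals(event);
  switch (result.decision) {
    case 'revoke':
      api.session.revoke(result.reason);
      break;
    case 'mfa':
      api.multifactor.enable('any', { allowRememberBrowser: false });
      break;
    case 'no_signals':
      if (options.denyWhenSignalsAbsent) api.access.deny(result.reason);
      break;
    default:
      break; // 'allow': nothing to do
  }
  return result;
}

// In a deployed Action this would be assigned to `exports.onExecutePostLogin`.
const onExecutePostLogin = async (event, api) => {
  applyDecision(event, api, { denyWhenSignalsAbsent: false });
};

// Minimal stand-in for the Actions `api` object that records the calls it receives,
// so a test can assert on what the Action would have done.
function createRecordingApi() {
  const calls = [];
  const record = (name) => (...args) => { calls.push([name, ...args]); };
  return {
    calls,
    session: { revoke: record('session.revoke') },
    multifactor: { enable: record('multifactor.enable') },
    access: { deny: record('access.deny') },
    user: { setAppMetadata: record('user.setAppMetadata') },
  };
}

// Constructed fixture (not a captured event) shaped like the event fragment documented above.
function makeEvent(akamai) {
  return { authentication: { riskAssessment: { supplemental: { akamai } } } };
}

// Demo run when executed directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  const api = createRecordingApi();
  applyDecision(makeEvent({ akamaiUserRisk: { score: 95 }, akamaiBot: { botScore: 10 } }), api);
  applyDecision(makeEvent({ akamaiBot: { botScore: '92' } }), api);
  applyDecision({}, api, { denyWhenSignalsAbsent: true });
  console.log(api.calls);
}
```

Keeping the threshold logic in evaluateAkamaiSignals and the side effects in applyDecision means the policy can be exercised against constructed events before it is deployed, and a change to a threshold is a one-line diff with a test behind it.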
Use cases
Revoke a session based on Akamai Account Protector results
Here's an example of how you could revoke a session based on the akamaiUserRisk.score property:

```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Supplemental signals are only present when the request came through the Akamai proxy.
  const userRisk = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiUserRisk;
  // Coerce before comparing: a missing score becomes NaN and fails the check safely.
  const score = Number(userRisk?.score);
  if (Number.isFinite(score) && score >= 90) {
    console.log('User is deemed high risk.');
    // Revoke the session cookies to deny the login (see the note on revoke vs. deny below).
    api.session.revoke('Session revoked: user risk score is 90 or higher.');
  }
};
```
Note the use of the api.session.revoke method rather than api.access.deny. Using revoke ensures that if the user refreshes the application, the Akamai supplemental signals are sent again with the authentication request and the Login trigger flow is executed.
Prompt multi-factor authentication (MFA) based on Akamai Bot Manager results
Here's an example of how you could enforce MFA based on the akamaiBot.botScore property.
Enforce MFA
This Action performs two tasks:
Update app metadata: If the botScore property is at or above a specified value, record that MFA is required for the session.
Require MFA: If the botScore property is at or above a specified value, or if there is a record in the app metadata indicating MFA is required for the session, enforce MFA.

```javascript
exports.onExecutePostLogin = async (event, api) => {
  const bot = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiBot;
  // Coerce before comparing: a missing botScore becomes NaN and fails the check safely.
  const botScore = Number(bot?.botScore);
  const highBotScore = Number.isFinite(botScore) && botScore >= 90;
  const sessionKey = `mfa_required_${event.session?.id}`;

  if (highBotScore) {
    // Record that MFA is required for this session.
    console.log(`Setting app metadata for session id: ${event.session?.id}`);
    api.user.setAppMetadata(sessionKey, true);
  }
  // app_metadata may be absent for a user that has never had any set.
  if (highBotScore || event.user.app_metadata?.[sessionKey]) {
    console.log(`Requiring MFA for session id: ${event.session?.id}`);
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};
```
Clean up app metadata
This Action removes session-specific MFA information from app metadata after the user completes MFA successfully.
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // event.authentication.methods lists how the user authenticated; an entry named 'mfa'
  // means the MFA challenge was completed.
  const mfaCompleted = event.authentication?.methods?.some((method) => method.name === 'mfa');
  if (mfaCompleted) {
    console.log(`Removing MFA requirement for session id: ${event.session?.id}`);
    // Setting the value to null removes the property from app_metadata.
    api.user.setAppMetadata(`mfa_required_${event.session?.id}`, null);
  }
};
```