Unlock multi-factor authentication with seamless DICE ID platform integration to Auth0. Simplify user authentication and enhance security using DICE ID
In the script block, add the following rule (replace all variables marked in <> with actual values, and adjust the flag checked in the `else if` condition to your own tenant's marker):
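function diceIdMfaRule(user, context, callback) {
  // Auth0 rule: use DICE ID (vcauth) as a second factor via OAuth2 authorization-code + PKCE.
  //
  // The rule executes twice per login:
  //   1. first pass  - the user is logging in directly; build the vcauth authorize redirect.
  //   2. second pass - context.protocol === 'redirect-callback', after vcauth sent the user
  //      back to the /continue endpoint; exchange the returned code for tokens.
  // `callback` is invoked only once the current pass has finished, so a failed or missing
  // exchange denies the login instead of letting it through while the request is in flight.
  // Replace every <placeholder> with the real value before deploying.
  //
  // `crypto`, `auth0` (Management API client) and `UnauthorizedError` are globals of the
  // Auth0 rules sandbox; `axios` and `jwt-decode` are loaded on demand on the second pass.

  // app_metadata key that carries the PKCE verifier from the first pass to the second.
  // Each pass is a fresh execution, so a verifier generated here must be persisted —
  // regenerating it on the callback pass can never match the challenge sent in pass 1.
  const METADATA_KEY = 'dice_pkce_verifier';

  // Unpadded base64url (RFC 4648 §5), the encoding PKCE requires for verifier and challenge.
  function base64URLEncode(buf) {
    return buf
      .toString('base64')
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=/g, '');
  }

  function sha256(input) {
    return crypto.createHash('sha256').update(input).digest();
  }

  // Fail closed: the login is rejected with a message the Auth0 client receives.
  // Only `err.message` / the token endpoint's error body are logged, never the full
  // axios error (its config would contain the code and verifier).
  function deny(message, err) {
    if (err) {
      console.log(message, err.message, err.response && err.response.data);
    }
    return callback(new UnauthorizedError(message));
  }

  // Pass 1: generate PKCE material, persist the verifier, redirect to vcauth.
  function startRedirect() {
    // 32 random bytes -> 43 base64url chars, within the 43..128 range of RFC 7636.
    const codeVerifier = base64URLEncode(crypto.randomBytes(32));
    // S256 challenge = base64url(sha256(verifier)).
    const codeChallenge = base64URLEncode(sha256(codeVerifier));

    user.app_metadata = user.app_metadata || {};
    user.app_metadata[METADATA_KEY] = codeVerifier;

    context.redirect = {
      url: `https://<vcauth_url>/vc/connect/authorize?pres_req_conf_id=<pres_conf_id>&client_id=<client_id>&redirect_uri=<auth0_continue_endpoint>&response_type=code&scope=openid%20profile%20vc_authn&code_challenge=${codeChallenge}&code_challenge_method=S256&response_mode=query`
    };

    // Continue only once the verifier is stored; otherwise pass 2 could never complete.
    auth0.users
      .updateAppMetadata(user.user_id, user.app_metadata)
      .then(() => callback(null, user, context))
      .catch((err) => callback(err));
  }

  // Pass 2: exchange the callback code for tokens using the persisted verifier.
  function completeExchange() {
    const query = (context.request && context.request.query) || {};
    const codeVerifier = user.app_metadata && user.app_metadata[METADATA_KEY];

    if (typeof query.code !== 'string' || query.code === '') {
      return deny('DICE ID authorization code missing from callback');
    }
    if (typeof codeVerifier !== 'string' || codeVerifier === '') {
      return deny('No pending DICE ID authentication for this user');
    }

    const axios = require('axios');
    const jwtDecode = require('jwt-decode');

    // application/x-www-form-urlencoded body; URLSearchParams encodes every value.
    const form = new URLSearchParams({
      client_id: '<client_id>',
      code: query.code,
      redirect_uri: '<auth0_continue_endpoint>',
      code_verifier: codeVerifier,
      grant_type: 'authorization_code'
    }).toString();

    const config = {
      method: 'post',
      url: 'https://<vcauth_base_url>/vc/connect/token',
      // Browser-capture headers (authority, dnt, accept-language, cache-control) were dropped;
      // this is a server-to-server call. origin/referer are kept in case vcauth checks them.
      headers: {
        accept: '*/*',
        'content-type': 'application/x-www-form-urlencoded',
        origin: '<auth0-base-url>',
        referer: '<auth0-base-url>'
      },
      data: form
    };

    axios(config)
      .then((response) => {
        const idToken = response.data && response.data.id_token;
        if (!idToken) {
          throw new Error('token response did not contain id_token');
        }
        // jwt-decode only parses the token; it does NOT check the signature. Before the
        // factor is treated as satisfied, verify the id_token (signature against the vcauth
        // keys, iss, aud, exp) and bind its subject to `user` — TODO(integration): the
        // "Validation of User data with JWT verification data" step belongs here.
        const decoded = jwtDecode(idToken);
        console.log('Decoded subject: ', decoded && decoded.sub);

        // One-time use: clear the verifier. app_metadata updates merge by key, so the
        // property must be set to null rather than deleted to remove it server-side.
        user.app_metadata[METADATA_KEY] = null;
        return auth0.users.updateAppMetadata(user.user_id, user.app_metadata);
      })
      .then(() => callback(null, user, context))
      .catch((err) => deny('DICE ID authentication failed', err));
  }

  try {
    if (context.protocol === 'redirect-callback') {
      return completeExchange();
    }
    if (user.MFA_ENABLED) { // Customize this condition as needed
      return startRedirect();
    }
    // MFA not required for this user: pass through unchanged.
    return callback(null, user, context);
  } catch (err) {
    // Any unexpected exception fails the login rather than escaping the sandbox.
    return callback(err);
  }
}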