Custom MFA Rule (For 2FA)

Unlock multi-factor authentication with seamless DICE ID platform integration to Auth0. Simplify user authentication and enhance security using DICE ID

Login to Auth0 Dashboard

Go to Auth Pipeline --> Rules --> Create

Set name for rule

In script Block - Add following rule (Replace all variables marked in <> with actual values and Add appropriate Flag in else if condition) :

function (user, context, callback) {

    function base64URLEncode(str) {
        return str.toString('base64')
            .replace(/\+/g, '-')
            .replace(/\//g, '_')
            .replace(/=/g, '');

    var code_verifier = base64URLEncode(crypto.randomBytes(32));

    function sha256(buffer) {
        return crypto.createHash('sha256').update(buffer).digest();

    // PKCE standard Code challenge
    var code_challenge = base64URLEncode(sha256(code_verifier));

    if (context.protocol === "redirect-callback") {
        // If Will be executed after else if condition when User will be redirected to the /continue endpoint

        // Calling vcauth API to obtain JWT from code received in callback
        var axios = require('axios');
        var qs = require('qs');
        var jwt_decode = require('jwt-decode');
        var data = qs.stringify({
            'client_id': '<client_id>',
            'code': context.request.query.code,
            'redirect_uri': '<auth0_continue_endpoint>',
            'code_verifier': code_verifier,
            'grant_type': 'authorization_code'
        var config = {
            method: 'post',
            url: 'https://<vcauth_base_url>/vc/connect/token',
            headers: {
            'authority': '<vcauth_base_url>',
            'accept': '*/*',
            'accept-language': 'en-IN,en;q=0.9',
            'cache-control': 'no-cache',
            'content-type': 'application/x-www-form-urlencoded',
            'dnt': '1',
            'origin': '<auth0-base-url>',
            'referer': '<auth0-base-url>'
            data : data

        .then(function (response) {
            console.log("Axios resp: ",JSON.stringify(;

            // Decoding the JWT to obtain user details
            var decoded = jwt_decode(;
            console.log("Decoded: ",decoded);

            // Validation of User data with JWT verification data will be done here
        .catch(function (error) {

    } else if (user.MFA_ENABLED) { // Customize else if condition as needed
        // Else if will be executed before if condition when User will be logging in directly
        context.redirect = {
            url: `https://<vcauth_url>/vc/connect/authorize?pres_req_conf_id=<pres_conf_id>&client_id=<client_id>&redirect_uri=<auth0_continue_endpoint>&response_type=code&scope=openid%20profile%20vc_authn&code_challenge=${code_challenge}&code_challenge_method=S256&response_mode=query`

return callback(null, user, context);

Save the changes and ensure Rule in enabled

Last updated