Supplemental Signals is available for Enterprise customers, and you must request the Attack Protection Add-on. Contact Auth0 Sales for more information.

Before you start

To use Akamai Supplemental Signals in Actions, you must have configured Akamai as a reverse proxy in front of Auth0 and set it up to send Supplemental Signals to Auth0. Once that is in place, the data carried in those signals is available to your Auth0 Actions through the event object.

Supported Supplemental Signals by Action trigger

Trigger                  Supplemental Signal objects   Event object
Login                    akamaiBot, akamaiUserRisk     event.authentication.riskAssessment.supplemental.akamai
Pre-User Registration    akamaiBot, akamaiUserRisk     event.authentication.riskAssessment.supplemental.akamai
Post-User Registration   akamaiBot, akamaiUserRisk     event.authentication.riskAssessment.supplemental.akamai
Send Phone Message       None                          N/A
Post-Challenge           akamaiBot, akamaiUserRisk     event.authentication.riskAssessment.supplemental.akamai
Post-Change Password     akamaiBot, akamaiUserRisk     event.authentication.riskAssessment.supplemental.akamai
Credentials Exchange     None                          N/A
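The table above gives the event path at which the Akamai objects appear, and the triggers on which they are absent. The following is an added example, not code from the Auth0 page: it reads both objects off that path, validates the score fields, and reduces them to one decision, including the case where no signal is present at all (a request that did not pass through the Akamai reverse proxy, or a trigger that carries none). The threshold values, the assumption that scores are numbers from 0 to 100 with higher meaning riskier, and the choice to fail closed on a missing signal are all illustrative assumptions, not Akamai or Auth0 documentation; whether failing closed is right depends on whether every login path is forced through the proxy.

```javascript
// Added example (not from the Auth0 page). Assumptions, labelled: scores are
// numbers 0-100, higher is riskier; thresholds are illustrative.
const POLICY = {
  revokeAt: 90,          // akamaiUserRisk.score at or above this: revoke the session
  mfaAt: 60,             // akamaiUserRisk.score at or above this: require MFA
  botMfaAt: 80,          // akamaiBot.score at or above this: require MFA
  denyWhenMissing: true, // fail closed when no Akamai signal is on the request
};

// Accept only finite numbers in range; anything else becomes "no score", so a
// malformed or missing field can never be read as "low risk".
function toScore(value) {
  if (value === null || value === undefined) return null;
  const n = Number(value);
  return Number.isFinite(n) && n >= 0 && n <= 100 ? n : null;
}

// Returns null when the supplemental.akamai object is absent from the event.
function readAkamaiSignals(event) {
  const akamai = event?.authentication?.riskAssessment?.supplemental?.akamai;
  if (!akamai) return null;
  return {
    userRiskScore: toScore(akamai.akamaiUserRisk?.score),
    botScore: toScore(akamai.akamaiBot?.score),
  };
}

// Reduces the signals to one of: revoke, mfa, deny, allow.
function decide(event, policy = POLICY) {
  const signals = readAkamaiSignals(event);
  if (!signals || (signals.userRiskScore === null && signals.botScore === null)) {
    const reason = 'no usable Akamai signal on this request';
    return { action: policy.denyWhenMissing ? 'deny' : 'allow', reason };
  }
  const { userRiskScore, botScore } = signals;
  if (userRiskScore !== null && userRiskScore >= policy.revokeAt) {
    return { action: 'revoke', reason: `akamaiUserRisk.score ${userRiskScore} >= ${policy.revokeAt}` };
  }
  if ((userRiskScore !== null && userRiskScore >= policy.mfaAt) ||
      (botScore !== null && botScore >= policy.botMfaAt)) {
    return { action: 'mfa', reason: `akamaiUserRisk.score ${userRiskScore}, akamaiBot.score ${botScore}` };
  }
  return { action: 'allow', reason: 'scores below thresholds' };
}

// Post-login handler applying the decision; in an Action this is what you
// would assign to exports.onExecutePostLogin.
function onExecutePostLogin(event, api) {
  const { action, reason } = decide(event);
  switch (action) {
    case 'revoke':
      // Revoke rather than deny, so a refresh re-runs the flow with fresh signals.
      api.session.revoke(reason);
      break;
    case 'mfa':
      api.multifactor.enable('any', { allowRememberBrowser: false });
      break;
    case 'deny':
      api.access.deny(reason);
      break;
    default:
      break; // allow
  }
}

// Constructed test event (not real Akamai output); pass null for "no signal".
function sampleEvent(akamai) {
  return { authentication: akamai ? { riskAssessment: { supplemental: { akamai } } } : {} };
}
```

The handler deliberately separates the policy (`decide`, a pure function you can unit-test) from the side effects on `api`, so the thresholds can be tuned and tested without deploying an Action.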

Supplemental Signal object schemas

The akamaiBot and akamaiUserRisk objects contain multiple properties you can use to customize your authentication flow.
  • akamaiBot (object)
  • akamaiUserRisk (object)

Use cases

Here’s an example of how you could revoke a session based on the akamaiUserRisk.score property:
exports.onExecutePostLogin = async (event, api) => {
  // The Akamai objects are only present when the request came through the Akamai reverse proxy.
  const userRisk = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiUserRisk;
  const score = userRisk?.score;

  if (typeof score === 'number' && score >= 90) {
    console.log('User is deemed high risk.');
    // Revoke the session cookies to deny this login; a refresh re-runs the flow with fresh signals.
    api.session.revoke('Session revoked: user risk score is 90 or higher.');
  }
};

Note the use of the api.session.revoke method rather than api.access.deny. With revoke, if the user refreshes the application, a new authentication request is made, the Akamai Supplemental Signals are sent again with it, and the post-login Action flow is triggered again, so the decision is re-evaluated against fresh signals instead of a cached denial.
Here's an example of how you could enforce MFA based on the akamaiUserRisk.score property (the same pattern applies to akamaiBot.score).

Enforce MFA

This Action performs two tasks:
  1. Update app metadata: If the score property is at or above a specified value, record in the user's app metadata, keyed by session id, that MFA is required for this session.
  2. Require MFA: If the score property is at or above that value, or if the app metadata already records that MFA is required for this session, enforce MFA.
exports.onExecutePostLogin = async (event, api) => {
  const userRisk = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiUserRisk;
  const score = userRisk?.score;
  const isHighRisk = typeof score === 'number' && score >= 90;
  // Key the requirement to this session so it survives a refresh but does not leak into other sessions.
  const mfaKey = `mfa_required_${event.session?.id}`;

  if (isHighRisk) {
    console.log(`Setting app metadata for session id: ${event.session?.id}`);
    api.user.setAppMetadata(mfaKey, true);
  }

  // Metadata written above is not visible in event.user during this run, hence the OR with isHighRisk.
  if (isHighRisk || event.user.app_metadata?.[mfaKey]) {
    console.log(`Requiring MFA for session id: ${event.session?.id}`);
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};

Clean up app metadata

This Action removes session-specific MFA information from app metadata after the user completes MFA successfully.
exports.onExecutePostLogin = async (event, api) => {
  // event.authentication.methods lists how the user authenticated; an 'mfa' entry means the challenge was completed.
  const mfaMethod = event.authentication?.methods?.find((method) => method.name === 'mfa');

  if (mfaMethod) {
    console.log(`Removing MFA requirement for session id: ${event.session?.id}`);
    // Setting the session-specific key to undefined removes it from app metadata.
    api.user.setAppMetadata(`mfa_required_${event.session?.id}`, undefined);
  }
};
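The two Actions above (Enforce MFA and Clean up app metadata) only make sense together, across more than one pass through the post-login flow. The following is an added example, not code from the Auth0 page: an offline simulation of that lifecycle using an in-memory stand-in for the Actions `api` object that records calls instead of changing anything in Auth0. The events are constructed test data, not real Akamai output. Two modelling assumptions are mine rather than the page's: metadata writes become visible in `event.user.app_metadata` only on the next run of the flow, and setting a key to undefined removes it. The enforcement function also adds one guard the page's Action does not have: once `methods` already contains 'mfa', no further step-up is requested.

```javascript
// Added example (not from the Auth0 page): simulate the Enforce MFA and
// Clean up app metadata Actions over several passes of the post-login flow.
const HIGH_RISK = 90;

// Stand-in for the Actions api object: records calls, applies metadata on commit.
function makeFakeApi(user) {
  const calls = [];
  const pending = {};
  return {
    calls,
    user: {
      setAppMetadata(key, value) {
        pending[key] = value;
        calls.push(['setAppMetadata', key, value]);
      },
    },
    multifactor: {
      enable(provider, options) { calls.push(['multifactor.enable', provider, options]); },
    },
    session: {
      revoke(reason) { calls.push(['session.revoke', reason]); },
    },
    // Modelling assumption: metadata writes take effect after the Action finishes.
    commit() {
      for (const [key, value] of Object.entries(pending)) {
        if (value === undefined) delete user.app_metadata[key];
        else user.app_metadata[key] = value;
      }
    },
  };
}

function mfaCompleted(event) {
  return (event.authentication?.methods ?? []).some((m) => m.name === 'mfa');
}

// Same logic as the Enforce MFA Action, plus: no step-up once MFA is already done.
function enforceMfa(event, api) {
  if (mfaCompleted(event)) return;
  const score = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiUserRisk?.score;
  const isHighRisk = typeof score === 'number' && score >= HIGH_RISK;
  const key = `mfa_required_${event.session?.id}`;
  if (isHighRisk) api.user.setAppMetadata(key, true);
  if (isHighRisk || event.user.app_metadata?.[key]) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}

// Same logic as the Clean up app metadata Action.
function cleanupMfa(event, api) {
  if (mfaCompleted(event)) {
    api.user.setAppMetadata(`mfa_required_${event.session?.id}`, undefined);
  }
}

// Constructed event; score null means Akamai sent no signal on this request.
function makeEvent(user, sessionId, score, methods) {
  const riskAssessment = score === null
    ? undefined
    : { supplemental: { akamai: { akamaiUserRisk: { score } } } };
  return { user, session: { id: sessionId }, authentication: { methods, riskAssessment } };
}

// One pass through the post-login flow; returns the names of the api calls made, in order.
function runFlow(event) {
  const api = makeFakeApi(event.user);
  enforceMfa(event, api);
  cleanupMfa(event, api);
  api.commit();
  return api.calls.map((call) => call[0]);
}

// Three passes for one session: high-risk login, refresh with a low score, MFA completed.
function simulate() {
  const user = { user_id: 'auth0|example', app_metadata: {} };
  const pwd = [{ name: 'pwd' }];
  const trace = [
    runFlow(makeEvent(user, 'sess_1', 95, pwd)),                       // requirement recorded, MFA requested
    runFlow(makeEvent(user, 'sess_1', 10, pwd)),                       // low score, recorded requirement still forces MFA
    runFlow(makeEvent(user, 'sess_1', 10, [...pwd, { name: 'mfa' }])), // MFA done, requirement removed
  ];
  return { trace, metadata: { ...user.app_metadata } };
}
```

The second pass is the point of writing the requirement to app metadata at all: a refresh that happens to score low cannot shed a step-up that an earlier high-risk pass demanded. Because the key carries the session id, a different session of the same user is not affected, which the test below also checks.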