Mark the current token exchange as denied.If the request is being denied due to an invalid subject token, we recommend that api.access.rejectInvalidSubjectToken be used instead,
to distinguish between brute force attempts on the subject token, and other reasons to deny the request.
A human-readable explanation for rejecting the token exchange request.
Report incorrect code
Copy
Ask AI
exports.onExecuteCustomTokenExchange = async (event, api) => { // 1. Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // 2. Apply your authorization policy on the user const isAuthorized = await authorizeAccess(subject_token.sub); if (!isAuthorized) { api.access.deny('Unauthorized_login', 'User cannot login due to reason: X'); } // if user is authorized, go on as indicated here};
Mark the provided subject token from the request as invalid. This will cause the request to be
rejected with an “invalid_request” error code.This will signal to the Attack Protection features that an invalid subject token has been provided,
so that protections to prevent brute force attacks on the subject token can be applied.
A human-readable explanation for rejecting the token exchange request.
Report incorrect code
Copy
Ask AI
exports.onExecuteCustomTokenExchange = async (event, api) => { try { // Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // set the user for the transaction api.authentication.setUserById(subject_token.id); } catch (error) { if (error.message === 'Invalid Token') { // If specifically the problem is the subject_token is invalid console.error('Invalid Token error'); api.access.rejectInvalidSubjectToken('Invalid subject_token'); } else { // if there is any other unexpected error, throw a server error throw error; } }};
Indicate the user corresponding to the subject_token, by providing the userId. The token exchange request will issue tokens for this user.
This must be an existing user.
Note: Exactly one of api.authentication.setUserByConnection api.authentication.setUserById must be called by the Custom Token Exchange action.
exports.onExecuteCustomTokenExchange = async (event, api) => { // 1. Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // 2. Apply your authorization policy on the user const isAuthorized = await authorizeAccess(subject_token.sub); if (!isAuthorized) { api.access.deny('Unauthorized_login', 'User cannot login due to reason: X'); } // 3. Set the user for the transaction api.authentication.setUserById(subject_token.sub); return;};
Indicate the user corresponding to the subject_token, by providing a connection and user attributes.
The token exchange request will issue tokens for this user.This can be either an existing user, or a new user. If the user does not exist, it will be created.
The user_id property of the user_profile will be used to determine if the user already exists.Note: Exactly one of api.authentication.setUserByConnection api.authentication.setUserById must be called by the Custom Token Exchange action.
The user’s profile attributes, including user_id, and optionally other attributes such as email, name, etc.The user_id field is required, and should be the unique identifier of the user within the connection;
this will be used to determine if the user exists or should be created. In existing users, this user_id
can be found by inspecting the identities array of the normalized user profile.If the user already exists, the following user attributes cannot be updated: email, email_verified, phone, phone_verified, username.
If these do not match the existing user, an error will be returned.
Whether this email address is verified (true) or unverified (false). User will receive a verification email after creation if email_verified is false or not specified.
Options to control the behavior of the setUserByConnection command.
creationBehavior - behavior to apply if no user with the specified user_id exists in the connection.
Can be ‘create_if_not_exists’, which will cause a new user to be created using the supplied user attributes;
or ‘none’, which will result in no user being created and an error being returned if no user exists.
updateBehavior - Behavior to apply if a user with specified user_id already exists in the connection.
Can be ‘replace’, which results in the existing user’s attributes being replaced with the specified
user attributes; or ‘none’ which means the existing user will not be modified.
Behaviour to apply if no user with the specified user_id exists in the connection. Can be ‘create_if_not_exists’, which will cause a new user to be created using the supplied user attributes; or ‘none’, which will result in no user being created and an error being returned if no user exists.Allowed values: create_if_not_exists, none
Behaviour to apply if a user with specified user_id already exists in the connection. Can be ‘replace’, which results in the existing user’s attributes being replaced with the specified user attributes; or ‘none’ which means the existing user will not be modified.Allowed values: none, replace
Set user by connection with full profile attributes
Report incorrect code
Copy
Ask AI
exports.onExecuteCustomTokenExchange = async (event, api) => { // 1. Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // 2. Apply your authorization policy on the user const isAuthorized = await authorizeAccess(subject_token.sub); if (!isAuthorized) { api.access.deny('Unauthorized_login', 'User cannot login due to reason: X'); } // 3. Set the user for the transaction api.authentication.setUserByConnection( 'My Connection', { user_id: subject_token.sub, email: subject_token.email, email_verified: subject_token.email_verified, phone_number: subject_token.phone_number, phone_verified: subject_token.phone_number_verified, username: subject_token.preferred_username, name: subject_token.name, given_name: subject_token.given_name, family_name: subject_token.family_name, nickname: subject_token.nickname, verify_email: false }, { creationBehavior: 'create_if_not_exists', updateBehavior: 'none' } ); return;};
The ID or name of the organization to set for the user.
Report incorrect code
Copy
Ask AI
exports.onExecuteCustomTokenExchange = async (event, api) => { // 1. Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // 2. Apply your authorization policy on the user const isAuthorized = await authorizeAccess(subject_token.sub); if (!isAuthorized) { api.access.deny('Unauthorized_login', 'User cannot login due to reason: X'); } // 3. Set the organization for the transaction api.authentication.setOrganization('org_xS525r979AS33MSf'); // 4. Set the user for the transaction. You may also use setUserByConnection() api.authentication.setUserById(subject_token.sub); return;};
The value of the metadata property. This may be set to null to remove the
metadata property.
Report incorrect code
Copy
Ask AI
exports.onExecuteCustomTokenExchange = async (event, api) => { // Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // set the user for the transaction api.authentication.setUserById(subject_token.id); // set user group based on info contained in subject_token api.user.setAppMetadata('group', subject_token.group); return;};
The value of the metadata property. This may be set to null to remove the
metadata property.
Report incorrect code
Copy
Ask AI
exports.onExecuteCustomTokenExchange = async (event, api) => { // Validate subject_token const subject_token = await validateToken(event.transaction.subject_token, jwksUri); // set the user for the transaction api.authentication.setUserById(subject_token.id); // set user preferred_locale based on info contained in subject_token api.user.setUserMetadata('preferred_locale', subject_token.locale); return;};
Retrieve a record describing a cached value at the supplied key,
if it exists. If a record is found, the cached value can be found
at the value property of the returned object.
Store or update a string value in the cache at the specified key.Values stored in this cache are scoped to the Trigger in which they
are set. They are subject to the Actions Cache Limits.Values stored in this way will have lifetimes of up to the specified
ttl or expires_at values. If no lifetime is specified, a default of
lifetime of 24 hours will be used. Lifetimes may not exceed the maximum
duration listed at Actions Cache Limits.Important: This cache is designed for short-lived, ephemeral data. Items may not be
available in later transactions even if they are within their supplied their lifetime.
The absolute expiry time in milliseconds since the unix epoch.
While cached records may be evicted earlier, they will
never remain beyond the the supplied expires_at.Note: This value should not be supplied if a value was also
provided for ttl. If both options are supplied, the
earlier expiry of the two will be used.
The time-to-live value of this cache entry in milliseconds.
While cached values may be evicted earlier, they will
never remain beyond the the supplied ttl.Note: This value should not be supplied if a value was also
provided for expires_at. If both options are supplied, the
earlier expiry of the two will be used.
