Auth0 integration

DataDome Account Protect detects account takeover threats and fake registration and protects you against them.

Prerequisites for Account protect

Account protect is separate from bot management and will not be available on your account by default. Please contact your account team to enable it.
This service requires a dedicated API key, which will be available on your dashboard once it is enabled.

Main Concepts

By setting up the Auth0 integration, DataDome can collect more business data (email, social ID, ...) during the authentication and registration process, and can therefore detect account takeovers and fake account creation. Insights about this detection are available in the Account Protect Dashboard.

Installation

Step 1: Configure Auth0 to send successful Login events to DataDome Account Protect

  • Connect to Auth0 Console
  • Go to Actions > Library and Click on Create Action > Build from scratch

  • Enter the name Account Protect - Login, select the trigger Login / Post Login and the runtime Node 18, then click on Create

  • Copy / Paste the following code

Replace FRAUD_API_KEY (line 37) with your Account Protect key, available in your Dashboard.

const axios = require('axios');

/**
 * Handler that will be called during the execution of a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Skip silent-auth (prompt=none) and refresh-token exchanges: they are not interactive logins, so they are not sent to Athos
  if (event.request.query?.prompt === 'none' || event.transaction?.protocol === 'oauth2-refresh-token') {
    return;
  }

  const payload = {
    event: "login",
    account: event.user.email ?? event.user.user_id, // fall back to the user id when no email is available
    status: "succeeded",
    module: {
      requestTimeMicros: new Date().getTime() * 1000, // epoch time in microseconds
      name: "Fraud SDK Auth0",
      version: "1"
    },
    header: {
      addr: event.request.ip,
      method: event.request.method,
      host: event.request.hostname,
      port: 443,
      protocol: "https",
      userAgent: event.request.user_agent,
      clientID: event.client.client_id
    }
  };

  const config = {
    headers: {
      'x-api-key': 'FRAUD_API_KEY', // replace with your Account Protect key
      'Content-type': 'application/json'
    },
    timeout: 1500, // milliseconds; a timeout is caught below and the login proceeds
  };
  try {
    const res = await axios.post('https://account-api.datadome.co/v1/validate/login', payload, config);
    if (res.status === 200 && res.data?.action === 'deny') { // deny login only if the API returns 200 & action = deny.
      // Custom actions, e.g. api.access.deny('login denied')
    }
  } catch (error) {
    console.log(error); // network errors and timeouts are logged; the login is not blocked
  }
};

The action uses Axios as its HTTP client, so we need to add it as a dependency.

  • Click on Add Dependency

  • Enter axios in the Name field and click on Create

  • Configuration is now done. Click on Deploy to deploy this new action to your tenant.

Now, we have to add the new action (Account Protect - Login) to your Login pipeline.

  • Go to Actions > Flows
  • Click on Login

  • Click on Custom in the right panel and drag the Account Protect - Login action into your pipeline

  • Click on Apply

From now on, every successful login is sent to DataDome Account Protect.

Step 2: Configure Auth0 to send Registration events to DataDome Account Protect

  • Connect to Auth0 Console
  • Go to Actions > Library and Click on Create Action > Build from scratch

  • Enter the name Account Protect - Registration, select the trigger Pre User Registration and the runtime Node 18, then click on Create

  • Copy / Paste the following code

Replace FRAUD_API_KEY (line 36) with your Account Protect key, available in your Dashboard.

/**
 * Handler that will be called during the execution of a PreUserRegistration flow.
 *
 * @param {Event} event - Details about the context and user that is attempting to register.
 * @param {PreUserRegistrationAPI} api - Interface whose methods can be used to change the behavior of the signup.
 */
const axios = require("axios");

exports.onExecutePreUserRegistration = async (event, api) => {

  const payload = {
    account: event.user.email ?? event.user.user_id, // fall back to the user id when no email is available
    status: "succeeded",
    module: {
      requestTimeMicros: new Date().getTime() * 1000, // epoch time in microseconds
      name: "Fraud SDK Auth0",
      version: "1"
    },
    header: {
      addr: event.request.ip,
      method: event.request.method,
      host: event.request.hostname,
      port: 443,
      protocol: "https",
      userAgent: event.request.user_agent,
      clientID: event.client.client_id
    },
    user: {
      id: event.user.email ?? event.user.user_id,
      email: event.user.email
    }
  };

  const config = {
    headers: {
      'x-api-key': 'FRAUD_API_KEY', // replace with your Account Protect key
      'Content-type': 'application/json'
    },
    timeout: 1500, // milliseconds; a timeout is caught below and the registration proceeds
  };
  try {
    const res = await axios.post('https://account-api.datadome.co/v1/validate/registration', payload, config);
    if (res.status === 200 && res.data?.action === 'deny') { // deny registration only if the API returns 200 & action = deny.
      // Custom actions, e.g. api.access.deny('registration denied', 'Registration is not allowed')
    }
  } catch (error) {
    console.log(error); // network errors and timeouts are logged; the registration is not blocked
  }
};
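The two actions above share the same structure: build a payload from the Auth0 event, post it to the Account Protect validation endpoint, and deny only on an explicit HTTP 200 with action = deny, while any transport error or timeout lets the user through. The following is an added example, not DataDome's or Auth0's code, that factors that logic out of the Auth0 runtime so it can be exercised offline: the event object is a constructed sample shaped like Auth0's `event`, and `post` is an injected function standing in for `axios.post` (a hypothetical test seam, not an Auth0 or DataDome API). It covers both the login and the registration payloads.

```javascript
// Added example: the decision logic of the login and registration Actions,
// with the HTTP client injected so the allow/deny/skip paths can be tested offline.
const LOGIN_URL = 'https://account-api.datadome.co/v1/validate/login';
const REGISTRATION_URL = 'https://account-api.datadome.co/v1/validate/registration';

// Silent-auth (prompt=none) and refresh-token exchanges are not interactive
// logins and must not be reported as login events.
function isSilentOrRefresh(event) {
  return event.request?.query?.prompt === 'none'
    || event.transaction?.protocol === 'oauth2-refresh-token';
}

// Request metadata shared by both payloads.
function buildHeader(event) {
  return {
    addr: event.request.ip,
    method: event.request.method,
    host: event.request.hostname,
    port: 443,
    protocol: 'https',
    userAgent: event.request.user_agent,
    clientID: event.client.client_id,
  };
}

// `now` is epoch milliseconds; the API expects microseconds.
function buildModule(now = Date.now()) {
  return { requestTimeMicros: now * 1000, name: 'Fraud SDK Auth0', version: '1' };
}

function buildLoginPayload(event, now) {
  return {
    event: 'login',
    account: event.user.email ?? event.user.user_id,
    status: 'succeeded',
    module: buildModule(now),
    header: buildHeader(event),
  };
}

function buildRegistrationPayload(event, now) {
  return {
    account: event.user.email ?? event.user.user_id,
    status: 'succeeded',
    module: buildModule(now),
    header: buildHeader(event),
    user: { id: event.user.email ?? event.user.user_id, email: event.user.email },
  };
}

// Deny only on HTTP 200 with action === 'deny'. A 5xx, a timeout or a network
// error fails open (the user is allowed through), exactly as the Actions on this
// page behave: an outage of the fraud API must not lock every user out.
function decide(result) {
  if (result.ok === false) return 'allow';
  if (result.status === 200 && result.data?.action === 'deny') return 'deny';
  return 'allow';
}

// Posts the payload with the injected client and returns 'allow' or 'deny'.
async function validate(url, payload, apiKey, post) {
  const config = {
    headers: { 'x-api-key': apiKey, 'Content-type': 'application/json' },
    timeout: 1500,
  };
  try {
    const res = await post(url, payload, config);
    return decide({ status: res.status, data: res.data });
  } catch (err) {
    return decide({ ok: false }); // transport error or timeout: fail open
  }
}

async function handleLogin(event, apiKey, post, now) {
  if (isSilentOrRefresh(event)) return 'skipped';
  return validate(LOGIN_URL, buildLoginPayload(event, now), apiKey, post);
}

async function handleRegistration(event, apiKey, post, now) {
  return validate(REGISTRATION_URL, buildRegistrationPayload(event, now), apiKey, post);
}

// Constructed sample event shaped like Auth0's event object (all values made up).
const sampleEvent = {
  user: { email: 'alice@example.com', user_id: 'auth0|123' },
  request: { ip: '203.0.113.10', method: 'POST', hostname: 'tenant.example.auth0.com',
             user_agent: 'Mozilla/5.0', query: {} },
  transaction: { protocol: 'oidc-basic-profile' },
  client: { client_id: 'CLIENT_ID_PLACEHOLDER' },
};

// Fake HTTP clients standing in for axios.post.
const denyClient = async () => ({ status: 200, data: { action: 'deny' } });
const allowClient = async () => ({ status: 200, data: { action: 'allow' } });
const serverErrorClient = async () => ({ status: 500, data: { action: 'deny' } });
const timeoutClient = async () => { throw new Error('timeout of 1500ms exceeded'); };
```

In a deployed Action, store the key as an Action secret and read it as `event.secrets.FRAUD_API_KEY` instead of pasting it into the source. The fail-open choice in `decide` is deliberate and matches the page's Actions; if you would rather fail closed for high-risk flows, that is the one branch to change, and the injected client makes that change easy to test.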

The action uses Axios as its HTTP client, so we need to add it as a dependency.

  • Click on Add Dependency

  • Enter axios in the Name field and click on Create

  • Configuration is now done. Click on Deploy to deploy this new action to your tenant.

Now, we have to add the new action (Account Protect - Registration) to your Registration pipeline.

  • Go to Actions > Flows

  • Click on Login

  • Click on Custom in the right panel and drag the Account Protect - Registration action into your pipeline

  • Click on Apply

From now on, every registration is sent to DataDome Account Protect.

Step 3: Configure Auth0 to send failed Login events to DataDome Account Protect

Failed logins do not run the Post Login action, so they are collected through an Auth0 log stream that posts to the DataDome webhook.

  • Go to Monitoring > Streams & click on Create Stream

  • Enter:
    • Name: Account Protect - Failed Login
    • Payload URL: https://account-api.datadome.co/v1/collect/auth0/log-stream
    • Authorization Token: your DataDome Account Protect key, available in your Dashboard
    • Content Type: Application/json
    • Content Format: JSON Object
    • Filter by Event Category: select Login - Failure
      • Don't forget to click on "Apply" so that the filter is taken into account.
  • Click on Save

From now on, every failed login event is sent to DataDome Account Protect.

Failed login events are not reaching DataDome Account Protect?

  • Go to Monitoring > Streams & click on Account Protect - Failed Login
  • Select the Health tab

This shows the last errors the Auth0 stream received from the DataDome webhook.

In the example below, a wrong API key was used: