How to manage Auth0’s rules and hooks deprecation: a shift towards actions

Auth0, a widely-used customer identity management platform, recently made a significant announcement that directly influences their clients and partners when they announced they will be deprecating the popular Rules and Hooks features. Instead, they’re focusing on unifying all extensibility features under a single segment, known as Actions. 

Unfortunately, many customers still depend on certain Auth0 rules that aren’t supported in Auth0’s actions feature, which means navigating new ways to ensure their application’s authentication works as intended.

In this blog post, we’re going to go through the logic behind Auth0’s decision, the potential fallout for their customers, and possible alternatives available with Stytch. 

Background, timeline, and current resources

What were rules?

Auth0’s Rules is a serverless function engine that lets developers insert custom JavaScript code during the authentication process. Given that the Universal Login is hosted, businesses using Auth0 have less direct control over the authentication process. Rules enable them to inject specific logic into this process, such as adding user profile enrichment, enforcing multifactor authentication, or implementing fraud detection.

Why is this happening?

While unpopular with many developers that rely on Auth0’s Rules and Hooks, the aim of this move is to rearchitect its extensibility offering as Auth0 is integrated into the Okta identity platform. Indeed, Okta’s acquisition of Auth0 has been implicated in several noticeable shifts in Auth0’s platform, from day-to-day customer support to larger changes like supported features.

When is this happening?

The deprecation process will start with the gradual removal of Hooks access from new tenants and customers. Existing customers will start experiencing this change starting October 16th, 2023. The final end of life for Rules and Hooks is slated for November 2024 for all customers.

Auth0 made this deprecation announcement roughly eighteen months ahead of the final end of life in order to provide users sufficient time to handle the migration process. During the transitional phase, existing tenants using Rules can expect only maintenance support, and all Rules will be fully removed from all tenants by November 2024.

What support is available?

Clients and partners currently using Auth0’s Rules and Hooks features are encouraged to migrate to the Actions feature as soon as possible. To assist in this transition, Auth0 has provided migrating documentation to facilitate the shift from Hooks to Actions and from Rules to Actions. The online resources include an Actions demo, and a ‘Move to Actions’ page that explores feature comparisons, etc.

Deprecation Concerns

Despite migration resources like those described above, we’ve consistently heard concern from current Auth0 customers about certain limitations present in the new Actions feature, especially pertaining to Actions’ technical limitations that are as of yet either unaddressed or unresolved. 

Those concerns involve account linking limitations, access to customer IdP attributes, custom claims and apps metadata access, and data from third-party IdPs. 

1. Account linking limitation

Actions, in their current state, do not support account linking. Account-linking is a pivotal feature for many businesses that enables seamless sharing and unification of data across multiple user accounts. The absence of this feature from Actions introduces a substantial obstacle for those currently relying on Rules for this functionality.

2. Access to customer IdP attributes

Users have reported that the event.user object in Actions does not include all the custom Identity Provider (IdP) attributes. This limitation can disrupt the user information flow and authentication process as many organizations require all user attributes for application safety and smoother functionality.

3. Custom claims and app metadata access

There are specific cases where users need to map custom SAML (Security Assertion Markup Language) attributes into a user’s app_metadata. This handling is only possible via Rules and not supported in Actions. Losing this functionality poses a challenge for migration as it limits application-to-application user data transfers, crucial for understanding user roles and claims.

4. Data from third-party IdPs

Some users have used Rules to pass data from the access token received from a third-party IdP into the access token generated by Auth0. Currently, there’s no known method to implement this with Actions, which might disrupt user access and role management.

As the migration continues, addressing these technical impediments is of utmost importance to ensure a smooth and problem-free transition for all Auth0 users. While Auth0 has pledged ongoing support throughout the process, addressing these gaps is critical to the shift to Actions satisfying customers’ needs fully.

The decision to deprecate Rules and Hooks is clearly a significant one, reflecting Auth0’s aim to streamline and centralize their features. It’s a bold move, and although it’s caused some concerns, only time will tell whether it’s the right decision. Meanwhile, users of Auth0 that are finding limitations can consider alternatives to Auth0 like Stytch, which integrates auth more tightly with your application to eliminate the need for rules, hooks, or actions.

Stytch vs. Auth0

Unlike Auth0, Stytch is an embedded authentication solution. This means logic that in Auth0 lives within Actions instead lives in our clients’ own backend services, allowing for a tighter integration between your application and your auth logic. This has the added benefits of being able to version control and better test your logic, instead of having to go into the Auth0 dashboard.

For development teams eager to build, troubleshoot, and deploy quickly, the visibility and control of a backend-based system means a lot less time futzing with widgets, and more time spent shipping. Out of the box, Stytch abstracts away most of the complexity that comes with the Auth0 Rules and Hooks deprecation (e.g. secure account deduplication, IdP attribute access, etc.).

On top of our embedded authentication solution, Stytch also offers powerful features like device fingerprinting, a comprehensive suite of authentication products and account takeover prevention, and extra-mile infrastructural features like account deduplication and provider failover that boost your product’s reliability and scalability. 

Learn more about how Stytch stacks up to Auth0, or get started building for free today.