auth0-extensions / auth0-delegated-administration-extension


This extension allows non-dashboard administrators to manage (a subset of) users.

Home Page: https://auth0.com/docs/extensions/delegated-admin

License: Other



Auth0 Delegated Administration Extension


Running in Production

npm install
npm run client:build
npm run serve:prod

Running in Development

To run the extension:

npm install
npm run build
npm run serve:dev

Configuration

Create the configuration file under ./server/config.json:

{
  "EXTENSION_CLIENT_ID": "SPA_CLIENT_ID",
  "EXTENSION_SECRET": "Random Secret",
  "WT_URL": "http://localhost:3001",
  "PUBLIC_WT_URL": "http://localhost:3001",
  "AUTH0_RTA": "https://auth0.auth0.com",
  "AUTH0_DOMAIN": "{tenant-name.region}.auth0.com",
  "AUTH0_CLIENT_ID": "GENERIC_CLIENT_ID",
  "AUTH0_CLIENT_SECRET": "GENERIC_CLIENT_SECRET"
}

As you can see, there are two clients involved here.

Management API Client

Relevant properties for this section: AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET

To get this client set up quickly, install the Delegated Admin Extension from the dashboard. This creates a generic auth0-delegated-admin client/application. Copy its Client ID and Client Secret into AUTH0_CLIENT_ID and AUTH0_CLIENT_SECRET.

You may also create this client manually: go to APIs and add a "Non Interactive Client" there with the following scopes:

read:clients delete:clients read:connections read:users update:users delete:users create:users read:logs read:device_credentials update:device_credentials delete:device_credentials delete:guardian_enrollments

This client is used to interact with the Management API (e.g. to load users).

Client for End Users

Relevant properties for this section: EXTENSION_CLIENT_ID.

This extension lets end users log in, not dashboard administrators. This means it must be secured in the same way as any other application in Auth0.

  1. Create a "Single Page Application" under Clients.
  2. Add http://localhost:3001/login as an Allowed Callback URL.
  3. Put its Client ID in the EXTENSION_CLIENT_ID setting.
  4. In the Client, under Advanced Settings, OAuth2, change the JWT signature algorithm from HS256 to RS256.
  5. Choose a connection (e.g. a DB connection) and enable only that one in your Client (Connections tab).

Custom Style

Customers can implement their own style by adding the following settings:

{
  "TITLE": "Fabrikam User Management",
  "CUSTOM_CSS": "https://cdn.jsdelivr.net/gh/auth0-extensions/auth0-delegated-administration-extension/docs/theme/fabrikam.css"
}

The CSS file has to be hosted by the customer and can be used to change the style of every component. An example can be found under docs/theme.

Usage

See the official documentation page on docs.auth0.com.


auth0-delegated-administration-extension's Issues

If an action is restricted via access hook hide it from the actions drop down

DAE still shows an option for an action in the actions drop down even if the user is not allowed to do it. For example, if change:password is restricted, it should not even show that as an option on the UI. Showing the option and then showing an error after a user attempts that operation is not a good user experience.

Delegated admin users are unable to set email as verified

We need Delegated Admin users to have the ability to mark users' emails as verified. Customers are sometimes unable to get their verification emails and it would be useful if our Delegated Admin reps could mark their account as "verified", similar to the admin dashboard.

Use passwordless login

Hello - what do we need to change to use Passwordless login for the dash please? Our users do not have passwords...

Thanks

Error updating custom fields in v3

Hello,

When I try to update a user using the new custom fields introduced in v3 I get the following Error:

Oh snap! An error occurred while changing the users fields: Payload validation error: 'Expected type object but found type null'.


My Settings Query Hook is configured as follows:

function(ctx, callback) {
  return callback(null, {
    userFields: [
      {
        "property": "app_metadata.customer_number", // required
        "label": "Customer Number",
        "display": true,
        "edit": {
          "display": true,
          "type": "text",
          "component": "InputText",
          "disabled": false
        },
        "create": {
          "display": true,
          "type": "text",
          "component": "InputText",
          "disabled": false
        }
      },
      {
        "property": "app_metadata.customer_groups",
        "label": "Customer Groups",
        "display": (function display(user, value, languageDictionary) {
          return user.app_metadata.customer_groups.join(', ')
            .replace('group1', 'Group One')
            .replace('group2', 'Group Two')
            .replace('group3', 'Group Three')
        }).toString(),
        "edit": {
          "type": "select",
          "component": "InputMultiCombo",
          "options": [
            {"value": "group1", "label": "Group One"},
            {"value": "group2", "label": "Group Two"},
            {"value": "group3", "label": "Group Three"}
          ],
          "disabled": false
        },
        "create": {
          "type": "select",
          "component": "InputMultiCombo",
          "options": [
            {"value": "group1", "label": "Group One"},
            {"value": "group2", "label": "Group Two"},
            {"value": "group3", "label": "Group Three"}
          ],
          "disabled": false
        }
      }
    ]
  });
}

BR,
Pascal

Improve the logout flow

Logout should:

  • Clear any local state
  • Redirect to the logout endpoint in Auth0
  • Send the user back to the extension

Improve the Setup Experience

When installing the extension, we can automate the following:

  • Make sure the client is using RS256
  • Set the callback URLs for the client

Just installed it and getting an error

I just installed this extension and am very excited about it! However, after logging in, I'm getting the following error:


Any ideas about where to start debugging this?

Unable to change page size for Users page

The current page size is only 10 records, which makes it hard to navigate large lists of users. A standard dropdown box with options of 10, 20, ..., 200 would be very useful.

"Unknown Event" in Logs

I recently set up this Extension in our Auth0 account. One of our use cases for this extension is the ability to enable viewing of the Logs for a certain group of our staff. Anyway, after installing and trying it out, I realised that most of the Logs from other Clients are shown as "Unknown Event", which breaks our use case.

Can you point out why this is happening and whether we are maybe just missing some configuration? If there is a way to make that work and it is just missing some code functionality, can you please give a hint as to where and how it should be implemented? It is an option for us to extend the functionality on our own and to create a PR for it.

After some more checking I found that the same happens for "Unknown Error". Just to be sure: in the Auth0 Dashboard I can see the proper error messages etc.

Show the current user in the header

The extension is currently showing the tenant name in the header. Instead we should show the email address or username if logged in as an end user.

Better UX when missing necessary roles

When a user authenticates but lacks the necessary roles, the user is still allowed to enter the UI (it is just a SPA after all). However, all the API calls return 403s as expected. It would be better for the user, if missing the necessary scopes (or receiving 403s, since the access token is opaque to the client), to see a different UI indicating they are not fully authorized.

Optionally, a rule could be created preventing authentication if the necessary roles are missing.

Provide sample templates for the different hooks

Setting up the extension is currently very complex due to the need to copy paste things between the docs and the extension.

We should provide a template picker (similar to database connections) where users can pick a predefined template.

Upon installation we should also fill all hooks with default templates.

Document using the Authorization Extension

The current documentation shows how to manually handle the authorization aspect. We should additionally document how the Delegated Admin extension can work hand in hand with the Authorization extension.

Bug writing hooks

When I write a hook, even a stupidly simple one like:

function(ctx, callback) {
  return callback();
}

I get the following error in the UI:

It seems to happen no matter which hook I set up.

Is there a bug somewhere?

No paging in the Users list

The Users list only displays a maximum of 100 users. Could there be a paging mechanism at the bottom?
Also, if the User Management page in the main dashboard shows 10 users at a time, could the Delegated Admin dashboard also show 10 users per page?

Apply state checks and support IdP initiated login

  • Update auth0-extension-express-tools to have the proper dashboard admins login
  • Implement a /login endpoint for end users which generates a state
  • Support /login?connection=foo which then redirects to /authorize?connection=foo to support multiple database connections

Logs show `Unknown Error` for "Success Exchange (Password for Access Token)"

The logType sepft (Type = Success Exchange, Description = Password for Access Token) is shown as Unknown Error in the logs of a user detail view. In the logs of the Auth0 tenant itself at https://manage.auth0.com/#/logs the same event is shown as Success Exchange with the description Password for Access Token. When investigating this issue it came to our attention that the file logTypes.js does not include the sepft event. This may be the reason for it not being mapped correctly and ending up in the default case as Unknown Error.

Add support for Invite User Flows

Common requirement for B2B customers is the ability to invite a user via the delegated admin extension.

Proposed flow

Add a new "create user" DAE role - users with this role will see the existing "create user" button. If you don't have this role, you lose the ability to create users.

When clicking "invite user", the create user modal pops up with a different title and the confirmation button now says "invite user".

There is a new "invites" tab at the top (permissions undecided atm); it's in between "users" and "logs".

Can view invites. Resend invite links and cancel invites on this page.

When sending an invite, an email is sent to the invitee with a link to accept.

When accepting an invite, the invitee will either be prompted for a password (for password connection) or redirected to login if via federation.

Users are redirected back to an application after accepting an invite - configured via a redirect url in settings.

All CRUD operations on invites are done using an invite hook. A default implementation is provided which uses webtask storage.

The HTML for the invite email and the accept invite page are editable via configuration hooks (similar to email templates and HLP)

Email settings are pulled via the management API from the Auth0 tenant.

Support self-service views

Support views where end users can login and then:

  • Change their password
  • Maybe change some basic info (like phone number, ...)

Allow specifying the connection to use when logging in

When logging in the extension will redirect to the hosted login page. When a customer is using multiple Database Connections it would be better to specify the name of the connection.

So upon installing the extension, we need to provide the name of the connection (eg: "Username-Password-Authentication" to use when logging in).

Version of Node

When I run yarn, I get an error reporting that the engine node is incompatible with this module. Expected version 6.9.1

This is in [email protected]

If I change the engine requirement to >6.9.1, I then get an error in [email protected].

Sorry, you have no permissions to do this.

Followed the instructions on the auth0 page but keep getting the error:

Oh snap! You got an error!

An error occurred while retrieving list of users: Forbidden! Sorry, you have no permissions to do this.

I created and tested my own rule which adds the correct roles to a user.

function (user, context, callback) {
  if (context.clientID === 'xx') {
    if (user.email === 'xx' || user.email === 'xx') {
      context.idToken.roles = ['admin', 'guest'];
    
      user.roles = user.roles || [ ];
      user.roles.push('Delegated Admin - Administrator');
      return callback(null, user, context);
    } else {
        context.idToken.roles = ['guest'];
    }
    
    return callback(new UnauthorizedError('You are not allowed to use this application.'));
  }
  callback(null, user, context);
}

Ability to put Hooks under version control

We are using the Management API in order to deploy the configuration for our Auth0 tenant based on a repository that we are putting under version control. This means that we could recreate our Auth0 tenant from scratch without a big hassle and that we are able to follow changes within the configuration through a commit log.

I wanted to ask whether there is a way to achieve the same for Hooks inside this extension? The same question is also valid for the whole extension itself, as there seems to be no endpoint for them in the Management API.

Fails with OIDC Conformant set to true

When setting the Delegated Admin client to OIDC Conformant it fails to login. The login is successful as per Auth0 logs but the application flicks you back to the login screen.

OIDC Conformant is now on by default which means this extension should probably follow the OIDC spec.

Connection is prompted for when updating user profile or changing password

When editing a user's profile, resetting their password or changing any property of the user, the modal dialog that shows up displays a disabled dropdown of the connection. In my setup there is only one connection so according to the docs, this dropdown should not even be visible.

Even without any configured hooks, this is the case. Please see the screenshot in #154 for a reference.

Allow direct metadata editing

Allow direct editing of user_metadata and app_metadata (similar to the management console), ideally through role-based access control measures (additional roles for user and app metadata editing).

Obviously direct editing is error prone and should only be used by properly trained and experienced support staff, but it is a requirement for us. We have a few senior support staff who have access to the entire management console just so they can edit metadata. We have a stalled project to build our own equivalent of the DA dashboard with metadata editing capabilities, but it would be great if the extension supported it natively.

Custom domain?

I'm currently running the built in auth0 delegated administration extension, but I want a custom domain. Is this codebase the same extension? Do I just run this on my own server and hook it up via the client Id and secret from my auth0 account?

Reset Password requires client selection

When entering the Reset Password UI for a user, a required field for the application client is shown. Is this exposing unintended application client names to the user?

I am using the version 3.4 of the extension in the US.


Add support for new Auth0 RBAC features

This feature would involve two changes:

Controlling access to the DAE dashboard

First, instead of driving access to the DAE dashboard via an ID Token with a custom "roles" claim, use an OAuth Access token that carries the required permissions.

Some considerations:

  • This would require that a custom "Delegated Admin" API is also configured in Auth0. Not sure if the user should create this ahead of time and configure its identifier value in the extension configuration variables on creation or if the extension can simply create it.
  • At a minimum, the API would need to define permissions that map to the four existing DAE "roles": User, Administrator, Auditor, Operator so the dashboard behavior can be driven accordingly.
    • NOTE: We should strive to make the DAE be permission-based (vs. role based) so that admins can define their own roles in Auth0 that map to these permissions, just like they would with other custom APIs they define.
  • We need to decide how to transmit permissions in the access token. Either via the scope claim or the permissions claim (if the Add Permissions in the Access Token flag is true for the API). It might be simpler to only use the latter since the DAE wouldn't need to request scopes in the /authorize call.

Support RBAC role assignment of managed users

Currently, the DAE only allows updates of a user's profile (eg. user_metadata and app_metadata). But for proper RBAC support, we'd need a way for the hooks to be instructed to set a user's RBAC roles, which is done external to their profile. It seems like we could provide an option for the "membership" capability to simply leverage the RBAC roles defined in the tenant. However, the Memberships Hook will still be important to filter the possible list of roles a given admin can assign. Likewise, the Write Hook will need to enforce this.
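As an added illustration, not code from the extension, of the permission-based gating proposed in this issue together with the "not fully authorized" view requested in the "Better UX when missing necessary roles" issue: the custom API identifier and the dae:* permission names are assumptions, and the payload passed in must already have been signature-verified (RS256) by the caller.

```javascript
// Assumed identifier of the custom "Delegated Admin" API the issue proposes.
const DAE_API_AUDIENCE = 'https://delegated-admin.example.com/api';

// Assumed permission names on that API, one per existing DAE role, so that
// tenant admins can compose their own Auth0 roles from these permissions.
const PERMISSION_TO_ROLE = {
  'dae:user': 'User',
  'dae:administrator': 'Administrator',
  'dae:auditor': 'Auditor',
  'dae:operator': 'Operator',
};

// Reads the granted permissions from a verified access-token payload. Prefers
// the `permissions` claim (Add Permissions in the Access Token = true) and
// falls back to the space-separated `scope` claim.
function grantedPermissions(payload) {
  if (Array.isArray(payload.permissions)) return payload.permissions;
  if (typeof payload.scope === 'string') return payload.scope.split(' ').filter(Boolean);
  return [];
}

// Returns the DAE roles the token authorizes. Fails closed (empty list) when
// the token was not issued for the DAE API or has expired.
function daeRoles(payload, now = Math.floor(Date.now() / 1000)) {
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(DAE_API_AUDIENCE)) return [];
  if (typeof payload.exp !== 'number' || payload.exp <= now) return [];
  const roles = new Set();
  for (const p of grantedPermissions(payload)) {
    if (PERMISSION_TO_ROLE[p]) roles.add(PERMISSION_TO_ROLE[p]);
  }
  return [...roles];
}

// UI decision: an authenticated user with no DAE role gets a dedicated
// "unauthorized" view instead of a dashboard whose API calls would all 403.
function viewFor(payload, now) {
  const roles = daeRoles(payload, now);
  return roles.length ? { view: 'dashboard', roles } : { view: 'unauthorized', roles };
}

module.exports = { DAE_API_AUDIENCE, PERMISSION_TO_ROLE, grantedPermissions, daeRoles, viewFor };
```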
