Guides & tutorials

Custom policies acceptance with Auth0 rules

Download this tutorial scenario and import it in your workspace
Download scenario
Table of contents

Have you updated your privacy policies and do you need to collect users' consent again? If you need to require custom privacy policies from your users before allowing them access to your application, this tutorial is for you.

This use case requires all your users to agree to a new terms of service form. It consists of a custom form to request acceptance of the new conditions which will be displayed, after logging in, to the users who have not yet accepted it.

Prerequisites

  • An active Auth0 account to authenticate users. You can sign up for free here if you don't have one.
  • An active Arengu account to build the progressive profiling form and its server-side logic. You can sign up for free here if you don't have one yet.

What are we going to build?

A form to display the new terms and conditions, and a legal field to accept them that will be displayed after the users logs in.

This form will be linked to a flow that will check the session token and update the app metadata in Auth0.

1. Add the Auth0 rule

First of all, add the policy acceptance rule of Arengu to the Auth0 dashboard. For this:

  • Go to your Auth0 Dashboard > Marketplace.
  • Search for Arengu Policy Acceptance.
  • Click on the rule and then on the Add integration button.

You will be automatically redirected to the rule edition screen. Notice that if you click any of the three buttons at the bottom of the Edit Rule screen to save and activate it. After installing the rule, Auth0 will skip it until you add the configuration we explain below.

2. Configure the Auth0 Rule

As the page notification indicates, the next step is to add the following keys:

  • SESSION_TOKEN_SECRET: A long, random string that we will use to sign and verify JSON Web Tokens in Arengu.
  • ARENGU_POLICIES_FORM_URL: The URL that contains an embedded form or with a hosted form page in Arengu too.

To add them, go to Auth0 Dashboard > Auth Pipeline > Rules and click on the Add button of the Settings section. To learn more, take a look at the Rules Configuration page.

Check that the rule is enabled and then go back to the Edit rule page. Check the script to include the condition that the user must meet for the form to be displayed or not. You will find them on line 25 and it must match the ID that we will assign to the policy acceptance field in Arengu. In this case, we will use terms_accepted as ID.

Once you have added and saved the configuration, Auth0 will process all logins for your tenant using this Rule. Before activating the integration in production, make sure you have configured all components correctly and verified on a test tenant.

3. Create the form in Arengu

Go to the form editor and add the required field. In this case, we will add a Legal field with our terms and conditions. To set up this field:

  • ID: change the ID to terms_accepted. This ID must be exactly the same that we have included in the rule script.
  • Required: enable the checkbox to set it up as required.

Add also two hidden fields by clicking on the eye icon to open their settings:

  • Hidden fields: create a hidden field with the key state and another one with session_token. Arengu will automatically pre-fill them with the corresponding URL params values.

Click on the ending screen and enable the redirection section

  • Redirect URL: add {{state.redirectUrl}} as value. We will link a flow that stores this variable in the next section.

Click on the Flows tab on the light menu, create a flow linked to the first step of the form by clicking on the plus icon and publish the changes.

4. Build the flow in Arengu

Go to the flow editor and start building the flow by adding a Verify JSON web token action:

To set it up:

  • ID: change the ID to verifyJwt to simplify referencing it.
  • Token: add {{input.body.session_token}} to reference the session_token parameter we are receiving from the hidden fields of the form.
  • Secret or private key: add your Auth0 SESSION_TOKEN_SECRET.
  • Issuer: add the host from where you will receive the requests (eg. 'https://arengu.eu.auth0.com/`).

Add an If/then condition action to perform conditional logic if the JWT is valid or not. The settings for this action are these:

  • Condition: reference the {{verifyJwt.valid}} variable on the first input and choose is true as evaluation criteria.

Include a Show error message action in the False branch to display it on the form in case the JWT validations fails (eg. wrong settings, expired JWT, altered JWT, etc).

Then add a Sign JSON web token action to the True branch to sign the provided user information.

Set up this action as follows:

  • ID: change the ID to signJwt to simplify referencing it.
  • Algorithm: choose HS256.
  • Secret or private key: add your Auth0 SESSION_TOKEN_SECRET.
  • Issuer: add the host from where you will receive the requests (eg. 'https://arengu.eu.auth0.com/`).
  • Subject: reference the {{verifyJwt.payload.sub}} variable to recall the verified sub of the Verify JSON web token output.
  • Expires in: add a short expiration time (eg. 15-30 seconds) to avoid replay attacks.
  • Payload: we will add our custom claims inside the other property and the Auth0 state on the root of the body::
{
  "other": {
    "terms_accepted": true
  },
  "state": "{{input.body.state}}"
}

Add a Store state variable to store a custom variable that we will reuse in our form. To set up this action:

  • Data fields: add redirectUrl as first value and https://YOUR_TENANT_SUBDOMAIN.auth0.com/continue?state={{input.body.state}}&session_token={{signJwt.token}} as second value. This URL will be used to redirect the user with the state parameter we've received in the form, and the token parameter we've generated in the previous flow action.

Then close the True branch of the flow with a Submit the form action that will display our ending screen that redirects the user using the previously generated variable.

Finally, publish the changes.

Preview, test and debug it

To check if everything is working properly: 

  • Go to Auth0 Dashboard > Authentication > Database.
  • Click on the three dots icon of the database connection > Try.

This will open the Auth0 login page where you can test the use case:

Once you have tried it, you can also check if the data has been updated this way:

  • Go to Auth0 Dashboard > User management > Users.
  • Click on the user that you used to test the form.
  • Check the app_metadata section to verify that it has been updated.

If you want to try it again, you can manually delete this data and re-launch the test.

If it has not worked properly, you can check the possible errors in Auth0 Dashboard and in the Executions tab of the flow in Arengu’s editor.



Back to the guides & tutorials

You might like to read

Custom signup forms with PrestaShop

Easily create registration forms, login forms or even passwordless forms without coding and embed them in your PrestaShop site.

Multi-factor authentication with WordPress

Reinforcing the security of your WordPress back office is easier and faster than you might imagine. Learn how to use our plugin.

Prefill form fields with data enrichment using Clearbit

Learn how to use Clearbit to enrich and autocomplete data in your forms. A common use case to optimize your registration and sales flows.

ID verification onboarding flow with Passbase & Firebase

Learn how to set up a signup flow with ID verification with Passbase & Firebase. Especially useful for KYC flows with biometric authentication.

Signup form with phone verification

Easily build and set up a custom registration form with phone verification for a custom API.

Progressive profiling with account complete and custom API

Learn how to create a login flow with progressive profiling in order to collect new user's data the next time they authenticate with your API.

See more tutorials

Getting started with Arengu

Arengu allows you to build all your user flows connected to your current stack, and avoids coding all the UI, complex integrations, validations or logic from scratch. Try it for free and start building faster and scaling your application needs as they grow.

Book a demoTry it free

Product

FlowsFormsPagesIntegrationsUse casesPricing

Company

CareersTerms & conditionsPrivacy policyCookies policy

Resources

BlogOnboarding academySignup flow examplesEmail templates

Help

DocumentationSchedule a demoContact us