Auth0 Custom Log Streams

Overview

Webhooks allow events to be delivered to an external web server. Auth0 offers several integrations that automatically push events to third-party log management and analysis systems. Webhooks are useful for events that are not covered by actions, for example when a user changes their email address and we need to notify other clients or domains within our middleware.

EventBridge

You can create an event-driven workflow using EventBridge to send our Auth0 tenant logs to targets of our choice, for example Lambda functions or Kinesis streams.

Set up Auth0 as the event source

Part of the integration process is to set up Auth0 as the event source. This is usually done via the Dashboard, but we strongly recommend doing it with the Auth0 Terraform Provider. More details can be found here.

  1. Create the stream.
  2. Create the AWS Event Source by providing your AWS Account ID and AWS Region. The region you select must match the region in which your Amazon EventBridge event bus resides.

Create an event bus

  1. Create an event bus or use an existing one. We recommend creating a new bus dedicated to auth-related events.

Create rules

At this point, the events that you send will be made available on your event bus. However, before you can use the data you send to AWS services, you will need to create rules that map those events to specific targets.

Amazon EventBridge uses rules, which are definitions specifying how you want incoming events routed to the desired targets.

Targets are the services, such as EC2 instances, Lambda functions, Kinesis streams, or ECS tasks, that process the event-driven data they receive. The data received by targets is JSON-formatted.

A single rule can route to one or more targets; if there is more than one, AWS delivers the event to all of them in parallel.
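To make the rule-to-target mapping concrete, the following added example (our own illustration, not code from Auth0 or AWS) applies two rule patterns to a few constructed Auth0-style events. The patterns are written in the same JSON form that EventBridge accepts in a rule definition; the matcher is a deliberately simplified re-implementation of EventBridge's literal-list and nested-object matching. The field names under `detail` are assumptions modelled on Auth0 tenant log entries, and `f`, `fp` and `fu` are Auth0's log type codes for failed logins.

```python
import json
from typing import Any, Dict, List

# Constructed sample events in the shape Auth0 log events take on an
# EventBridge partner bus. The "detail" layout is an assumption modelled on
# Auth0 tenant log entries; compare with a real event from your stream.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "version": "0",
        "id": "evt-1",
        "detail-type": "Auth0 log",
        "source": "aws.partner/auth0.com/example-tenant-abc123/auth0.logs",
        "detail": {
            "log_id": "log-1",
            "data": {"type": "fp", "client_id": "client-1", "ip": "203.0.113.7",
                     "description": "Wrong email or password."},
        },
    },
    {
        "version": "0",
        "id": "evt-2",
        "detail-type": "Auth0 log",
        "source": "aws.partner/auth0.com/example-tenant-abc123/auth0.logs",
        "detail": {
            "log_id": "log-2",
            "data": {"type": "s", "client_id": "client-1", "ip": "198.51.100.2",
                     "description": "Successful login"},
        },
    },
    {
        # An unrelated AWS event on the same bus, which no Auth0 rule should match.
        "version": "0",
        "id": "evt-3",
        "detail-type": "Scheduled Event",
        "source": "aws.events",
        "detail": {},
    },
]

# Rule patterns in EventBridge's JSON form: a list means "any of these literal
# values", a nested object means "descend into this field".
FAILED_AUTH_PATTERN: Dict[str, Any] = {
    "detail-type": ["Auth0 log"],
    "detail": {"data": {"type": ["f", "fp", "fu"]}},
}
ALL_AUTH0_PATTERN: Dict[str, Any] = {"detail-type": ["Auth0 log"]}


def rule_pattern_json(pattern: Dict[str, Any]) -> str:
    """Serialise a pattern exactly as it is pasted into a rule definition."""
    return json.dumps(pattern, indent=2)


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Simplified EventBridge matching: every key in the pattern must exist in
    the event, a literal list matches if the event value is one of its entries,
    and nested dicts are matched recursively. The real service also supports
    prefix, numeric, exists and anything-but matchers, not modelled here."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def route(events: List[Dict[str, Any]],
          rules: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Apply each rule to every event, as the bus does, and return the event
    ids each target would receive. A rule with several targets hands the same
    matched event to all of them in parallel."""
    delivered: Dict[str, List[str]] = {target: [] for target in rules}
    for event in events:
        for target, pattern in rules.items():
            if matches(pattern, event):
                delivered[target].append(event["id"])
    return delivered


if __name__ == "__main__":
    print(rule_pattern_json(FAILED_AUTH_PATTERN))
    print(route(SAMPLE_EVENTS, {
        "failed-auth-lambda": FAILED_AUTH_PATTERN,
        "all-auth0-firehose": ALL_AUTH0_PATTERN,
    }))
```

Running the block prints the failed-login pattern and shows that only `evt-1` reaches the hypothetical `failed-auth-lambda` target while both Auth0 events reach `all-auth0-firehose`; the scheduled event is dropped by both rules because its `detail-type` does not match. The same matching idea is why a rule that pins `detail-type` to `Auth0 log` keeps unrelated traffic on a shared bus away from your consumers.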

Testing

Once the integration is configured you can test it via the Auth0 Dashboard.

  1. Go to Dashboard > Monitoring > Streams and click your newly created stream.
  2. Switch to the Health view and confirm that the Stream Status is Active.
  3. Perform an action that creates a tenant log event, like a login, token exchange, or Auth0 Management API call.
  4. Confirm that the event was created in your tenant logs.
  5. Depending on the action and the target configured in AWS you should be able to verify it in your consumer.

Troubleshoot Webhooks

If your webhook isn't working, it can be difficult to troubleshoot and determine what is causing the issue. Webhooks are asynchronous, so testing them involves triggering the webhook, waiting, and then checking the response (assuming you received one at all).

Here are some steps you can take to debug:

  1. Check Auth0 Dashboard > Monitoring > Logs for helpful messages.
  2. Mock requests using cURL or Postman.

Delivery attempts and retries

Auth0 events are delivered to AWS via a streaming mechanism that sends each event as it is triggered in our system. If EventBridge is unable to receive an event, Auth0 retries delivery up to three times; after that, the delivery failure is logged in our system and you can see these failures in the Health tab for your log stream.

Sensitive Data

Logs can contain sensitive data such as secrets and PII. It is important to obscure these fields when ingesting logs into AWS or any other third-party system.
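As an added example of the obscuring step (our own illustration, not Auth0 or AWS code), the function below scrubs a log entry before a consumer forwards it on: nested request and response bodies are replaced outright, and user identifiers are replaced by a keyed hash so that events stay correlatable without exporting the raw value. The entry, the key names in `DROP_PATHS` and `PSEUDONYMISE_FIELDS`, and the HMAC key are all constructed assumptions; check them against a real event from your stream.

```python
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Nested paths inside a log entry that must never reach a third-party system.
# Key names are assumptions modelled on Auth0 tenant log entries.
DROP_PATHS: Tuple[Tuple[str, ...], ...] = (
    ("details", "request", "body"),    # can echo submitted credentials or tokens
    ("details", "response", "body"),
    ("details", "session_id"),
)
# Identifiers replaced by a keyed hash instead of being dropped.
PSEUDONYMISE_FIELDS = ("user_id", "user_name", "ip")

# Constructed sample entry, not a real tenant log.
SAMPLE_ENTRY: Dict[str, Any] = {
    "type": "fp",
    "client_id": "client-1",
    "user_id": "auth0|000000000000000000000001",
    "user_name": "alice@example.com",
    "ip": "203.0.113.7",
    "details": {
        "request": {"method": "post", "path": "/oauth/token",
                    "body": {"grant_type": "password", "password": "hunter2"}},
        "response": {"statusCode": 401, "body": {"error": "invalid_grant"}},
        "session_id": "sess-abc",
    },
}


def _redact_path(entry: Dict[str, Any], path: Tuple[str, ...]) -> None:
    """Replace the value at a nested path in place; silently skip absent paths."""
    node: Any = entry
    for key in path[:-1]:
        node = node.get(key)
        if not isinstance(node, dict):
            return
    if path[-1] in node:
        node[path[-1]] = "[REDACTED]"


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated) so the same identifier maps to the
    same token within one deployment but cannot be reversed or linked across
    deployments that use different keys."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact(entry: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a scrubbed copy of the entry; the original is never mutated."""
    scrubbed = copy.deepcopy(entry)
    for path in DROP_PATHS:
        _redact_path(scrubbed, path)
    for field in PSEUDONYMISE_FIELDS:
        if isinstance(scrubbed.get(field), str):
            scrubbed[field] = pseudonym(scrubbed[field], key)
    return scrubbed


def leaks(entry: Dict[str, Any], needle: str) -> bool:
    """Regression check: does the serialised entry still contain `needle`?"""
    return needle in json.dumps(entry)


if __name__ == "__main__":
    # The key should come from a secrets manager in practice; this one is a placeholder.
    print(json.dumps(redact(SAMPLE_ENTRY, b"placeholder-hmac-key"), indent=2))
```

The `leaks` helper is the kind of check worth keeping in the consumer's test suite: assert that a known secret present in a constructed input is absent from the scrubbed output, so a new log field that starts carrying credentials is caught before it reaches the third-party system.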

Resources