When it comes to customer identity and access management (CIAM), notifying customers about specific events on their accounts is paramount. These events could range from creating an account to adding MFA to deleting or deactivating the account. Being transparent and laying this data out upfront instills trust in customers and also helps identify security compromises, if any.

Auth0 provides email templates for the following:
- Verification emails (using link or code)
- Welcome emails
- Enroll in MFA emails
- Change password emails
- Blocked account emails
- Password breach alert emails
- Verification code for email MFA
- User invitation
Our requirement was fairly simple. We had to send out emails to our customers whenever a successful password change was detected in their account. Since we were using Auth0, we were pretty laid back, as we thought it would be straightforward to achieve. Brimming with confidence, we looked into this and found that, though there is support for major events, there are still many events for which email templates are not yet available. One such event is the Success Change Password (scp) event. Auth0 does have a template for the Success Change Password Request (scpr) event, which is sent along with a password-reset link to reset a password. However, the email template we were interested in was the one that gets triggered after a password is successfully changed, and the one available wasn't of much use to us.
We found that we could rely on the relevant events from the Auth0 logs to trigger the notifications. Webhooks allow events to be delivered to an external web server, and Auth0 offers several integrations that can automatically push events to third parties, so we captured the scp event from the Auth0 logs and configured a custom webhook that would push it to an external queue.
We implemented a producer-consumer model in which Auth0 would publish events to the queue and a consumer would listen to this queue and send out notifications as a result. We had an additional consumer just for the logs, so that we could consume the relevant events. This approach worked out for us, as we could easily scale it to other events. We could just add multiple consumers and configure the webhook to listen to multiple events.
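The filtering step of this pipeline, as an added example that is not the author's code: it authenticates the webhook call, keeps only scp events, and drops redelivered duplicates so a customer is not emailed twice. The payload shape (a JSON array of objects with `log_id` and `data`), the field names `user_name`, `date` and `ip`, the shared token and all function names are assumptions made for illustration.

```python
import hmac
import json

# Assumption: this token is what the webhook sends in its Authorization header.
WEBHOOK_TOKEN = "constructed-example-token"
NOTIFY_TYPES = {"scp"}  # Success Change Password; add codes to cover more events

def authorized(header_value: str) -> bool:
    # Constant-time comparison, so response timing does not leak the token.
    return hmac.compare_digest(header_value.encode(), WEBHOOK_TOKEN.encode())

def select_notifications(body: str, seen_ids: set) -> list:
    """Return one notification per new event whose type is in NOTIFY_TYPES."""
    out = []
    for entry in json.loads(body):
        data = entry.get("data", {})
        log_id = entry.get("log_id")
        if data.get("type") not in NOTIFY_TYPES or log_id in seen_ids:
            continue  # not a notifiable event, or a redelivered duplicate
        seen_ids.add(log_id)
        out.append({
            "to": data.get("user_name"),  # assumed to hold the account email
            "subject": "Your password was changed",
            "text": f"Password changed at {data.get('date')} from {data.get('ip')}. "
                    "If this was not you, contact support.",
        })
    return out

def handle_webhook(auth_header: str, body: str, seen_ids: set) -> tuple:
    """Return (HTTP status, notifications to enqueue for the mail consumer)."""
    if not authorized(auth_header):
        return 401, []
    return 200, select_notifications(body, seen_ids)

# Constructed sample batch: an scp event, an scpr event, and the scp redelivered.
SAMPLE_BODY = json.dumps([
    {"log_id": "log-1", "data": {"type": "scp", "user_name": "alice@example.com",
                                 "date": "2024-01-01T10:00:00Z", "ip": "203.0.113.7"}},
    {"log_id": "log-2", "data": {"type": "scpr", "user_name": "bob@example.com",
                                 "date": "2024-01-01T10:01:00Z", "ip": "203.0.113.8"}},
    {"log_id": "log-1", "data": {"type": "scp", "user_name": "alice@example.com",
                                 "date": "2024-01-01T10:00:00Z", "ip": "203.0.113.7"}},
])
```

In a deployment the `seen_ids` set would live in a shared store so that every consumer instance sees the same delivery history.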
The above solution works and is decently extensible. However, the ideal solution would be for Auth0 to have customisable email templates that can support any event. For now, the event codes that trigger emails are a subset of all the events mentioned here. It would be really helpful to see a template that can support any event and thereby minimise the need to write additional code. Hope to see this feature soon :).