fix(access): Use AAL from the matched authz rule #534
Merged
bheesham merged 4 commits on May 13, 2026
Conversation
Going back to fix something Copilot complained about but I agreed with. Instead of using the _first_ AAL, or overwriting it at all, we use the one defined in the authz rule which grants access. We do not evaluate all rules, and stop simply at the first one that passes. If none pass, then access is not granted.
Jira: Untracked
Pull request overview
This PR updates Auth0 access rule evaluation so MFA/AAL requirements come from the authorization rule that grants access, supporting different MFA requirements for different groups on the same application.
Changes:
- Defaults AAL separately and assigns required AAL only when a user/group authorization rule matches.
- Stops evaluating access rules after the first successful authorization match.
- Updates logging and comments around access decision behavior.
Comments suppressed due to low confidence (1)
tf/actions/accessRules.js:286
- This break has the same deny-all ordering issue as the authorized-user branch: a later duplicate app entry with no users or groups will no longer deny access, despite the comment above saying any such app should bail out early. Please preserve the deny-all override before granting based on the first matching group rule, or adjust the stated access policy.
console.log(`${event.user.user_id} was in authorized_groups`);
required_aal = app.AAL || default_aal;
authorized = true;
break;
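A worked example of the evaluation semantics the PR describes (the first authz rule that grants access supplies the required AAL, and no match means no access), combined with the deny-all ordering point raised in the review comment above. This is added illustration code, not the project's accessRules.js or Copilot's suggestion; the rule shape `{ client_id, AAL, authorized_users, authorized_groups }`, the AAL strings, the default AAL, and all user, group and app identifiers are constructed assumptions inferred from the snippet.

```javascript
// Added example, not the project's accessRules.js. Rule shape, AAL values,
// user ids, group names and app ids below are constructed assumptions.
const DEFAULT_AAL = "LOW"; // assumed default AAL when a rule sets none

// Constructed sample rules: two entries for app-A with different groups and
// AALs (different MFA requirements per group on the same application), and a
// duplicate app-B entry with no users or groups, which the stated policy
// treats as deny-all for that app.
const SAMPLE_RULES = [
  { client_id: "app-A", AAL: "HIGH", authorized_groups: ["team_admins"] },
  { client_id: "app-A", AAL: "MEDIUM", authorized_groups: ["team_everyone"] },
  { client_id: "app-B", AAL: "HIGH", authorized_users: ["user-alice"] },
  { client_id: "app-B" },
];

// An entry for the app that names neither users nor groups denies everyone.
function isDenyAll(rule) {
  const users = rule.authorized_users || [];
  const groups = rule.authorized_groups || [];
  return users.length === 0 && groups.length === 0;
}

// Returns { authorized, requiredAal, reason } for one user against one app.
// - deny-all entries are checked before any grant, so their position among
//   duplicate app entries does not matter (the ordering issue flagged above);
// - evaluation stops at the first rule that grants access, and the required
//   AAL is the one on that rule (falling back to the default), not the first
//   entry's AAL and not one from a later entry;
// - no matching rule means no access.
function evaluateAccess(rules, clientId, user, defaultAal = DEFAULT_AAL) {
  const appRules = rules.filter((r) => r.client_id === clientId);
  if (appRules.length === 0) {
    return { authorized: false, requiredAal: defaultAal, reason: "no rule for app" };
  }
  if (appRules.some(isDenyAll)) {
    return { authorized: false, requiredAal: defaultAal, reason: "deny-all entry" };
  }
  const userGroups = new Set(user.groups || []);
  for (const app of appRules) {
    const byUser = (app.authorized_users || []).includes(user.user_id);
    const byGroup = (app.authorized_groups || []).some((g) => userGroups.has(g));
    if (byUser || byGroup) {
      return {
        authorized: true,
        requiredAal: app.AAL || defaultAal,
        reason: byUser ? "authorized_users" : "authorized_groups",
      };
    }
  }
  return { authorized: false, requiredAal: defaultAal, reason: "no matching rule" };
}

// Constructed users for a stand-alone run.
const ADMIN = { user_id: "user-bob", groups: ["team_admins", "team_everyone"] };
const MEMBER = { user_id: "user-carol", groups: ["team_everyone"] };
const ALICE = { user_id: "user-alice", groups: [] };

for (const [label, clientId, user] of [
  ["admin on app-A", "app-A", ADMIN],
  ["member on app-A", "app-A", MEMBER],
  ["alice on app-A", "app-A", ALICE],
  ["alice on app-B", "app-B", ALICE],
]) {
  console.log(label, evaluateAccess(SAMPLE_RULES, clientId, user));
}
```

Because evaluation is first-match, a user who belongs to several matching entries for one app receives the AAL of whichever entry is listed first, so the order of duplicate app entries in the rule set decides the MFA requirement for overlapping groups; listing the stricter entry first, or keeping group memberships per app disjoint, avoids a weaker requirement silently winning.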