moai-adk 0.35.1__py3-none-any.whl

moai_adk/templates/.claude/skills/moai-security-auth0/modules/continuous-session-protection.md

@@ -0,0 +1,307 @@
+# Continuous Session Protection
+
+Auth0 Continuous Session Protection enables dynamic session and token management using detailed session information for proactive risk detection and response.
+
+## Overview
+
+Continuous Session Protection provides:
+- Real-time session monitoring
+- Dynamic token management
+- Risk-based session control
+- Anomaly detection and response
+
+## Key Capabilities
+
+### Session Information Access
+
+Available Data:
+- IP addresses
+- ASN (Autonomous System Number)
+- Device details
+- User agent information
+- Geographic location
+- Session timestamps
+- Expiration dates
+
+Use Cases:
+- Risk assessment
+- Anomaly detection
+- Session fingerprinting
+- Access pattern analysis
+
+### Proactive Risk Detection
+
+Detectable Anomalies:
+- IP address changes
+- Geographic impossibilities
+- Device changes
+- Unusual access patterns
+- Time-based anomalies
+
+Response Actions:
+- Revoke sessions
+- Revoke refresh tokens
+- Force re-authentication
+- Trigger step-up MFA
+
+### Dynamic Token Management
+
+Flexible Configuration:
+- Customize token lifetimes
+- Adjust based on user attributes
+- Organization-specific policies
+- Role-based expiration
+
+Examples:
+- Shorter lifetime for admin users
+- Longer lifetime for trusted devices
+- Organization-specific policies
+- Connection-based adjustment
+
+### Data Enrichment
+
+External Integration:
+- Feed session data to external systems
+- Risk evaluation services
+- Customer databases
+- Analytics platforms
+
+## Implementation
+
+### Auth0 Actions
+
+Continuous Session Protection uses Auth0 Actions:
+- Post-login triggers
+- Token refresh triggers
+- Custom logic execution
+- Session context access
+
+### Session Context
+
+Available in Actions:
+
+Event Object:
+- event.session - Session details
+- event.request - Request information
+- event.user - User information
+- event.transaction - Transaction context
+
+Session Details:
+- Session ID
+- Creation time
+- Last activity
+- Device information
+- IP history
+
+### Token Refresh Handling
+
+During Token Refresh:
+- Access full session context
+- Evaluate current risk
+- Make continuation decision
+- Modify token properties
+
+Possible Actions:
+- Allow refresh normally
+- Deny refresh (force re-auth)
+- Modify new token claims
+- Trigger additional verification
+
+## Risk Detection Patterns
+
+### IP Address Monitoring
+
+Detection:
+- Track IP changes within session
+- Flag unexpected changes
+- Consider VPN/proxy patterns
+
+Response:
+- Log for analysis
+- Trigger verification
+- Revoke if high risk
+
+### Geographic Analysis
+
+Detection:
+- Calculate distance between logins
+- Detect impossible travel
+- Monitor location patterns
+
+Response:
+- Step-up authentication
+- Session termination
+- User notification
+
+### Device Fingerprinting
+
+Detection:
+- Track device characteristics
+- Identify device changes
+- Compare with known devices
+
+Response:
+- Verify new devices
+- Challenge unknown devices
+- Update device registry
+
+### Behavioral Analysis
+
+Detection:
+- Access pattern changes
+- Time-based anomalies
+- Resource access patterns
+
+Response:
+- Increase monitoring
+- Require verification
+- Adjust permissions
+
+## Dynamic Lifetime Management
+
+### User-Based Adjustment
+
+Examples:
+- Admin users: Shorter lifetimes
+- Regular users: Standard lifetimes
+- Verified users: Extended lifetimes
+
+Implementation:
+- Check user roles/attributes
+- Set appropriate expiration
+- Apply consistently
+
+### Organization-Based
+
+Examples:
+- High-security org: Short lifetimes
+- Standard org: Normal lifetimes
+- Specific requirements: Custom settings
+
+Implementation:
+- Check organization membership
+- Apply organization policies
+- Override as needed
+
+### Risk-Based
+
+Examples:
+- High risk: Very short lifetime
+- Medium risk: Reduced lifetime
+- Low risk: Standard lifetime
+
+Implementation:
+- Evaluate risk signals
+- Calculate risk score
+- Adjust lifetime accordingly
+
+## Session Management
+
+### Active Session Tracking
+
+Monitor:
+- Active sessions per user
+- Session locations
+- Session devices
+- Session age
+
+Actions:
+- List sessions
+- Terminate specific sessions
+- Terminate all sessions
+- Limit concurrent sessions
+
+### Session Termination
+
+Triggers:
+- Risk threshold exceeded
+- Anomaly detected
+- User request
+- Administrative action
+
+Methods:
+- Revoke refresh tokens
+- Clear session
+- Force logout
+
+### Concurrent Session Control
+
+Options:
+- Limit active sessions
+- Replace oldest session
+- Deny new session
+- User choice
+
+## Best Practices
+
+### Risk Configuration
+
+Balance Security and UX:
+- Start with monitoring
+- Analyze patterns
+- Implement gradually
+- Avoid false positives
+
+Threshold Setting:
+- Appropriate for user base
+- Consider legitimate scenarios
+- Regular review
+- Adjust based on data
+
+### Response Actions
+
+Graduated Response:
+1. Log and monitor
+2. Increase verification
+3. Shorten tokens
+4. Terminate session
+
+User Communication:
+- Clear security messages
+- Easy re-authentication
+- Support contact
+
+### Monitoring
+
+Track Metrics:
+- Session anomalies
+- Action frequency
+- User impact
+- False positive rate
+
+Review Regularly:
+- Analyze patterns
+- Adjust thresholds
+- Refine detection
+- Update policies
+
+## Integration
+
+### External Risk Services
+
+Send session data to:
+- Risk assessment APIs
+- Fraud detection services
+- User behavior analytics
+- Security information platforms
+
+Receive:
+- Risk scores
+- Recommendations
+- Additional context
+
+### SIEM Integration
+
+Export events for:
+- Centralized monitoring
+- Correlation analysis
+- Compliance reporting
+- Incident response
+
+### User Notification
+
+Alert users about:
+- Session changes
+- Security events
+- Required actions
+- Account status

moai_adk/templates/.claude/skills/moai-security-auth0/modules/customize-mfa.md

@@ -0,0 +1,178 @@
+# Customize MFA
+
+Module: moai-security-auth0/modules/customize-mfa.md
+Version: 1.0.0
+Last Updated: 2025-12-24
+
+---
+
+## Overview
+
+Auth0 provides several methods to customize Multi-Factor Authentication experiences for users through Universal Login branding options, programmatic controls, and the Actions framework.
+
+---
+
+## Universal Login Branding
+
+### Dashboard Configuration
+
+Navigate to Dashboard then Branding then Universal Login to access MFA page customization options.
+
+Customizable Elements:
+
+- Logo and company branding
+- Color schemes and themes
+- Font selections
+- Button styles
+- Page layouts
+
+### HTML Customization
+
+For complete control, customize the full HTML content of MFA pages.
+
+MFA Widget Theme Options: Auth0 provides theming capabilities including language dictionaries and visual customization options.
+
+When to Use: Organizations requiring branded MFA experiences that match their application design.
+
+---
+
+## API-Based Configuration
+
+### Enable MFA Grant Type
+
+To use the MFA API, enable the MFA grant type:
+
+Step 1: Navigate to Dashboard then Applications.
+
+Step 2: Select your application.
+
+Step 3: Open Advanced Settings.
+
+Step 4: Enable MFA under Grant Types.
+
+Step 5: Save changes.
+
+### Supported Scenarios
+
+Authenticating Users: Use Resource Owner Password Grant flow with MFA challenges.
+
+Factor Management: Allow users to manage their own authentication factors.
+
+Custom Enrollment: Create enrollment tickets to invite users to set up MFA.
+
+---
+
+## Programmatic MFA Control with Actions
+
+### Actions Framework
+
+Use Auth0 Actions to customize MFA policy based on various conditions.
+
+### Conditional MFA Triggers
+
+Application-Specific MFA: Require MFA for specific applications only.
+
+User Group Targeting: Apply MFA based on user metadata or group membership.
+
+IP-Based Requirements: Enforce MFA for authentication attempts from specific IP ranges or unknown locations.
+
+Risk-Based MFA: Trigger MFA based on risk signals and context.
+
+### Remember Browser Configuration
+
+The allowRememberBrowser property controls MFA prompt frequency:
+
+Enabled: Users can choose to trust their browser and skip MFA for subsequent logins.
+
+Disabled: Users must complete MFA on every authentication.
+
+Configuration: Set through Actions or tenant settings.
+
+---
+
+## Provider Configuration
+
+### Supported Factors
+
+The system supports multiple factors through the "any" provider setting:
+
+- Push notifications (Guardian app)
+- SMS verification
+- Voice call verification
+- One-time passwords (TOTP)
+- Email verification
+- WebAuthn security keys
+
+### Factor Selection
+
+New Universal Login: Full support for all factor types.
+
+Classic Login: Some limitations on factor combinations.
+
+---
+
+## MFA API Limitations
+
+Supported Factors: The MFA API works with SMS, push notifications (Guardian), email, and OTP factors.
+
+Not Supported: The MFA API does not support enrolling with Duo Security. Duo enrollment must be done through the Universal Login flow.
+
+---
+
+## Customization Best Practices
+
+### Branding Consistency
+
+Ensure MFA pages match your application's overall design.
+
+Use consistent logos, colors, and fonts across all authentication screens.
+
+Provide clear instructions in the user's language.
+
+### User Experience
+
+Minimize friction while maintaining security.
+
+Provide clear error messages and recovery options.
+
+Offer multiple factor options when possible.
+
+Consider accessibility requirements.
+
+### Security Considerations
+
+Balance convenience features (like remember browser) with security requirements.
+
+Implement appropriate session timeouts.
+
+Log MFA events for security monitoring.
+
+---
+
+## Language Customization
+
+### Language Dictionaries
+
+Auth0 supports multiple languages for MFA prompts and messages.
+
+Configuration: Set language preferences in Universal Login settings or dynamically based on user preferences.
+
+Custom Text: Override default text with organization-specific wording.
+
+---
+
+## Related Modules
+
+- mfa-overview.md: MFA configuration basics
+- mfa-factors.md: Factor types and setup
+- guardian-configuration.md: Guardian app customization
+- adaptive-mfa.md: Risk-based MFA policies
+
+---
+
+## Resources
+
+Auth0 Documentation: Customize MFA
+Auth0 Documentation: Universal Login Branding
+Auth0 Documentation: Actions
+Context7 Library: /auth0/auth0-docs (topic: customize-mfa)