Auth0 Support¶
This guide will cover how to configure Auth0 for use with flask-ligand. Given the configurability of Auth0, this guide will only cover a narrow example that is for demonstration purposes only. The sections below will guide you through the steps needed to fully configure Auth0 by linking to the pertinent Auth0 documentation.

Important

It is highly encouraged that the Auth0 documentation be consulted in depth before using flask-ligand + Auth0 in a production environment.
User(s) and Role(s)¶
flask-ligand’s RBAC support requires roles to be associated with clients (a.k.a. APIs). Auth0 has a built-in RBAC system, but this guide only uses certain aspects of it. Another limitation that needs to be noted is that Auth0 only associates roles with users, not with machine-to-machine clients, so a machine-to-machine flow that needs roles in its token has to authenticate as a specific user (see Get a Token below).

1. Create the roles ‘admin’ and ‘user’. (These are the defaults for flask-ligand, but you can define your own.)
2. Create a user ‘test@test.com’ with a Username-Password-Authentication connection.
3. Assign the ‘admin’ role to the ‘test@test.com’ user.
Application and APIs¶
Auth0 applications are the core of adding authentication to your web app, mobile device or microservice. An API allows a flask-ligand microservice to authenticate with an Auth0 application. In Auth0 this is called the “machine-to-machine flow”.

1. Create the “flask-ligand” application.
2. Configure “flask-ligand” to be a Machine to Machine application type.
3. Configure “flask-ligand” with only the following grant types (leave every other grant disabled):
   - client_credentials
   - password (required for RBAC support, because Auth0 only carries roles in tokens issued for a user; see Get a Token below)
4. Create the “flask-ligand-mtm” API.
   a. Note: enabling RBAC on the API will have no effect. The API’s RBAC toggle adds Auth0 permissions to the access token, not role names, and flask-ligand reads roles from the realm_access claim that the rule in the next section adds.
5. Associate the “flask-ligand-mtm” API with the “flask-ligand” application (authorize the application for the API).
Auth Pipeline Rule¶
Using Auth0 rules, the roles associated with a particular user can be added to the ID and access tokens. (It is not strictly necessary to add roles to the ID token, so you can choose not to add them if that doesn’t fit your needs; the access token is the one flask-ligand receives on API calls.)

Note that Auth0 has deprecated Rules in favour of Actions; the same claims can be set from a post-login Action with api.accessToken.setCustomClaim. Check the Auth0 documentation for the currently supported mechanism before building on this rule.

1. Create a rule named “Add User Roles to ID and Access Tokens”.
2. Copy the following script into the rule:

```javascript
function (user, context, callback) {
  // Roles assigned to the user through Auth0's core RBAC (Users -> Roles).
  // context.authorization may be absent when the user has no roles.
  const assignedRoles = (context.authorization || {}).roles;

  let idTokenClaims = context.idToken || {};
  let accessTokenClaims = context.accessToken || {};

  // flask-ligand expects the roles under realm_access.roles.
  idTokenClaims.realm_access = { roles: assignedRoles };
  accessTokenClaims.realm_access = { roles: assignedRoles };

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  callback(null, user, context);
}
```

3. Save changes to the rule.
Get a Token¶
As mentioned before, Auth0 only supports associating roles with users, which means that getting an access token with embedded roles requires the Resource Owner Password Flow (grant_type=password). Two caveats apply to that flow:

- It sends the user’s password through the client, which is why the OAuth 2.0 Security Best Current Practice discourages it. Use it only for the dedicated test or service user, and prefer client_credentials wherever roles are not needed.
- Auth0 only accepts the password grant when the tenant’s Default Directory (Tenant Settings, API Authorization Settings) is set to the database connection the user belongs to, here Username-Password-Authentication; otherwise the token endpoint rejects the request with an error about a missing default connection.

Use the following curl command to generate a token. The audience value must be the Identifier you gave the API when creating it (this example assumes it was set to flask-ligand-mtm):

```bash
curl --request POST \
  --url 'https://YOUR_DOMAIN/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=password \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data username=test@test.com \
  --data password=PASSWORD \
  --data audience=flask-ligand-mtm \
  --data 'scope=email openid profile'
```

Verify that the access token (the access_token field of the JSON response, not the id_token) contains the roles for the given user under realm_access.roles, for example by pasting it into https://jwt.io/. Only do that with tokens from a development tenant: an access token is a bearer credential, so don’t paste production tokens into third-party sites.
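The script below is an added example (not part of flask-ligand or the Auth0 documentation) for doing that check offline instead of pasting the token into a website. It decodes the JWT payload, extracts realm_access.roles, and reports the issuer, audience and expiry checks a resource server performs before trusting the roles. It does not verify the signature, so it is a development aid only; SAMPLE_PAYLOAD, the dummy signature and the https://YOUR_DOMAIN/ issuer are constructed placeholders, and the script name inspect_token.py in the usage note is hypothetical.

```python
"""Offline inspection of an Auth0 access token (added example, not flask-ligand code).

Decodes the JWT payload WITHOUT verifying the signature, so it is only a
development aid for confirming that the rule put realm_access.roles into the
token. The running service must still verify the RS256 signature against the
tenant's JWKS (flask-ligand does that via OIDC_DISCOVERY_URL).
"""
import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """Return the (unverified) payload of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def roles_from_payload(payload: dict) -> list:
    """Roles as placed by the rule under realm_access.roles (Keycloak-style layout)."""
    return list((payload.get("realm_access") or {}).get("roles") or [])


def has_role(payload: dict, required: str) -> bool:
    return required in roles_from_payload(payload)


def check_claims(payload: dict, issuer: str, audience: str,
                 now: Optional[float] = None) -> list:
    """Return the problems a resource server would reject this token for.

    Auth0 issues aud either as a string or as a list (the openid scope adds the
    /userinfo audience next to the API identifier), so both shapes are handled.
    """
    problems = []
    now = time.time() if now is None else now
    if payload.get("iss") != issuer:
        problems.append(f"iss mismatch: {payload.get('iss')!r}")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience {audience!r} not in aud={aud!r}")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    if not roles_from_payload(payload):
        problems.append("realm_access.roles missing or empty: "
                        "check that the rule ran and the user has roles")
    return problems


def make_unsigned_sample(payload: dict) -> str:
    """Constructed token for offline testing: header.payload.<dummy signature>.

    A real Auth0 token is RS256-signed; this one fails any signature check.
    """
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    return f"{enc(header)}.{enc(payload)}.bm90LWEtcmVhbC1zaWduYXR1cmU"


# Constructed sample resembling what the curl command returns for test@test.com
# with the 'admin' role; YOUR_DOMAIN is a placeholder for the tenant domain.
SAMPLE_ISSUER = "https://YOUR_DOMAIN/"        # Auth0 issuers carry a trailing slash
SAMPLE_AUDIENCE = "flask-ligand-mtm"          # the API Identifier requested as audience
SAMPLE_PAYLOAD = {
    "iss": SAMPLE_ISSUER,
    "sub": "auth0|000000000000000000000000",
    "aud": [SAMPLE_AUDIENCE, "https://YOUR_DOMAIN/userinfo"],
    "iat": 1_700_000_000,
    "exp": 1_700_086_400,
    "scope": "openid profile email",
    "realm_access": {"roles": ["admin"]},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # a real token from the curl response
        payload, now = decode_payload(sys.argv[1]), None
    else:                                      # fall back to the constructed sample
        payload = decode_payload(make_unsigned_sample(SAMPLE_PAYLOAD))
        now = SAMPLE_PAYLOAD["iat"] + 60
    print("roles:", roles_from_payload(payload))
    for problem in check_claims(payload, SAMPLE_ISSUER, SAMPLE_AUDIENCE, now):
        print("problem:", problem)
```

To run it against a real token, set SAMPLE_ISSUER to your tenant URL (https://YOUR_DOMAIN/ with the trailing slash Auth0 uses) and SAMPLE_AUDIENCE to your API Identifier, then call `python inspect_token.py "$(curl ... | jq -r .access_token)"`. An empty problem list plus the expected roles confirms the rule and the role assignment are working; "realm_access.roles missing" usually means the rule did not run or the user has no roles assigned.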
Configure flask-ligand¶
The OIDC_DISCOVERY_URL environment variable needs to be set to the OpenID Configuration URL of the Auth0 tenant that the “flask-ligand” application belongs to. Auth0 publishes it at https://YOUR_DOMAIN/.well-known/openid-configuration, where YOUR_DOMAIN is the tenant or custom domain used in the token request above; a relying party uses this document to discover the issuer, the endpoints and the JWKS used to verify token signatures.

If you would like to quickly test your Auth0 configuration with flask-ligand then it is recommended to follow the quickstart guide to set up the example project. The example project can be quickly configured to use your Auth0 setup by altering the .env file with the appropriate Auth0 settings.

Here is an Auth0 .env file configuration that could work with the example project (replace the dev-wbgr6rna.us.auth0.com domain with your own tenant’s):

```
OIDC_DISCOVERY_URL=https://dev-wbgr6rna.us.auth0.com/.well-known/openid-configuration
SQLALCHEMY_DATABASE_URI=postgresql+pg8000://admin:password@localhost:5432/app
OPENAPI_GEN_SERVER_URL=http://localhost:8888
```