Add possibility to use plain HTTP for development purposes

hartimcwildfly commented 1 year ago

Checklist

[X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
[X] I have looked into the API documentation and have not found a suitable solution or answer.
[X] I have searched the issues and have not found a suitable solution or answer.
[X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
[X] I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

We are currently migrating to Auth0. For local development I set up a mock authorization-server. I cannot use a another Auth0 instance for local development because in the migration phase we use a custom database in Auth0. And when local developing Auth0 cannot access the database on the dev machine. So this is why we need a mock authorization-server.

The problem is the auth0 library cannot connect to the authorization server because the protocol is hardcoded to HTTPS and in local development we only use HTTP. The custom port after the domain works. So we can see that the auth0 client tries to connect to our mock authorization-server but fails because of protocol mismatch.

In the library for the resource server express-oauth2-jwt-bearer one can set the whole URL.

Describe the ideal solution

Introduce a new property 'protocol'

const { AuthenticationClient } = require('auth0');
const auth0Client = new AuthenticationClient(
  {
    protocol: 'http'
    domain: 'authorization-server:8080',
    clientId: 'my-client',
    clientSecret: 'my-super-strong-secret',
    audience: 'https://my-api.test.com',
  });

or rename the existing property 'domain' to 'issuerBaseURL' like in the library 'express-oauth2-jwt-bearer'

const { AuthenticationClient } = require('auth0');
const auth0Client = new AuthenticationClient(
  {
    issuerBaseURL: 'http://authorization-server:8080',
    clientId: 'my-client',
    clientSecret: 'my-super-strong-secret',
    audience: 'https://my-api.test.com',
  });

Alternatives and current workarounds

set up TLS/SSL in the development environment
use a HTTPS to HTTP proxy

but introducing TLS in development environments results in higher complexity when debugging.

Additional context

No response

hartimcwildfly commented 1 year ago

It's hardcoded here

adamjmcgrath commented 1 year ago

Hi @hartimcwildfly - thanks for raising this

This SDK is only designed to connect to auth0.com - the risk of allowing users to specify the protocol is that they may leave it on in production and start sending secrets over http to auth0.

Since your problem sounds like a temporary one during your migration phase, can you use a temporary solution like forking the repo or using https://github.com/ds300/patch-package?

hartimcwildfly commented 1 year ago

Thanks for the hint. As the patch only needs to apply for the dev machine and it is more or less a standard solution, I am fine with this. Thanks!

auth0 / node-auth0