Feature: Integrate with Auth0

gentics / mesh

Gentics Mesh - The open source headless CMS for developers

https://getmesh.io

Apache License 2.0

572 stars 114 forks source link

Feature: Integrate with Auth0 #854

Open nico-schunke opened 5 years ago

nico-schunke commented 5 years ago

It would be great to get a kind of support for Auth0, as you already do with the Keycloak integration.

The way Auth0 is authoring access_tokens is a bit more generic than in Keycloak, but with some conventions, I think, it should be doable almost in the same way.

Thanks a lot guys in advance and thanks for your great work!

Jotschi commented 5 years ago

It seems this requires Gentics Mesh to remove the public key loading mechanism or to adapt it.

Adding some notes here so that changing the implementation will be easier.

Key handling

Auth0 used JWK to sign the JWT. The JWK could be loaded via https://tenant.auth0.com/.well-known/jwks.json.

Another option is to convert the PEM certificate to x509:

Download your Auth0 account's Certificate https://tenant.auth0.com/pem --download
Transform the Certificate into a public key. $ openssl x509 -pubkey -noout -in tenant.pem > pubkey.pem

Mapping / Rules

The prefered_username field must be set via a custom rule. Example:

function (user, context, callback) {
  context.idToken.prefered_username = user.nickname;
  callback(null, user, context);
}

It may be required to uncheck OIDC Conformant - We need to check this.

Jotschi commented 5 years ago

@nico-schunke The current plan is to refactor the auth handling slightly and to provide ways to configure multiple JWK / public keys. This way Auth0 would also be supported.

nico-schunke commented 5 years ago

@Jotschi This sounds great and is probably a good idea to be more solid against further feature requests like this.

nico-schunke commented 5 years ago

@Jotschi any ideas when this becomes priority?

Jotschi commented 5 years ago

@nico-schunke The needed changes have already been made to mesh (with release 0.41.0). For auth0 you need to download and add the JWK: https://getmesh.io/docs/authentication/#_auth0

In addition to that it is required to use a mapping plugin which understands how Auth0 encodes the tokens. I have already added a test which covers this functionality. It might however be a good idea to write a plugin which contains this code. It would be very similar to the keycloak plugin which is part of our examples. I think we'll write dedicated ready to use auth0 and keycloak plugin at some point.

Jotschi commented 5 years ago

The plugin would be very similar to this example:

https://github.com/gentics/mesh-plugin-examples/tree/master/authentication-plugin

We however plan to make the mapping code a bit smarter and customizable. It is however not yet decided whether that plugin would be free/OSS.

nico-schunke commented 5 years ago

@Jotschi That's are great news! I missed those release notes... We are going to test this within the next couple of days. Thank you very much for your support! 👍