maxamante / auth0-nginx

An Auth0 integration written in Lua for the nginx web server.
Apache License 2.0

auth0-nginx and Shibboleth #13

Open sahuguet opened 7 years ago

sahuguet commented 7 years ago

I am trying to set-up auth0-nginx for an "SAMLP Identity Provider connection" with auth0. I want to host a bunch of services behind nginx, where users are authenticated using the university Shibboleth system. I have configured auth0 to support the university Shibboleth system. I am having trouble making it work through auth0-nginx.

  1. is it supported by auth0-nginx?
  2. what end-point would this work with?

regards,

Arnaud

maxamante commented 7 years ago

Hello Arnaud,

  1. auth0-nginx does not currently support SAML. auth0-nginx is not an official Auth0 plugin, so it doesn't support all the protocols Auth0 implements. If you push a PR, I'd be happy to review and merge!
  2. No endpoint will work directly, but possibly with hacks; though hacks in security are best to avoid.

SAML was avoided because it can be complex to configure. That's why auth0-nginx focuses on OAuth flows. That being said I'd be happy to work with you and figure out if auth0-nginx can fit into what you're trying to achieve.

If you could post the Auth0 setup guides you followed and anything else to give me context, that'd be great!

Hear from you soon. Cheers!

sahuguet commented 7 years ago

My intuition is that we can use Auth0 to isolate us from the SAML non-sense.

User   -->   nginx   -->   Auth0   -->   Shibbeloth/SAML
          <----------------------------
          ----------------------------->
                 user authenticates
                                   <---
                 Auth0 does its magic
                    <---  
        <--  
                user now has a bearer token

I need to figure out which URL nginx should redirect to. I also need to make sure I understand the structure of the JWT token that Auth0 returns.

to be continued …

sahuguet commented 7 years ago

I found a library that should be able to do the handshake with Auth0. See https://github.com/robbishop/resty-auth0 . I am having a problem with module 'socket' not found. But once this is solved, the idea is to package the data from Auth0 into a JWT token that can be used by the client for future interactions.

regards,

Arnaud

maxamante commented 7 years ago

That's what I was hoping. I'll start looking into ways to implement this.


sahuguet commented 7 years ago

Check the pull request on that repo. Someone made lots of good comments. And this someone seems very knowledgeable on resty issues.


maxamante commented 7 years ago

OK. This isn't my main work, but I will take some time this week to see how to make this work for you.

When you say that you have a problem with module 'socket' not found, is that with my code?

sahuguet commented 7 years ago

No, it is with their code. I will try to use your way of doing http connection and rewrite their code accordingly.

regards,

Arnaud


-- Arnaud Sahuguet Do a little. Change a lot. http://www.google.com/onetoday

sahuguet commented 7 years ago

The token I get from Auth0 is { "typ": "JWT", "alg": "RS256", "kid": "RDZDMjc4RkNEQUNCRDY2ODRDNEQzNzQxMkJENUYzMDIyQTdGNTU2OQ" }

Is there a method in resty.jwt that can validate against a public key instead of a shared secret?

I have tried to force Auth0 to HS256 but it keeps sending me some RS256 tokens.


maxamante commented 7 years ago

resty.jwt: I think verify can be used to validate with a public key. There's a "JWT Auth With KID and Store Your Key in Redis" example on that same page that shows a possible flow for verifying using RS256.

hs256: I was able to create an HS256-based API by selecting HS256 as the Signing Algorithm while creating the API within Auth0.

Maybe you've found them already, but here are some guides I followed while I implemented auth0-nginx: https://auth0.com/docs/api-auth/tutorials/verify-access-token https://auth0.com/docs/apis#signing-algorithms
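As an added example (my own illustration, not code from auth0-nginx, resty-auth0 or anyone in this thread), here is an OpenResty access_by_lua handler that does the two things discussed above: it sends an unauthenticated browser to Auth0's /authorize endpoint, so Auth0 brokers the Shibboleth/SAML login and nginx never touches SAML, and it verifies an RS256 access token by looking up the signing key named in the token's "kid" header, using lua-resty-jwt's load_jwt / verify_jwt_obj as in the "JWT Auth With KID" example linked above. The tenant domain, client id, audience, callback URL and the PEM table are placeholders, not values from this issue; the /callback handler that exchanges the authorization code for tokens is not shown.

```lua
-- Added example: OpenResty access phase for an Auth0-brokered login plus
-- RS256 verification keyed by "kid". Not the auth0-nginx project's code.
local jwt        = require "resty.jwt"
local validators = require "resty.jwt-validators"
local random     = require "resty.random"   -- bundled with OpenResty (lua-resty-string)

-- Placeholders: replace with your tenant's real values.
local AUTH0_DOMAIN = "YOUR-TENANT.auth0.com"
local CLIENT_ID    = "YOUR-CLIENT-ID"
local AUDIENCE     = "https://api.example.edu/"           -- API identifier in Auth0
local CALLBACK_URL = "https://app.example.edu/callback"

-- Public keys indexed by kid. In production these are fetched from
-- https://<tenant>/.well-known/jwks.json, converted to PEM and cached in a
-- shared dict; the entry below is a constructed placeholder.
local PUBLIC_KEYS_BY_KID = {
  ["EXAMPLE-KID"] = "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
}

-- Step 1 of the flow in the diagram above: nginx -> Auth0 -> Shibboleth.
local function redirect_to_auth0()
  -- Random state, stored in a cookie so the callback can reject forged redirects.
  local state = ngx.encode_base64(random.bytes(16, true))
  ngx.header["Set-Cookie"] = "oauth_state=" .. state .. "; Path=/; Secure; HttpOnly"
  local args = ngx.encode_args({
    response_type = "code",
    client_id     = CLIENT_ID,
    redirect_uri  = CALLBACK_URL,
    audience      = AUDIENCE,
    scope         = "openid profile",
    state         = state,
  })
  return ngx.redirect("https://" .. AUTH0_DOMAIN .. "/authorize?" .. args)
end

-- Auth0 returns "aud" as a string, or as an array when the openid scope is
-- requested (API identifier plus /userinfo), so check both shapes by hand.
local function has_audience(aud, expected)
  if type(aud) == "string" then return aud == expected end
  if type(aud) == "table" then
    for _, a in ipairs(aud) do
      if a == expected then return true end
    end
  end
  return false
end

-- Step 2: verify the bearer token against the public key selected by kid.
local function verify_bearer(token)
  local jwt_obj = jwt:load_jwt(token)          -- decodes header/payload only
  if not jwt_obj.valid then
    return nil, "malformed token: " .. tostring(jwt_obj.reason)
  end
  -- Pin the algorithm; never let the token pick how it is verified.
  if jwt_obj.header.alg ~= "RS256" then
    return nil, "unexpected alg " .. tostring(jwt_obj.header.alg)
  end
  local pem = PUBLIC_KEYS_BY_KID[jwt_obj.header.kid]
  if not pem then
    return nil, "unknown kid " .. tostring(jwt_obj.header.kid)
  end
  local claim_spec = {
    iss = validators.equals("https://" .. AUTH0_DOMAIN .. "/"),
    exp = validators.is_not_expired(),
  }
  local verified = jwt:verify_jwt_obj(pem, jwt_obj, claim_spec)
  if not verified.verified then
    return nil, "rejected: " .. tostring(verified.reason)
  end
  if not has_audience(verified.payload.aud, AUDIENCE) then
    return nil, "audience mismatch"
  end
  return verified.payload
end

-- Access phase: no token -> start the login; bad token -> 401; good -> pass
-- the verified subject upstream (overwriting anything the client sent).
local auth  = ngx.var.http_authorization or ""
local token = auth:match("^[Bb]earer%s+(%S+)$")
if not token then
  return redirect_to_auth0()
end
local payload, err = verify_bearer(token)
if not payload then
  ngx.log(ngx.WARN, "auth0 example: ", err)
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
ngx.req.set_header("X-Auth-Subject", payload.sub)
```

Wire it in with `access_by_lua_file /path/to/this.lua;` inside the protected `location`. This is also why RS256 is the easier choice for a gateway like this: nginx only ever holds Auth0's public keys, whereas HS256 would require sharing the API's signing secret with every nginx instance.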

sahuguet commented 7 years ago

I managed to check the RS256 signature. Now trying to fetch saml user data. Also not totally sure if I should repackage the bearer token and put it on Authorization header or create my own to pass to downstream apps.
