Open rishabhpoddar opened 3 years ago
Basic setup for Frontend
Basic Setup for backend
Auth0's documentation is really good. Whenever you start an app and choose your tech stack, you get a curated quick setup guide taking you through the setup process. Each section in the dashboard gives information on how that section works. One place that can be hard to navigate is the management API docs.
Auth0 allows you to easily add custom OAuth service providers through their dashboard. The setup form asks you to enter the authorization URL, token URL, scope, client ID, client secret and a "fetch user profile" script (which queries the provider's OAuth2 API with the access token and returns the profile Auth0 should store).
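Added example of what that "fetch user profile" script looks like (this is not the page's or Auth0's own template). In the Auth0 sandbox the function is `fetchUserProfile(accessToken, context, callback)` and the `request` module is available; here the HTTP call is injected as a fourth `httpGet` parameter, and a fake provider is constructed inline, so the script runs offline. The provider URL, its response fields and the fake provider are assumptions.

```javascript
// Added example: shape of a custom OAuth2 connection "fetch user profile" script.
// In Auth0 you would drop the `httpGet` parameter and call request.get(...) directly.

// Hypothetical provider endpoint; URL and response field names are assumptions.
const PROFILE_URL = 'https://api.example-provider.test/v1/me';

function fetchUserProfile(accessToken, context, callback, httpGet) {
  httpGet(
    { url: PROFILE_URL, headers: { Authorization: 'Bearer ' + accessToken } },
    (err, resp, body) => {
      if (err) return callback(err);
      if (resp.statusCode !== 200) {
        return callback(new Error('profile request failed: HTTP ' + resp.statusCode));
      }
      let data;
      try {
        data = JSON.parse(body);
      } catch (e) {
        return callback(new Error('profile is not valid JSON'));
      }
      // user_id must be the provider's stable identifier, never the email: emails can
      // change or be reassigned, and a mutable id would let one account take over another.
      if (data.id === undefined || data.id === null) {
        return callback(new Error('profile has no stable id'));
      }
      const profile = {
        user_id: String(data.id),
        email: data.email,
        // Only claim a verified email when the provider asserts it; an unverified email
        // must not be treated as proof of ownership when Auth0 later links identities.
        email_verified: data.email_verified === true,
        name: data.name,
        picture: data.avatar_url,
      };
      callback(null, profile);
    }
  );
}

// Constructed stand-in for request.get: a fake provider that checks the bearer token.
function fakeProviderGet(opts, cb) {
  if (opts.headers.Authorization !== 'Bearer good-token') {
    return cb(null, { statusCode: 401 }, '{"error":"invalid_token"}');
  }
  cb(null, { statusCode: 200 }, JSON.stringify({
    id: 4242,
    email: 'jane@example.com',
    email_verified: true,
    name: 'Jane',
    avatar_url: 'https://example.com/jane.png',
  }));
}

// Runs the script against the fake provider (which calls back synchronously) and
// returns { err, profile } so the result can be inspected.
function runFetch(accessToken) {
  let result = {};
  fetchUserProfile(accessToken, {}, (err, profile) => { result = { err, profile }; }, fakeProviderGet);
  return result;
}
```

The two checks worth keeping when adapting this to a real provider are the non-200 handling (a revoked token must fail the login rather than create an empty profile) and the `email_verified` mapping, since Auth0 uses that flag when deciding whether identities with the same email may be linked.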
Auth0
Allows you to use your own custom database with users on the enterprise plan
When using a custom database you have to configure action scripts that define how authentication works against your database.
The scripts can be written from scratch, or you can use the templates provided by Auth0 and modify them.
By default the only required script is the login script.
The action scripts are:
Steps taken for custom database setup(MongoDB)
Auth0's dashboard allows you to customize certain aspects of the login screen:
The Auth0 actions can involve calling your own API endpoint if you want to add user details to your db as well. However, during development, if your endpoints are on localhost this causes an issue, since Auth0 cannot call localhost, so you might have to do some tunneling.
```json
[
  {
    "user_id": "auth0|507f1f77bcf86cd799439020",
    "email": "john.doe@gmail.com",
    "email_verified": false,
    "username": "johndoe",
    "phone_number": "+199999999999999",
    "phone_verified": false,
    "created_at": "",
    "updated_at": "",
    "identities": [
      {
        "connection": "Initial-Connection",
        "user_id": "507f1f77bcf86cd799439020",
        "provider": "auth0",
        "isSocial": false
      }
    ],
    "app_metadata": {},
    "user_metadata": {},
    "picture": "",
    "name": "",
    "nickname": "",
    "multifactor": [""],
    "last_ip": "",
    "last_login": "",
    "logins_count": 0,
    "blocked": false,
    "given_name": "",
    "family_name": ""
  }
]
```
Auth0 allows you to add custom sign-up fields; the `additionalSignUpFields` attribute of the Lock configuration is used to add them.
The `type` param selects the kind of field; when it is set to `select`, you can provide users with a number of options, e.g.:

```js
additionalSignUpFields: [{
  type: "select",
  name: "location",
  placeholder: "choose your location",
  options: [
    { value: "us", label: "United States" },
    { value: "fr", label: "France" },
    { value: "ar", label: "Argentina" }
  ],
  // The following properties are optional
  icon: "https://example.com/assests/location_icon.png",
  prefill: "us"
}]
```

An `icon` and a `prefill` param can also be set.
Auth0 allows for complete customization of all emails (welcome, password reset, email verification, change password, etc.). The sender's domain, subject and message contents can be completely changed from the dashboard, including the message HTML.
In Auth0's dashboard you can choose to customize the HTML code of the login widget. This allows you to change the config of the Lock widget to add additional fields, change styling etc. Adding custom elements in their editor does not seem to be something they encourage, though.
Auth0 has a password strength meter built into its Lock UI. The password policy has a set of rules with a slider to customize how many rules to enforce; this can be modified from the database connection's password policy tab. The rules are:
Roles in Auth0 are just a method to group together permissions.
In Auth0 a permission is the ability to perform an action on a resource, e.g. read:data can be defined as a permission.
After creating a permission, it can then be assigned to a role.
Roles can then be assigned to a user.
The permissions a user holds through their roles can be found in the access token JWT after authentication under the `permissions` claim (this requires RBAC and "Add Permissions in the Access Token" to be enabled on the API in the dashboard). The roles themselves are not placed in the token unless a Rule/Action adds them as a custom claim.
On the backend the `express-jwt-authz` package can be used to create a middleware that checks whether the user has the required permission.
Roles can be created from the dashboard.
Roles have a name, description, permissions and users associated with them
Roles can be created using the Auth0 management API and can be assigned to a user.
Multiple roles can be assigned to a single user
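Added example of the backend check, written by hand rather than taken from the page or from `express-jwt-authz` itself, so the logic is visible and it runs without a server. It assumes `express-jwt` has already verified the access token and put its payload on `req.auth` (older versions used `req.user`), and that the API has "Add Permissions in the Access Token" enabled so the payload carries a `permissions` array; the `req`/`res` stand-ins and the sample payloads are constructed for the example.

```javascript
// Added example: Express-style middleware enforcing the `permissions` claim.

// required: array of permission strings, e.g. ['read:data'].
// checkAll: true requires every listed permission (the express-jwt-authz
// "checkAllScopes" idea); false accepts any one of them.
function requirePermissions(required, { checkAll = true } = {}) {
  return function (req, res, next) {
    const granted = req.auth && Array.isArray(req.auth.permissions)
      ? req.auth.permissions
      : []; // a token without the claim grants nothing, it does not throw
    const ok = checkAll
      ? required.every((p) => granted.includes(p))
      : required.some((p) => granted.includes(p));
    if (!ok) {
      // 403, not 401: the caller is authenticated but not authorised for this action.
      res.status(403).json({ error: 'insufficient_permissions', required });
      return;
    }
    next();
  };
}

// Usage in a real app (checkJwt being the express-jwt middleware):
//   app.get('/data', checkJwt, requirePermissions(['read:data']), handler);

// Minimal stand-ins for Express's req/res so the middleware can be exercised offline.
function runMiddleware(mw, payload) {
  const req = { auth: payload };
  const res = {
    statusCode: 200,
    body: null,
    status(code) { this.statusCode = code; return this; },
    json(body) { this.body = body; return this; },
  };
  let reachedHandler = false;
  mw(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler, body: res.body };
}
```

The important edge case is a token with no `permissions` claim at all, which happens when the option is not enabled on the API or when the token was issued for a different audience: it must be treated as "no permissions", not as a crash or a pass.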
Auth0 provides a HOC `withAuthenticationRequired` (from `@auth0/auth0-react`) which can be used for protecting routes, e.g. create a component that wraps `Route` with it:

```jsx
import { Route } from "react-router-dom";
import { withAuthenticationRequired } from "@auth0/auth0-react";

const ProtectedRoute = ({ component, ...args }) => (
  <Route component={withAuthenticationRequired(component)} {...args} />
);
```

Then in your router, set the path and the component to be protected using the new component.
Auth0 provides SDKs for both Android and iOS and has good quick start guides for setup.
Auth0 provides some extensibility points for customizing the APIs, but they do not cover every scenario (there are no pre and post hooks for every API). You can call the APIs from your own backend to get complete control before and after each call, but then you would have to build the frontend yourself, as the Lock widget does not allow you to change the endpoints for its actions.
Auth0 has 3 methods of customizing auth flows (Auth0 has since deprecated Rules and Hooks in favour of Actions, which should be used for new work):
Rules
Auth0 hooks
Auth0 actions
Rules
Rules are JS functions that are executed during user authentication.
They run after the main authentication flow has completed, i.e. just before the response is sent to the user.
The ID token and/or access token is passed through the Rules pipeline and then sent to the app.
Rules can be created from the dashboard, or they can be added through the management api.
Uses
Auth0 hooks
Actions
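Added example of an Action, the current replacement for a Rule, that adds the user's roles to the tokens as a custom claim, which is the usual reason to customize the flow (only permissions appear in the access token by default, roles do not). This is not the page's or Auth0's code. `onExecutePostLogin(event, api)`, `event.authorization.roles` and `api.idToken.setCustomClaim` / `api.accessToken.setCustomClaim` are the Actions API; the claim namespace and the stub `api` object used to run it offline are assumptions.

```javascript
// Added example: post-login Action putting roles into the ID and access tokens.

// Custom claims are namespaced so they cannot collide with standard JWT claims.
const NAMESPACE = 'https://example.com/claims'; // assumed namespace

async function onExecutePostLogin(event, api) {
  // event.authorization is absent when RBAC is not enabled for the API or the
  // user has no roles; treat that as "no roles" rather than failing the login.
  const roles = (event.authorization && Array.isArray(event.authorization.roles))
    ? event.authorization.roles
    : [];
  api.idToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
  api.accessToken.setCustomClaim(`${NAMESPACE}/roles`, roles);
}

// In the Actions editor this is written as `exports.onExecutePostLogin = async (event, api) => {...}`;
// guarded here so the file also runs where `exports` is not defined.
if (typeof exports === 'object') exports.onExecutePostLogin = onExecutePostLogin;

// Stub of the `api` object that records the claims set on each token.
function makeApiStub() {
  const claims = { idToken: {}, accessToken: {} };
  return {
    claims,
    idToken: { setCustomClaim: (name, value) => { claims.idToken[name] = value; } },
    accessToken: { setCustomClaim: (name, value) => { claims.accessToken[name] = value; } },
  };
}

// Runs the handler against a constructed login event and returns the recorded claims.
// The handler has no await inside, so its body completes before this returns.
function simulateLogin(roles) {
  const api = makeApiStub();
  const event = roles ? { authorization: { roles } } : {};
  onExecutePostLogin(event, api);
  return api.claims;
}
```

Anything placed in the ID token is readable by the browser, so keep it to what the UI needs (role names for showing or hiding menus); the access token claim is what the backend should enforce on, and only after verifying the token's signature and audience.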
For password validation, Auth0 has a dedicated place in the dashboard for setting up password strength. This change is propagated through every flow that requires the user to enter a password.
Auth0 allows you to embed login into your website. You can either use their login widget SDK (Lock) in your app or just use the Auth0 SDK to query the auth endpoints.
Auth0 provides a Next.js SDK. Setup:
Auth0's built-in test SMTP mail server cannot be used in production and requires the user to set up their own SMTP provider.
Auth0 allows you to query its APIs from the backend and also perform management tasks (user management and tenant configuration) through its management API.
In Auth0's dashboard under the database option, you can choose to disable signups.
Going through Auth0's Lock (their frontend widget) configuration, there are no options to set endpoints for actions like signup/signin.
Auth0's multi-tenancy page in their docs mentions a couple of ways to handle multi-tenant apps.
This can be done as seen in this discussion by setting the max_age param and checking the auth_time
Auth0 has proper automatic account linking. There are a few UX/security issues (but they are nothing major):
UX issue 1: If the user does email password sign up first, and then does Gmail login the second time, they are redirected back to the login UI with no message. This can be confusing. In the background though, Auth0 sends an email verification email, and once the user sees that and clicks on it, then when they relogin with Gmail, the accounts are linked.
UX issue 2: If the user signed up with Gmail, and then next time signs up with email password (because they forgot that they have an account), then they are redirected to the Gmail UI after email password account creation. After clicking on the right Gmail user, their accounts are linked. This can be confusing for certain users.
UX issue 3: If the user signed up with Gmail, and then next time tries to login with email password, they see a wrong credentials error (as expected). But then if they go through the password reset route (because they thought they had previously signed up with email password), then there is no password reset email sent. They have to click on sign up with email password, or else login with Gmail. There is no indication in the UI for this.
Security issue: If an attacker previously created an email password user with the victim's email (and not verified it), then when the victim signs up with Google, Auth0 sends an email verification email. The victim might think to click it (because they just signed up), but this causes linking of the email password account as well, giving the attacker access to the account via email password login. That being said, during Gmail sign up, Auth0 does prompt the user that they are about to link accounts, but certain users might just click on continue without understanding what's about to happen.
No account linking for passwordless or SAML login users.
Questions