auth0 / auth0-cli
Build, manage and test your Auth0 integrations from the command line
Home Page: https://auth0.github.io/auth0-cli/
License: MIT License
Currently lifetime_in_seconds is already int. There are older tenants though in string.
We'll need to fix this on the SDK level.
Having to select the access token is cumbersome. It should be easier to copy a test token to the clipboard.
auth0 test token | pbcopy
The CLI detects when stdout is not a TTY. When this is the case, it writes the access token to stdout. Any other messages are written to stderr. On macOS this should then allow me to automatically copy the access token to my clipboard, after which I can use it to make authenticated requests.
Select the access token and copy it manually.
downloaded the latest windows release.
performed:
auth0 login (was successful)
auth0 test login (failed with error message in title).
failure manifests in browser window before login.
https://auth0.com/docs/api/management/v2#!/Resource_Servers/post_resource_servers states that scopes is an optional field when creating APIs. The CLI, however, requires scopes using the auth0 apis create command. The command should not require scopes as is documented by the HTTP API.
$ auth0 apis create \
--name ${NAME} \
--identifier ${ID} \
--token-lifetime 600 \
--no-input
=== {tenant}.us.auth0.com error
▸ required flag(s) "scopes" not set
Please provide the following:
$ auth0 --version
auth0 version 0.11.1 d5eaed2385480f3ce6acb21026c103c0b831f172
The current is localhost:3000/callback but for nextjs should be http://localhost:3000/api/auth/callback
After download qs let's hint with:
Quickstart sample successfully downloaded at ...
cd test-app/sample-01 and read README.md
Allow to create Auth0 tenants programmatically / via API & CLI.
Right now, it's only possible via Auth0 UI/Dashboard.
auth0 tenants create
Parameters:
tenant name
tenant region
Using RPA
https://github.com/mathiasconradt/auth0-tenant-creation-rpa
This is useful for B2B2X scenarios and has been requested a few times in the past.
When running a command I would like to know which tenant I am running this into.
For eg. I used login to setup a tenant (I forgot I had one already configured). Then run apps list and got "token expired".
Loading apps... failed
▸ 401 Unauthorized: Expired token received for JSON Web Token validation
Checked config.json and realized I had an old tenant configured whose token was expired already (btw we need to implement Refresh Token... will create another issue for that). In any case, if we include the tenant context in each run I would know which tenant I am running against.
should be
function (user, context, callback) {
  // TODO: implement your rule
  return callback(null, user, context);
}
The default experience on auth0 actions create should be to create a "noop" action, write it to the file system and upload it.
Specifying an action file should be a special case (--file myaction.js)
After creating and uploading the action we should tell the user
Edit the action code by opening action-name.js and deploy it using auth0 actions deploy {new-action-id}
Is there any other option to authorize the client? For example using config file or env variables? Just to use it inside some CI/CD workflow to modify a list of origins, logout-url etc. In that case Device Authorization Flow is not an option.
Add this hint when Editor opens:
Hint: once you close the editor, the rule will be saved. To cancel, CTRL+C.
Provide a clear and concise description of the issue, including what you expected to happen.
I cannot install the cli with brew
brew install auth0/auth0-cli/auth0
==> Tapping auth0/auth0-cli
Cloning into '/opt/homebrew/Library/Taps/auth0/homebrew-auth0-cli'...
remote: Enumerating objects: 66, done.
remote: Counting objects: 100% (66/66), done.
remote: Compressing objects: 100% (64/64), done.
remote: Total 66 (delta 33), reused 5 (delta 0), pack-reused 0
Unpacking objects: 100% (66/66), done.
Error: Invalid formula: /opt/homebrew/Library/Taps/auth0/homebrew-auth0-cli/auth0.rb
formulae require at least a URL
Error: Cannot tap auth0/auth0-cli: invalid syntax in tap!
OS bigSur 11.2.3
The default experience of test login should be to show the JSON output. This should include these properties: user_info, id_token_decoded, access_token_decoded, id_token, access_token
This is useful for troubleshooting, which is the main goal of the CLI. As an example of this, I added an action that adds an attribute to the id_token and when I did test login it didn't show up in the response
Right now if after downloading the nextjs or node qs (auth0 quickstart download) and try to run it, it will fail. The reason is that env.local does not exist. There is env.local.template. If we could rename that to env.local after unzipping, the experience would be flawless
The create API HTTP documentation describes field signing_alg to allow configuring the signing algorithm of the access token for the API. This configuration does not appear to be available in the CLI.
Add a flag to allow specifying the signing-alg value, restricted to the allowed values of RS256 and HS256, for example create an API using the HS256 algorithm:
$ auth0 apis create --identifier ${ID} --signing-alg HS256
The response should include the secret on success:
=== {tenant}.us.auth0.com API created
ID {ID}
NAME {NAME}
IDENTIFIER {AUDIENCE}
TOKEN LIFETIME 3600
ALLOW OFFLINE ACCESS ✗
SIGNING SECRET {SECRET PLAINTEXT}
There is no alternative to this problem using the CLI. The signing algorithm cannot be changed once the API is created so the current behavior is all APIs created through the CLI will use RS256 algorithm.
When trying to add a user via the auth0-cli I get the following error after I enter the password field.
macUser@iMac projectName % auth0 users create
json: cannot unmarshal string into Go struct field ConnectionList.connections of type []interface {}
Connection: google-oauth2
Name: Name
Email: [email protected]
Password: *********
json: cannot unmarshal string into Go struct field ConnectionList.connections of type []interface {}
!! Uh oh. Something went wrong.
!! If this problem keeps happening feel free to report an issue at
!!
!! https://github.com/auth0/auth0-cli/issues/new/choose
This happens every time.
using Next version 11.0.1
auth0 version 0.9.1 f9ab1c2
macOS Big Sur Terminal
CLI allows to create an action and even specify a trigger, but it's not deployed (and there seems to be no command or flag to deploy via CLI at the moment). This means that customizing the actions still requires two manual actions on the Auth0 portal afterwards: deploying the action and then adding it to the flow.
In order to fully support CLI-based provisioning of the tenants, it would be great to support deploying the action from CLI and/or adding it to the flow (not sure if the latter is feasible, given that other actions might already be there and that the order probably matters).
My main use case is provisioning the unified set of roles and permissions on multiple tenants corresponding to the deployment stages (dev, test, demo, production etc.). Our ideal goal would be to configure a tenant in a fully automated way: define API, permissions, standard roles, custom login actions - in essence, make tenant configuration reproducible, minimize manual work, and reduce human errors.
Are there any plans to support that or good reasons not to?
From looking at the Management API, I can see that Deploy an action and Update trigger bindings methods would essentially allow to perform these steps, so it is at least theoretically possible.
--audience is not used in the resulting token from auth0 test login
I'm trying to run a command to get a user bearer token to test with automatically:
auth0 test login MY_CLIENT_ID --no-input --force --domain MY_DOMAIN --audience myaudience
With this flow, I'm taken to my staging login page, I auth with a staging user, then I get a token successfully on my clipboard. However, when I paste this token into https://jwt.io/ it has the wrong audience:
"aud": "MY_CLIENT_ID",
For some reason it used the client ID instead of the audience passed in to the CLI for the bearer token returned
Version of this library used:
auth0 --version
auth0 version 0.6.0 b69b35a
Version of the platform or framework used, if applicable:
Mac Big Sur, iTerm2
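A local way to see which audience a test token carries, without pasting the token into a website. This is an added example, not code from auth0-cli or from the issue author; tokenAudiences, hasAudience and fakeToken are hypothetical names and the sample tokens are constructed and unsigned. It decodes the payload without verifying the signature and accepts aud as either a string or an array, as RFC 7519 allows:

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// audience: RFC 7519 allows "aud" to be a string or an array of strings.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	var many []string
	switch {
	case json.Unmarshal(b, &many) == nil: // array form; JSON null leaves it empty
		*a = many
	case json.Unmarshal(b, &one) == nil: // single-string form
		*a = audience{one}
	default:
		return errors.New("aud is neither a string nor an array of strings")
	}
	return nil
}

// tokenAudiences decodes the payload of a compact JWT and returns its "aud"
// values. No signature check: an inspection aid, not an authorization check.
func tokenAudiences(token string) ([]string, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWT: expected 3 dot-separated segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var claims struct {
		Aud audience `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("payload is not valid JSON: %w", err)
	}
	return claims.Aud, nil
}

// hasAudience reports whether want is one of the token's audiences.
func hasAudience(token, want string) (bool, error) {
	auds, err := tokenAudiences(token) // auds is nil when err is non-nil
	for _, a := range auds {
		if a == want {
			return true, nil
		}
	}
	return false, err
}

// fakeToken wraps a payload in an unsigned, constructed token for the demo.
func fakeToken(payloadJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(payloadJSON)) + ".sig"
}

func main() {
	ok, err := hasAudience(fakeToken(`{"aud":"MY_CLIENT_ID"}`), "myaudience")
	fmt.Println(ok, err) // constructed sample token
}
```

A token that is not in three-segment JWT form is reported as an error rather than as a missing audience.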
On a MacOS X environment, I installed the CLI with brew and, right after logging in, I got the following error:
▸ ✪ Welcome to the Auth0 CLI 🎊.
▸ To set it up, you will need to sign in to your Auth0 account and authorize the CLI to access the API.
▸ If you don't have an account, please go to https://auth0.com/signup, otherwise continue in the browser.
▸ Your pairing code is: MJKV-RJLB
▸ This pairing code verifies your authentication with Auth0.
▸ Press Enter to open the browser (^C to quit)
=== error
▸ login error: You are polling faster than the specified interval of 5 seconds.
Just to confirm that the login flow indeed has failed, I ran auth0 apps list. As expected, I got:
=== error
▸ Not logged in. Try 'auth0 login'.
Running the flow again (auth0 login) succeeded. So, feel free to close the issue if you can't reproduce, but I leave it here as a note in case you want to double check.
after running test login (for the first time) we can hint the dev at running quickstart download
Login flow is working! Next, try download and run a quickstart
auth0 quickstarts download {client_id}
Creating users via the command line is terrific. My standard flow is to create a user and add them to an app-specific role. While the CLI has options to create/delete roles, I cannot find any commands to manage user/role membership.
Expand the user create subcommand to allow one or more roles to be specified for the user. Optionally expand the role command to allow memberships to be managed at the role level.
Create users via the CLI and then assign users to roles via the management GUI. 😢
in the same way we allow specifying client and connection, we should allow specifying audience
Once quickstart is downloaded, before finishing ask: Do you want to add this URL to the list of allowed callback URLs: http://localhost:3000?
My organization has many apps, more than fit on one page of the auth0 dashboard, and more than the 50 that are listed by auth0 apps list. I often want to look up client id and secret by client name. I can think of two solutions that would work well for me:
auth0 apps list --maxitems 500
auth0 apps show -r <client_id>
auth0 apps show -r --name <client_name>
Right now, I have to get this information from the Auth0 Dashboard by clicking through pages and using my browser's Find function.
Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.
Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.
By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.
If I run auth0 apps list in a tenant with more than 50 apps, I only get the first 50 (looks like in the order they were created) returned.
Run auth0 apps list in a tenant with more than 50 apps.
Observe that only the first 50 apps are returned.
auth0 version 0.10.3 0f57d13
OSX zsh
Please add ability to search and delete users using the CLI.
While developing an application, it is very useful to quickly search and delete users. I'd like to request the following functionality:
Search users:
auth0 users search --email [email protected]
auth0 users search auth0|123456
auth0 users search --name "John Doe"
Delete users:
auth0 users delete auth0|123456
Use the Auth0 dashboard, which is much slower than using the CLI.
None.
When trying to add existing permissions to an existing role via CLI, I'm always getting back 404 Not Found: The resource server does not exist: '' error. The documentation is a bit unclear regarding which ID of the API needs to be passed (the system-generated one or the user-friendly one), but the command fails in both cases anyway.
$ auth0 roles permissions add rol_someroleid -a numeric_api_identifier -p "permission1,permission2"
OR
$ auth0 roles permissions add rol_someroleid -a user_friendly_api_identifier -p "permission1,permission2"
404 Not Found: The resource server does not exist: ''
When running auth0 roles permissions add in the interactive mode, selecting API, role and permission goes fine and the command successfully associates the specified permissions to role. My main question is, how to correctly specify the API identifier and what else could be causing the error? Tried this on different tenants - same result.
Thank you!
auth0 login exits with "login error: User is not authorized".
During the login flow in the browser I get "Activation Denied - We are not able to activate your device.".
I am not sure if this is actually an issue in the CLI, but I have no clue where to look for further information on why it fails.
auth0 login
This leads to a screen with: Activation Denied - We are not able to activate your device.
And then the client of course says "User not authorized"
But it is unclear to me what to do, what I am missing, or what I have done wrong.
Detail the steps taken to reproduce this error, what was expected, and whether this issue can be reproduced consistently or if it is intermittent.
Where applicable, please include:
- Code sample to reproduce the issue
- Log files (redact/remove sensitive information)
- Application settings (redact/remove sensitive information)
- Screenshots
auth0 logs --clientId xyz would filter logs for that particular app. This is useful for troubleshooting to avoid all the noise of other apps.
when doing app show it should show stuff like allowed web origins
I see this now:
NAME test app
TYPE single page application
CLIENT ID ngKKhR5yy9fvIXnjRzEYdJZ7YGwjheQ8
CALLBACKS http://localhost:3000, https://jwt.io
or is there a "verbose" option that shows everything?
If I do this, I expect to just add a callback URL to this app.
go run ./cmd/auth0 apps update ngKKhR5yy9fvIXnjRzEYdJZ7YGwjheQ8 -c http://localhost:3000
Instead it will prompt me also for name, description, etc.
Also, if I do go run ./cmd/auth0 apps update ngKKhR5yy9fvIXnjRzEYdJZ7YGwjheQ8
I would expect to get asked name, description, type AND callback URLs (right now it doesn't ask for that).
Hint: download the quickstart auth0 quickstarts download --clientId ....
The PHP quickstart sample code is not correctly configured
auth0 quickstarts download APPID
<Select: Stack: PHP>
=== xxxxxxxx.us.auth0.com error
▸ Unable to download quickstart sample: Expected status 200, got 500
auth0 version 0.11.0 343e7b3
--force and --no-input still prompt you to open a browser
I'm trying to run a command to get a token to test with automatically:
auth0 test login MY_CLIENT_ID --no-input --force --domain MY_DOMAIN
This outputs:
▸ A browser window will open to begin this client's login flow.
▸ Once login is complete, you can return to the CLI to view user profile information and tokens.
▸ The client you are using does not currently allow callbacks to localhost.
▸ To complete the login flow the CLI needs to redirect logins to a local server and record the result.
▸ The client will be modified to update the allowed callback URLs, we'll remove them when done.
▸ If you do not wish to modify the client, you can abort now.
Do you wish to proceed? (y/N)
According to the documentation from auth0 help test login:
--force Skip confirmation.
--no-input Disable interactivity.
This documentation isn't clear on what's supposed to happen, it is quite confusing. Either way, neither flag's supposed explanation is being followed, there is both a confirmation and it's interactive.
Please provide the following:
Version of this library used:
auth0 --version
auth0 version 0.6.0 b69b35a
Version of the platform or framework used, if applicable:
Mac Big Sur, iTerm2
We are not cleaning up properly the callback URL if there was an error (e.g. a rule returning an error).
Should return with the version of the CLI that is being used.
when running without parameters (auth0) it should tell me if I am already logged in or not. If I'm not then we should suggest running auth0 login.
can we use different colors for the type of app so it's easy to parse? only for the app type, not the full row. eg native can be cyan. etc
On MacOS when attempting to login, auth0 cli opens the macos Finder app rather than opening a browser, so login is not possible.
Installed auth0 cli from auth0 login
on terminal command line using brew
instructions from README.md
On command line: auth0 login
and got the following output:
✪ Welcome to the Auth0 CLI 🎊
If you don't have an account, please go to https://auth0.com/signup
Your Device Confirmation code is:
▸ Press Enter to open the browser to log in or ^C to quit...
Waiting for login to complete in browser... ⣷ Waiting for login to complete in browser... failed
=== ffn-dev.us.auth0.com error
▸ login error: Unauthorized
I expected to have a browser window open in Chrome to login to auth0, but instead the Finder app opened to my current directory, so could not complete the login process.
auth0 version 0.10.3 0f57d1303347dd7bd7b8547ed81026b46b98089c
JHipster is adding Auth0 support in its next release. It'd be cool if the steps to configure a JHipster app on Auth0 was automated by the Auth0 CLI.
Okta's CLI has support for it using okta apps create jhipster. You can see how it was added in okta/okta-cli#3. You can see how it works in https://youtu.be/ThytrcxL31s?t=90.
auth0 apps create jhipster
Currently, we (the JHipster team) have the following docs for configuring a JHipster app.
dev-xxx.us.auth0.com
Regular Web Applications. Switch to the Settings tab, and configure your application settings like:
http://localhost:8080/login/oauth2/code/oidc
http://localhost:8080/
ROLE_ADMIN, and ROLE_USER.
Empty rule template. Provide a meaningful name like JHipster claims and replace Script content with the following and Save.
function (user, context, callback) {
  user.preferred_username = user.email;
  const roles = (context.authorization || {}).roles;
  function prepareCustomClaimKey(claim) {
    return `https://www.jhipster.tech/${claim}`;
  }
  const rolesClaim = prepareCustomClaimKey('roles');
  if (context.idToken) {
    context.idToken[rolesClaim] = roles;
  }
  if (context.accessToken) {
    context.accessToken[rolesClaim] = roles;
  }
  callback(null, user, context);
}
In your JHipster application, modify src/main/resources/config/application.yml to use your Auth0 settings:
spring:
  ...
  security:
    oauth2:
      client:
        provider:
          oidc:
            # make sure to include the ending slash!
            issuer-uri: https://{your-auth0-domain}/
        registration:
          oidc:
            client-id: {clientId}
            client-secret: {clientSecret}
            scope: openid,profile,email
jhipster:
  ...
  security:
    oauth2:
      audience:
        - https://{your-auth0-domain}/api/v2/
If you have a doubt on the issuer-uri value, then, you can get the value from Applications > {Your Application} > Settings > Advanced Settings > Endpoints > OpenID Configuration. Remove .well-known/openid-configuration suffix since that will be added by the Spring Security.
You can use the default Auth0 Management API audience value from the Applications > API > API Audience field. You can also define your own custom API and use the identifier as the API audience.
Before running Cypress tests, specify Auth0 user details by overriding the CYPRESS_E2E_USERNAME and CYPRESS_E2E_PASSWORD environment variables. Refer to Cypress documentation for more details.
export CYPRESS_E2E_USERNAME=<your-username>
export CYPRESS_E2E_PASSWORD=<your-password>
Note: Auth0 requires a user to provide authorization consent on the first login. Consent flow is currently not handled in the Cypress test suite. To mitigate the issue, you can use a user account that has already granted consent to authorize application access via interactive login.
If you experience authentication issues with Cypress, see this guide for a workaround.
You can also use environment variables to override the defaults. For example:
export SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_OIDC_ISSUER_URI="https://{your-auth0-domain}/"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_ID="{client-id}"
export SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_OIDC_CLIENT_SECRET="{client-secret}"
export JHIPSTER_SECURITY_OAUTH2_AUDIENCE="https://{your-auth0-domain}/api/v2/"
You can put this in an ~/.auth0.env file and run source ~/.auth0.env to override the default Keycloak settings with Auth0 and start your app with Maven or Gradle. You should be able to sign in with the credentials you registered with.
Note: If you're on Windows, you should install WSL so the source command will work.