auth0 / omniauth-auth0
OmniAuth strategy to login with Auth0
License: MIT License
Looking to implement a sign out here. Deleting session info doesn't seem to work, any help?
Allow logging the response easily, e.g. if the AUTH_DEBUG env variable is set, log the response.
Using omniauth-auth0 v2.0.0 but otherwise following the Rails 5 guides in the docs leads to a csrf_detected error coming out of omniauth.
provider_ignores_state = true used to be set in the provider by default. This was removed in v2.0.0. Setting this explicitly avoids the CSRF detected error but it doesn't seem like a good idea.
Is there another suggested implementation to avoid setting provider_ignores_state = true?
Most of our users are reporting no issues, but occasionally we are seeing users hit CSRF detected errors. We even had a developer hit one locally.
One nuance of our setup is that the entire app is behind a login wall, so we have a concern that automatically redirects to auth0 login if the user is not already logged in.
That code looks like this:
module Authentication
  extend ActiveSupport::Concern

  included do
    before_action :authenticate!
  end

  def authenticate!
    authenticated_user = User.includes(:roles).find_by(id: session[:user_id])
    if authenticated_user.nil?
      redirect_to "/auth/auth0"
    else
      Current.user = authenticated_user
    end
  end
end
The error looks like this in development:
Unfortunately, we're having a lot of trouble reproducing it. My colleagues have shown it to me when it's happened and I see it coming into Sentry (our error reporter), but they didn't seem to do anything differently.
The strange thing is that usually they insist they were already signed in on a previous session and logically shouldn't have even been needing to go through the auth0 flow.
[email protected]. We do not have the omniauth-rails_csrf_protection because of our redirect strategy (redirects don't allow POST) but maybe this is the issue?
When a session is initiated from an IdP, e.g. configured like an Okta app, the callback phase with code type seems to be failing in verify_nonce in callback (master branch).
I have an app where I'm moving from Lock-based authentication to the Auth0 Universal Login approach. In this process I updated omniauth-auth0 from version 1.0 to 2.2 and started to have this problem when trying to log in:
Environment:
rails 5.1.1
ruby 2.4.1
Any thoughts of how can I handle this?
I'm hitting an issue where omniauth works in dev mode but not in production using Passenger. Under Passenger, I am redirected correctly by my app to /auth/auth0 (as I use the auth0 provider) but then get an error from nginx that that URL doesn't exist. This is my omniauth config:
configure do
  set :sessions, true
  set :session_secret, (ENV['SESSION_SECRET'].to_s == '' ? SecureRandom.base64 : ENV['SESSION_SECRET'])
  OmniAuth.configure do |config|
    # Always use /auth/failure in any environment
    config.failure_raise_out_environments = []
  end
  use OmniAuth::Builder do
    provider :auth0, ENV['AUTH0_CLIENT_ID'], ENV['AUTH0_CLIENT_SECRET'], ENV['AUTH0_DOMAIN']
  end
end
I've run this to show my routes:
require_relative 'main' # my sinatra app
Sinatra::Application.routes["GET"].each do |route|
  puts route[0]
end
but that shows only these auth-related routes, even in my development environment:
(?-mix:\A\/auth\/([^\/?#]+)\/callback\z)
(?-mix:\A\/auth\/failure\z)
(?-mix:\A\/auth\/logout\z)
but these are all mine; I was expecting /auth/auth0 (or a regex matching it) to be listed too.
Using custom domain with this gem
I'm trying to implement a custom domain, but I receive only the "You should not be hitting this endpoint. Make sure to use the code snippets shown in the tutorial or contact [email protected] for help" error alert.
Thank you
My initializers/auth0.rb:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider(
    :auth0,
    ENV['AUTH0_CLIENT_ID'],
    ENV['AUTH0_CLIENT_SECRET'],
    ENV['AUTH0_DOMAIN'],
    authorize_params: {
      scope: 'openid profile offline_access enroll read:authenticators remove:authenticators',
      audience: "https://<tenant>.auth0.com/mfa/",
    },
    provider_ignores_state: true,
  )
end
I changed AUTH0_DOMAIN to the custom domain.
I tried setting configuration_base_url too, but that doesn't solve it.
License should have the current approved contents.
Missing Login Info
I'm currently integrating omniauth SSO to an existing Devise based application. (Devise + omniauth + omniauth-auth0). After a little experimentation I was able to get auth working, but don't receive any of the metadata I would expect... instead I get:
#<OmniAuth::AuthHash::InfoHash email=nil image=nil name="github|<USER_ID>" nickname=nil>
in the info hash. Is there a quick fix/known behavior for this issue?
I checked around and saw no issues/fixes/PRs to match
I never get details on login, only the uid of the user. Every attempted login on any provider is a reproduction of this issue. I do not have an isolated test case.
It seems to do the same thing for any provider. (EX: google-oauth2|USER_ID is all that comes in for the google provider)
Logs indicate a successful auth, but themselves have some empty fields.
{
  "date": "2018-12-18T18:46:29.380Z",
  "type": "seacft",
  "description": "",
  "connection_id": "",
  "client_id": "4Ac7g6azJYRJd7FyEjLWk0cnNVaFGNFX",
  "client_name": "client-portal",
  "ip": "REDACTED",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "REDACTED",
  "user_id": "",
  "user_name": "",
  "log_id": "90020181218184629380777407631495898728224680782653942003",
  "isMobile": false
}
In my devise config:
config.omniauth :auth0, ENV['AUTH0_CLIENT_ID'],
  ENV['AUTH0_CLIENT_SECRET'],
  ENV['AUTH0_HOST'],
  {
    authorize_params: {
      scope: 'openid read:users',
      audience: '<audience URL>'
    },
    provider_ignores_state: true,
    callback_path: '/authenticate'
  }
I'm examining the incoming auth inside my self.from_omniauth(auth) implementation.
Thanks for looking,
-abbey
I found a thread in the forum about the same issue with no resolution: https://community.auth0.com/t/twitter-nickname-is-not-the-same-as-screen-name/17297
Unlike every other social login provider, the Twitter strategy returns a request.env['omniauth.auth']['info']['nickname'] value which is NOT the user's Twitter handle.
The workaround of adding this rule in Auth0 dashboard does work:
function (user, context, callback) {
  // Put the user's screen_name as the nickname
  // for Twitter connections
  if (context.connection === 'twitter' && user.screen_name) {
    user.nickname = user.screen_name;
  }
  callback(null, user, context);
}
Instead of calling /userinfo, decode the id_token (if openid was included as the scope)
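The following is an added example, not the gem's JWT validator and not code from any poster above. It shows what "decode the id_token" has to include before the claims can replace a /userinfo call: pin the algorithm, verify the signature, check iss, aud and exp, and bind the token to the session that started the login through the nonce. That last check is also where the IdP-initiated (Okta) report earlier fails: such a callback arrives in a session that never stored a nonce, and the example rejects it explicitly instead of accepting the token. HS256 keyed with the client secret is used so the block runs offline; Auth0's RS256 tokens differ only in the signature step (the tenant JWKS), not in the claim checks. The module name, the secret, issuer, client id and claim values are placeholders constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Added example, not the gem's validator. Verifies an OIDC ID token and
# binds it to the session that started the login via the nonce claim.
# HS256 with the client secret keeps it offline; RS256 (Auth0's default)
# swaps only the signature check for a JWKS lookup.
module IdToken
  class Invalid < StandardError; end

  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.unb64url(str)
    Base64.urlsafe_decode64(str)
  end

  # Mint a token. Constructed test data: in production Auth0 signs it.
  def self.sign(claims, secret)
    header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
    payload = b64url(JSON.generate(claims))
    sig     = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
    "#{header}.#{payload}.#{b64url(sig)}"
  end

  # session: the Rack session (a Hash here) in which the request phase
  # stored 'omniauth.nonce' before redirecting to /authorize.
  def self.verify(token, secret:, issuer:, audience:, session:, now: Time.now.to_i)
    header, payload, sig = token.to_s.split('.')
    raise Invalid, 'malformed token' if [header, payload, sig].any?(&:nil?)
    # Pin the algorithm before touching the signature; never trust alg from the token.
    hdr = JSON.parse(unb64url(header))
    raise Invalid, "unexpected alg #{hdr['alg']}" unless hdr['alg'] == 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
    raise Invalid, 'bad signature' unless secure_equal(expected, unb64url(sig))
    claims = JSON.parse(unb64url(payload))
    raise Invalid, 'wrong issuer'   unless claims['iss'] == issuer
    raise Invalid, 'wrong audience' unless Array(claims['aud']).include?(audience)
    raise Invalid, 'token expired'  unless claims['exp'].is_a?(Integer) && claims['exp'] > now
    # The nonce exists only if *this* app ran the request phase. An IdP-initiated
    # login never stored one, so the callback cannot be tied to a request this app
    # made and is rejected rather than silently accepted.
    stored = session.delete('omniauth.nonce')
    raise Invalid, 'no nonce in session (IdP-initiated or stale session)' if stored.nil?
    raise Invalid, 'nonce mismatch' unless secure_equal(stored, claims['nonce'].to_s)
    claims
  end

  # Constant-time comparison so a timing oracle cannot leak the expected value.
  def self.secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.error_of
    yield
    nil
  rescue Invalid => e
    e.message
  end

  # Walks one good login and the failure modes discussed in the issues above.
  def self.demo
    secret = 'client-secret-for-the-example'      # placeholder
    iss    = 'https://example-tenant.auth0.com/'  # placeholder tenant
    aud    = 'exampleclientid'                    # placeholder client id
    now    = 1_700_000_000
    session = { 'omniauth.nonce' => SecureRandom.hex(16) }
    token = sign({ iss: iss, aud: aud, sub: 'auth0|123', iat: now, exp: now + 3600,
                   nonce: session['omniauth.nonce'], email: 'user@example.com' }, secret)
    args = { secret: secret, issuer: iss, audience: aud, now: now }
    tampered = token.sub(/\.[^.]+\z/, '.' + b64url('nope'))
    {
      ok:            verify(token, session: session.dup, **args)['sub'],
      idp_initiated: error_of { verify(token, session: {}, **args) },
      tampered:      error_of { verify(tampered, session: session.dup, **args) },
      expired:       error_of { verify(token, session: session.dup, **args.merge(now: now + 7200)) },
      wrong_aud:     error_of { verify(token, session: session.dup, **args.merge(audience: 'other')) }
    }
  end
end
```

The nonce is deleted from the session on first use, so a replayed callback fails the same way an IdP-initiated one does; that is the intended behaviour, since neither can be matched to a request phase this application performed.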
In the Rails login tutorial here, a SessionHelper module is defined with a get_state method. This module looks like:
# app/helpers/session_helper.rb
module SessionHelper
  def get_state
    state = SecureRandom.hex(24)
    session['omniauth.state'] = state
    state
  end
end
I'm just curious what is responsible for calling this method? Does the gem use this method or does another omniauth gem use this method? Just want to understand how this code is being used. Thanks!
Hi!
I'm in a situation where I have both a login and a signup on my home page. I cannot find a way to redirect to auth0 with the signup page as the initial screen; it will always show login instead.
I see the JavaScript library has some options in which you can set the initial screen, but I cannot find the equivalent to this using this gem.
Is there any way I can redirect my users to the signup screen when they click signup?
Thanks a lot!
In order to handle SSO authentication, we must perform silent authentication. To do that, the docs point to adding prompt=none to the authorization path.
There is no way to do that dynamically. I can perform silent authentication if I add this to initializers/auth0.rb:
authorize_params: {
  scope: 'openid',
  prompt: 'none'
}
But this will try to perform silent authentication always, and if the user is not logged in then a redirection to the failure callback will be fired.
I need a way to add the prompt param dynamically, so if a user is not logged in I can redirect him to the Auth0 login page. Is that possible?
I've started using Auth0 for SSO with a Rails client app and I'm having issues with the fact that once any of my users' Auth0 sessions have expired there's no way for me to know that so I can also destroy their session in the client app.
Once the user's Auth0 session expires, a POST request is sent from Auth0 to the client Rails app, securely, that a specific user's session has expired.
E.g. suppose that we could generate a secret API key on a client application, similar to the way keys are generated by Auth0 so that a client application could be authorized, but it's the other way around: Auth0 would have to authenticate itself to the client application when sending a request and the client application has to verify that request in order for it to be handled.
Unable to pass prompt values to configure New Universal Login when using omniauth-rails_csrf_protection. The readme suggests passing these as query params when redirecting the user to Auth0, but when using the csrf protection gem, I'm using a POST request rather than a redirect.
I expect that I can pass prompt: { login: { description: 'Login to <OUR APPLICATION>' } } and see the New Universal Login reflect that copy change.
I've set the prompt key in the OmniAuth configuration as well as the query params for the POST request.
OmniAuth config: prompt argument when configuring OmniAuth.
Query String params for the link generated for login within Rails, i.e. <%= link_to 'Login', '/auth/auth0', params: { <PROMPT CONFIG> }, method: :post %>
Apparently it's being ignored: https://github.com/auth0/omniauth-auth0/blob/master/lib/omniauth/strategies/auth0.rb#L42-L48
For comparison, this is how it's handled in omniauth-oauth2: https://github.com/intridea/omniauth-oauth2/blob/9a2617f65ddf85a31f2aa9325089df2ddbf9d613/lib/omniauth/strategies/oauth2.rb#L41-L46
Update it to Rails 4.2.5.1 to use the patch version that fixes the security vulnerabilities previously reviewed
I'm using Auth0's dev keys in development mode while running the app locally. I have configured both of the following URLs as callback URLs in the application settings:
http://localhost:3000/auth/oauth2/callback, http://localhost:3000/auth/auth0/callback
This seems to be exactly the same issue as what was reported here: https://community.auth0.com/t/redirecturl-mismatch-using-webauth/21332
An example error tracking id: ec12ffe36ad815bec615
@hzalaz ~18mo since last commit. Is auth0 dropping support?
oauth2 - has new maintainers and v2.0 is on the way soon https://github.com/oauth-xx/oauth2/issues/307#issuecomment-370920888
Hi there,
I'm trying to implement omniauth-auth0 as a provider in our rails 4 app. I'm using the Auth0 lock widget in a modal to initiate the login process.
We use devise and omniauth and already successfully implement various providers like google, facebook and linkedin. I used a similar implementation to the one described here: #6
For some reason, the omniauth-auth0 gem is generating a badly formed request to extract the access token from the authorization code and exchange it for the id token as described here: https://auth0.com/docs/client-auth/server-side-web#exhange-the-access_code-for-an-id_token
Here is an example trace of the request and response:
[www] [7ae2968b-XXXXX] [127.0.0.1] [USER: Unknown] [SESS: ecb26e0256aXXXXXX] Started GET "/accounts/auth/auth0/callback?code=XLbDDKKXXXXXX" for 127.0.0.1 at 2017-02-15 19:04:24 -0700
I, [2017-02-15T19:04:24.070708 #70029] INFO -- omniauth: (auth0) Callback phase initiated.
E, [2017-02-15T19:04:24.845973 #70029] ERROR -- omniauth: (auth0) Authentication failure! invalid_credentials: OAuth2::Error, access_denied: Unauthorized
{"error":"access_denied","error_description":"Unauthorized"}
I can do this exchange myself in the terminal via a curl and it works fine. See below.
$ curl --request POST \
> --url 'https://warmlyyours.auth0.com/oauth/token' \
> --header 'content-type: application/json' \
> --data '{"grant_type":"authorization_code","client_id": "zNZjT4aNDl24XXXXXXXX","client_secret": "AjGbpSc3XXXXXXXXXXX","code": "RTE6dqvXXXXXXX","redirect_uri": "https://www.x.me:3000/accounts/auth/auth0/callback"}'
{"access_token":"Wc7K8mXXXXXX","expires_in":86400,"id_token":"eyJ0eXAiOXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX","token_type":"Bearer"}
Below are example log traces left in the Auth0 dashboard, the pattern is a failed exchange immediately following a successful login.
Summary
Occurred 15 hours ago at 2017-02-16 02:04:24.853 UTC
Type **Failed Exchange**
Description Unauthorized
Connection
Application zNZjT4aNDl24XXXXXXXX
User
Raw
{
  "date": "2017-02-16T02:04:24.853Z",
  "type": "feacft",
  "description": "Unauthorized",
  "connection_id": "",
  "client_id": "zNZjT4aNDl24XXXXXXXX",
  "client_name": null,
  "ip": "73.14.174.238",
  "user_agent": "Faraday v0.9.2",
  "user_id": "",
  "user_name": ""
}
Summary
Occurred 15 hours ago at 2017-02-16 02:04:23.974 UTC
Type **Success Login**
Description
Connection Username-Password-Authentication
Application XYZzNZjT4aNDl24XXXXXXXX
User [email protected]
Raw
{
  "date": "2017-02-16T02:04:23.974Z",
  "type": "s",
  "connection": "XYZ",
  "connection_id": "con_XYZ",
  "client_id": "zNZjT4aNDl24XXXXXXXX",
  "client_name": "XYZ",
  "ip": "73.14.X.Y",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
  "details": {
    "stats": {
      "loginsCount": 24
    }
  },
  "user_id": "auth0|XYZ",
  "user_name": "[email protected]",
  "strategy": "auth0",
  "strategy_type": "database"
}
Any help would be appreciated!
Regards,
Ramie
We are aware of a vulnerability in the parent OmniAuth library that this strategy relies on. This was reported over 4 years ago in this PR but no fix has been released yet. It just recently came to our attention (and others) when our dependency scanner started pinging us about CVE-2015-9284.
In summary, the vulnerability allows an attacker to link an external identity provider to a user signed into the application using OmniAuth if certain conditions apply. This request forgery requires having 2 or more allowed identity sources for the application and can affect both Ruby-only and Rails-enabled applications. Even if you are only using the Auth0 strategy, specific providers can be indicated in a connection
parameter on the auth URL like so:
https://yourapp.com/auth/auth0?connection=google-oauth2
This will limit the authentication request to a single connection, in this example case the Google social connection, and return to the application with a valid ID token. Default behavior for an application using our quickstart is to log the user in with this new ID token. If your application does any kind of account linking then this could create a situation where an attacker's Google account could be associated with the user account for the application by just visiting a URL. Again, this would require no-action account linking to be implemented in your application and the user to be logged into an attacker's account on an external identity provider used by the application.
The OmniAuth community has since published a mitigation draft document that walks through how to secure an app with this vulnerability in place, both for Ruby and Rails-enabled applications. The main mitigation presented there is to POST
to the auth URL so a CSRF token can be used and direct links could not start the auth process. Other considerations:
[email protected] with [email protected]?
In the meantime, we have one of two options for this library:
omniauth-rails
once this PR is merged.
Taking route 1 would mean that we're waiting for an indeterminate time before this is fixed (which is fine if mitigations can be put in place but there's no way to contact everyone using this library). Taking route 2 means that Ruby-only applications do not have a good authentication solution (the Ruby SDK has the endpoints needed but does not handle callbacks, session, state, etc).
We appreciate any feedback that you have. In the meantime, we'll be weighing the two options above, looking for additional ways to address this, and answering any questions you might have. We'll leave this open until a fix is in place, one way or another.
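As an added example that is not part of this thread and not the gem's or OmniAuth's own code, the Ruby below models the two checks discussed on this page: the state round trip whose failure surfaces as the csrf_detected error reported in the earlier v2.0.0 issue (the same state the quickstart's SessionHelper#get_state writes to session['omniauth.state']), and the POST-plus-CSRF-token gate on the request phase that the CVE-2015-9284 mitigation document recommends. The logic follows what omniauth-oauth2 does for state but is a stand-alone rewrite; the AuthFlow module, the Hash standing in for the Rack session, the 'csrf_token' session key, the 'tok123' token and the callback parameters are all constructed for the example.

```ruby
require 'securerandom'

# Added example, not the gem's code: a minimal model of the two checks
# OmniAuth puts around the Auth0 redirect, written against a plain Hash
# standing in for the Rack session and a Hash {method:, params:} standing
# in for the request. All values below are constructed for the example.
module AuthFlow
  STATE_KEY = 'omniauth.state'
  CSRF_KEY  = 'csrf_token'

  # Request phase. This is the mitigation the CVE-2015-9284 write-up above
  # recommends: only a POST that carries the session's CSRF token may start
  # the flow, so a bare link such as /auth/auth0?connection=google-oauth2
  # cannot. Returns the state to put in the authorize URL, or nil to refuse.
  def self.request_phase(request, session, require_post: true)
    if require_post
      return nil unless request[:method] == 'POST'
      token = request[:params]['authenticity_token'].to_s
      return nil unless secure_equal(token, session[CSRF_KEY].to_s)
    end
    state = SecureRandom.hex(24)        # what the quickstart's get_state does
    session[STATE_KEY] = state
    state
  end

  # Callback phase, same contract as omniauth-oauth2's state check: the state
  # param must be present and equal the stored one, and the stored value is
  # consumed either way so it cannot be replayed. provider_ignores_state: true
  # (the setting the issues above ask about) skips the comparison entirely.
  def self.callback_phase(request, session, provider_ignores_state: false)
    expected = session.delete(STATE_KEY).to_s
    received = request[:params]['state'].to_s
    return :ok if provider_ignores_state
    return :csrf_detected if received.empty? || !secure_equal(received, expected)
    :ok
  end

  # Constant-time comparison; avoids leaking the expected value byte by byte.
  def self.secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Runs the flows discussed above against constructed sessions and requests.
  def self.demo
    session = { CSRF_KEY => 'tok123' }
    # Legitimate login: POST with the CSRF token, then the callback returns
    # with the same state Auth0 was given.
    state = request_phase({ method: 'POST', params: { 'authenticity_token' => 'tok123' } }, session)
    legit = callback_phase({ params: { 'code' => 'c1', 'state' => state } }, session)
    # Replaying that callback fails: the state was consumed.
    replay = callback_phase({ params: { 'code' => 'c1', 'state' => state } }, session)
    # A plain GET link (the attacker's URL) does not start the flow at all.
    get_start = request_phase({ method: 'GET', params: {} }, session)
    # Attacker-forged callback: the victim's session never issued this state.
    forged = { params: { 'code' => 'attacker', 'state' => 'x' * 48 } }
    rejected = callback_phase(forged, {})
    # ...unless the state check is switched off, which is why that setting
    # hides the error rather than fixing it.
    accepted = callback_phase(forged, {}, provider_ignores_state: true)
    { legit: legit, replay: replay, get_start: get_start, forged: rejected, ignored: accepted }
  end
end
```

The two checks are independent: the state comparison protects the callback, the POST-with-token gate protects the request phase. The login-wall pattern from the earlier report (a before_action that redirects to /auth/auth0 with a GET) only works with the second check relaxed, which is exactly the condition the advisory describes.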
In an application using Turbo (and I assume its predecessor Turbolinks), form submissions will be transformed into XHR / fetch requests that trigger a CORS request. This is not valid for the login action.
Other users have experienced the same problem.
Update the docs (and quick start guide?) to mention this. Specifically for Turbo, you can disable the behavior via:
button_to 'Login', '/auth/auth0', method: :post, data: { turbo: 'false' }
#                                                ^^^^^^^^^^^^^^^^^^^^^^^^
It's missing the instruction bundle install
Hi there,
your example app, in addition to the example app offered for download have the following line:
If you want to build a Ruby On Rails API that will be used with a SPA or a Mobile device, please check this other seed project
However, the link provided does not exist. Is there an api app example?
Otherwise I suggest modifying this line, at least remove the link to avoid confusion.
Splitting this off from #48 by @coros-sanborn.
We used to get the app_metadata back which included the roles:
data[:extra][:raw_info][:app_metadata][:myAppName][:roles]
Since you want to use Lock and you need to use v11 going forward, I think your best bet in this case is a custom claim for the ID token. Here is the Rules code you're looking for, modified from here:
function (user, context, callback) {
  const namespace = 'https://myapp.example.com/';
  context.idToken[namespace + 'app_metadata'] = user.app_metadata;
  callback(null, user, context);
}
One thing to note ... some browsers have a problem with the cross-browser authentication that Lock 11 does. To fix this, you'll need a custom domain setup for your tenant.
The universal login (which is v9) should at least work and return the same information as embedded lock v9 - which it does not (since I no longer get the app_metadata).
The actual version of Lock is less relevant than the API endpoints it uses. I wouldn't really even consider how the Lock widget on the universal page works since it behaves differently when it's located there. As you've said, that doesn't return the app_metadata
either.
To be clear, I'm only looking at the universal login as a last resort.
Understood. That said, our recommendation stands to use a redirect to the universal login page with a web app like one built on Rails.
I have a rails 4 app that had the embedded login page with lock 9. It worked fine for years. It stopped working in the last couple weeks because lock 9 was deprecated. As soon as I upgraded to lock 11 the page will no longer redirect, even if the user is authenticated.
I'm clear on the missing app_metadata
but can you clarify what you mean by "As soon as I upgraded to lock 11 the page will no longer redirect"?
This is the problem that I and many others are having and we really need a resolution.
That's what I'm here for :)
If lock 9 worked then upgrading to lock 11 should work, maybe with a few tweaks, but the entire app should not fail.
I agree. I think that's a shortcoming in our migration guide, to be honest. The new authentication endpoints only provide OIDC conformant fields and app_metadata
is not one of them.
And to add to the challenge there is not any documentation on how to configure the embedded login with Rails. The quickstart example is only for using the universal login page.
That was intentional, RE: our recommendation to use the universal login page.
My Rails app integrated with Auth0 with no issue; however, when I upgraded omniauth-auth0 from 1.4.2 to ~> 2.0.0 it forced me to upgrade omniauth-oauth2 from 1.3.1 to ~> 1.4. Then, after upgrading, I started getting this error after social login with Lock 11:
then, after upgrading, I started getting this error after social login with Lock 11:
Could not find a valid mapping for path "/auth/oauth2/callback"
My code base has not been touched, I only upgraded the gems.
Full trace:
devise (4.3.0) lib/devise/mapping.rb:49:in `find_by_path!'
devise (4.3.0) lib/devise/omniauth.rb:17:in `block in <top (required)>'
omniauth (1.6.1) lib/omniauth/strategy.rb:478:in `call'
omniauth (1.6.1) lib/omniauth/strategy.rb:478:in `fail!'
omniauth-oauth2 (1.4.0) lib/omniauth/strategies/oauth2.rb:71:in `callback_phase'
omniauth (1.6.1) lib/omniauth/strategy.rb:230:in `callback_call'
omniauth (1.6.1) lib/omniauth/strategy.rb:187:in `call!'
omniauth (1.6.1) lib/omniauth/strategy.rb:167:in `call'
omniauth (1.6.1) lib/omniauth/builder.rb:63:in `call'
rack (1.6.9) lib/rack/deflater.rb:35:in `call'
warden (1.2.7) lib/warden/manager.rb:36:in `block in call'
warden (1.2.7) lib/warden/manager.rb:35:in `catch'
warden (1.2.7) lib/warden/manager.rb:35:in `call'
rack (1.6.9) lib/rack/etag.rb:24:in `call'
rack (1.6.9) lib/rack/conditionalget.rb:25:in `call'
rack (1.6.9) lib/rack/head.rb:13:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/flash.rb:260:in `call'
rack (1.6.9) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.6.9) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/cookies.rb:560:in `call'
activerecord (4.2.8) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.2.8) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.2.8) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
activesupport (4.2.8) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
activesupport (4.2.8) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (4.2.8) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/reloader.rb:73:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.2.8) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.2.8) lib/rails/rack/logger.rb:20:in `block in call'
activesupport (4.2.8) lib/active_support/tagged_logging.rb:68:in `block in tagged'
activesupport (4.2.8) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (4.2.8) lib/active_support/tagged_logging.rb:68:in `tagged'
railties (4.2.8) lib/rails/rack/logger.rb:20:in `call'
request_store (1.3.2) lib/request_store/middleware.rb:9:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.6.9) lib/rack/methodoverride.rb:22:in `call'
rack (1.6.9) lib/rack/runtime.rb:18:in `call'
activesupport (4.2.8) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
rack (1.6.9) lib/rack/lock.rb:17:in `call'
dragonfly (1.1.3) lib/dragonfly/cookie_monster.rb:9:in `call'
actionpack (4.2.8) lib/action_dispatch/middleware/static.rb:120:in `call'
font_assets (0.1.14) lib/font_assets/middleware.rb:17:in `block in call'
font_assets (0.1.14) lib/font_assets/middleware.rb:40:in `do_request'
font_assets (0.1.14) lib/font_assets/middleware.rb:16:in `call'
rack (1.6.9) lib/rack/sendfile.rb:113:in `call'
lib/rack/seoredirect.rb:20:in `call'
sentry-raven (2.7.1) lib/raven/integrations/rack.rb:51:in `call'
railties (4.2.8) lib/rails/engine.rb:518:in `call'
railties (4.2.8) lib/rails/application.rb:165:in `call'
railties (4.2.8) lib/rails/railtie.rb:194:in `public_send'
railties (4.2.8) lib/rails/railtie.rb:194:in `method_missing'
rack (1.6.9) lib/rack/deflater.rb:35:in `call'
rack (1.6.9) lib/rack/lock.rb:17:in `call'
rack (1.6.9) lib/rack/content_length.rb:15:in `call'
rack (1.6.9) lib/rack/handler/webrick.rb:88:in `service'
/Users/Apple/.rvm/rubies/ruby-2.2.7/lib/ruby/2.2.0/webrick/httpserver.rb:138:in `service'
/Users/Apple/.rvm/rubies/ruby-2.2.7/lib/ruby/2.2.0/webrick/httpserver.rb:94:in `run'
/Users/Apple/.rvm/rubies/ruby-2.2.7/lib/ruby/2.2.0/webrick/server.rb:294:in `block in start_thread'
The README.md file spells URL as "url". Since URL stands for Uniform Resource Locator, it should be always uppercase, unless its a variable name.
Hi
I have been following the tutorial for using Auth0 with Rails here https://auth0.com/docs/quickstart/webapp/rails/01-login
The issue I have is that most Rails applications (and ours is one of them), if I hit a URL that needs a login, will redirect me to the login screen, and then upon successful authentication continue on their merry journey.
I haven’t found anything in the documentation about how to do that redirect?
I have had to construct a URL myself … that seems to work … but it’s been a bit of trial and error and I would have thought that there was a better Rails way.
state = SecureRandom.hex
session['omniauth.state'] = state
callback_url = auth_auth0_callback_url
url = "https://#{ApplicationConfig::Auth0::DOMAIN}/authorize?response_type=code&client_id=#{ApplicationConfig::Auth0::CLIENT_ID}&redirect_uri=#{callback_url}&state=#{state}&scope=openid profile email"
So is there a better way of doing this?
Cheers
Shane
After the rails steps, got SSL error. Need to add ssl_fix by default as described here
We'd like to redirect the user to the Auth0 login page from a GET request, it would be nice if we could reuse omniauth-auth0's logic for generating an appropriate URL.
A method that can be used to generate an appropriate Auth0 URL for the login page.
Figuring out the logic to generate the URL ourselves, but since it's been solved by this gem already it would be nice to be able to reuse that logic.
It's also possible to use the repost
gem to simulate a redirect to POST /auth/auth0
, but that's not ideal.
There is an existing similar issue, but it was closed without providing a complete solution #105.
We're using the omniauth-auth0 gem in a Sinatra application; when the gem redirects to Auth0 for authenticating a user it sends a parameter for callback_uri, by default it's /auth/auth0/callback.
Our service will be served under a path prefix, meaning all paths will have a fixed prefix "/service-name/", so we'll need to specify this callback_uri parameter.
With the current implementation the user will be redirected back to /auth/auth0/callback, which doesn't hit the service in the first place, as /auth doesn't start with the service prefix so it won't map to it.
I tried to search for a way in the past couple of days related to omniauth or omniauth-auth0 but failed to find anything that works.
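Several of the requests above come down to the same missing piece: a way to build the Auth0 /authorize URL per request. The hand-assembled URL in the Rails login question leaves the space in scope and the redirect_uri unencoded; the silent-auth report needs prompt=none only on some requests; the signup question needs Auth0's screen_hint=signup Universal Login parameter; and the path-prefix report above needs the callback path to keep the mount point. The block below is an added example, not a method the gem exposes and not code from any of those posts. It writes the state and nonce into the session the way a request phase would, so the callback has something to compare against. The Auth0Authorize module, the tenant domain, client id, base URL, prefix and the Hash used as the session are placeholders constructed for the example; prompt, screen_hint and connection are real Auth0 authorize parameters.

```ruby
require 'securerandom'
require 'uri'

# Added example, not a method the gem provides: builds the Auth0 /authorize
# URL the way a request phase would, with every parameter form-encoded and a
# fresh state and nonce written to the session for the callback to check.
# Domain, client id, base URL, prefix and the session Hash are placeholders.
module Auth0Authorize
  # prefix: the app's mount point (e.g. "/service-name") so the callback path
  # keeps it; extra: per-request authorize params such as prompt: 'none',
  # screen_hint: 'signup' or connection: 'google-oauth2'.
  def self.url(domain:, client_id:, app_base:, session:, prefix: '',
               scope: 'openid profile email', extra: {})
    state = SecureRandom.hex(24)
    nonce = SecureRandom.hex(24)
    session['omniauth.state'] = state
    session['omniauth.nonce'] = nonce
    params = {
      'response_type' => 'code',
      'client_id'     => client_id,
      'redirect_uri'  => "#{app_base}#{prefix}/auth/auth0/callback",
      'scope'         => scope,        # spaces become '+', not left raw
      'state'         => state,
      'nonce'         => nonce
    }
    extra.each { |k, v| params[k.to_s] = v.to_s unless v.nil? }
    "https://#{domain}/authorize?#{URI.encode_www_form(params)}"
  end

  # Decide the prompt per request instead of fixing it in the initializer:
  # prompt=none (silent auth) only when the app believes an Auth0 session
  # exists, an interactive login otherwise; screen_hint=signup when the
  # user clicked "sign up". `silent` and `signup` would come from a cookie
  # or query flag in a real app.
  def self.for_request(silent:, signup: false, **opts)
    extra = {}
    extra[:prompt] = 'none' if silent
    extra[:screen_hint] = 'signup' if signup
    url(extra: extra, **opts)
  end

  # Parses the query back into a Hash, e.g. to assert on what was sent.
  def self.query(url)
    URI.decode_www_form(URI(url).query).to_h
  end
end
```

Because the state and nonce written here are what the callback phase compares against, the builder has to run in the same session the callback will see. With OmniAuth's own request phase the per-request values would instead be injected through a setup proc (as in the AUTH0_SETUP lambda shown later on this page) rather than by assembling the URL by hand.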
After bundle update...
Fetching jwt 1.5.6 (was 2.1.0)
Installing jwt 1.5.6 (was 2.1.0)
Fetching faraday 0.12.2 (was 0.13.1)
Installing faraday 0.12.2 (was 0.13.1)
Fetching mime-types 2.99.3 (was 3.1)
Installing mime-types 2.99.3 (was 3.1)
Fetching rest-client 1.8.0 (was 2.0.2)
Installing rest-client 1.8.0 (was 2.0.2)
Sample project on Windows requires this gem, which is commented out by default. Need to add to README.md a note like this: If you are using Windows, uncomment the tzinfo-data gem in the Gemfile.
When adding scopes they aren't being included in the JWT. Oddly, some appear to work and others don't. For example, the scopes 'openid email profile offline_access' all pass fine, but if I add a scope like "read:stats" or "read:users" it doesn't appear in the JWT. And these scopes that aren't being added to the JWT are listed under permissions in both Auth0 Management API and my custom localhost api.
For the scope to be included in the JWT.
Here is my builder.
use OmniAuth::Builder do
  provider(
    :auth0,
    ENV['AUTH0_ADMIN_CLIENT_ID'],
    ENV['AUTH0_ADMIN_CLIENT_SECRET'],
    ENV['AUTH0_DOMAIN'],
    name: 'admin_auth',
    origin_param: false,
    callback_path: '/admin/callback',
    authorize_params: {
      scope: 'openid read:users email profile offline_access',
      audience: ENV.fetch('AUTH0_AUDIENCE') { 'http://localhost:3500' },
    }
  )
end
omniauth (2.1.0)
  hashie (>= 3.4.6)
  rack (>= 2.2.3)
  rack-protection
omniauth-auth0 (3.0.0)
  omniauth (~> 2.0)
  omniauth-oauth2 (~> 1.7)
omniauth-oauth2 (1.7.2)
  oauth2 (~> 1.4)
  omniauth (>= 1.9, < 3)
https://auth0.com/docs/quickstart/webapp/rails
step 5. Triggering login manually or integrating the Auth0Lock
When I try the tutorial and I select the custom UI view, this is how the tutorial says it should look:
Using the code, this is how it looks on my localhost:
In the code I don't see any buttons for Facebook or the text "Use a Social or Enterprise connection", so I think that something is updated, the picture or the code.
Does this gem support the passwordless sms connection? Everything works fine with the username password connection. However, when I try to force SMS connections through ?connection=sms I get redirected to https://login.auth0.com/lo/wsfed with the error message Cannot GET /wsfed.
I am trying to setup like so:
AUTH0_SETUP = lambda do |env|
  req = Rack::Request.new(env)
  namespace = 'foobar.auth0.com'
  site = "https://#{namespace}"
  client_info_querystring = "..."
  env['omniauth.strategy'].options[:client_id] = 'some-id'
  env['omniauth.strategy'].options[:client_secret] = 'some-secret'
  env['omniauth.strategy'].options[:namespace] = namespace
  env['omniauth.strategy'].options[:provider_ignores_state] = { callback_path: "/auth/auth0/callback" }
  env['omniauth.strategy'].options[:client_options]
    .merge!(site: site,
            authorize_url: "#{site}/authorize?#{client_info_querystring}",
            token_url: "#{site}/oauth/token?#{client_info_querystring}",
            userinfo_url: "#{site}/userinfo")
end
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :auth0, setup: AUTH0_SETUP
end
but this does not work because OmniAuth::Strategies::Auth0::initialize depends on args and has a check on the argument:
fail(ArgumentError.new("Received wrong number of arguments. #{args.inspect}")) if @options[:namespace].nil?
but in case of setup, args will be [{setup: <Proc>}] and will not have the namespace it needs.
Other Omniauth strategies like facebook use the option class method to configure it and do not use the initialize method.
Devise support might be integrated in this gem or in a separate one. Find out which is best.
Hey guys, in that file https://github.com/auth0/omniauth-auth0/blob/master/lib/omniauth-auth0/version.rb, you are bumping the version of the Auth0, not the OmniAuth0, thus when both gems are used it generates a warning.
Hello, maintainer of OmniAuth here.
I just wanted to make the maintainers of this gem aware of the discussion that I have opened regarding v2.0.0 of OmniAuth. I invite you to join in and voice any concerns you may have here: omniauth/omniauth#1017
After following the setup instructions for Rails and adding the button. The button does nothing. Note that I have a fully functional rails 5 application that works just fine with exact same code. May be the documentation needs to reflect this?
<%= button_to 'Login', '/auth/auth0', method: :post %>
However this works just fine:
<%= button_to "Login", "/auth/auth0", method: :post, data: { turbo: false } %>
Expected to redirect to Auth0 Login page
Without turbo: false all I get in logs is:
web | Started POST "/auth/auth0" for ::1 at 2022-11-21 22:58:24 -0500
web | D, [2022-11-21T22:58:24.501212 #45225] DEBUG -- omniauth: (auth0) Request phase initiated.
Hi, I'm using this Ruby gem in conjunction with the Auth0 Lock widget for authentication.
Gem is configured as
provider(
  :auth0,
  auth0_config['client_id'],
  auth0_config['client_secret'],
  auth0_config['domain'],
  {
    callback_path: '/auth/auth0/callback',
    authorize_params: {
      scope: 'openid'
    }
  }
)
The auth0_config is a hash with the auth0 configuration in my application.
Once I successfully log in, from the Rails side I can see the omniauth.auth request variable, but this is of the kind of:
I omitted the non-relevant pieces. I have an id token, but the access_token, which I believe to be the "token" in the hash, is not a JWT token.
How can I get a JWT token I can use for authentication?