The login method is using /oauth/ro which has been deprecated and now disabled for new clients following https://auth0.com/docs/clients/client-grant-types, we should update the library to use oauth/token endpoint instead of /ro.

Calling the logout_url method doesn't include client_id parameter in the resulting URL.

According to https://auth0.com/docs/logout, the Client ID parameter specifies the application to log the user out of.

As it stands the following code returns "https://mydomain.auth0.com/logout?returnTo=/". Shouldn't it return "https://mydomain.auth0.com/logout?returnTo=/&client_id=XXXXXXXXXXXX"?

Auth0Client.new(
    client_id: 'XXXXXXXXXXXX', 
    client_secret: 'XXXXXXXXXXXX',
    api_version: 1,
    domain: 'mydomain.auth0.com'
).logout_url('/').to_s

Expected Output: "https://mydomain.auth0.com/logout?returnTo=/&client_id=XXXXXXXXXXXX"
Actual output: "https://mydomain.auth0.com/logout?returnTo=/"

It would appear the login function in authentication_endpoints.rb, which POSTs to oauth/token does not appear to allow for an optional refresh token field.

According to the Auth0 docs, this endpoint is also used to get a new access token via refresh token if one is available (using refresh_token in the grant_field option as well as providing the refresh_token as a top level param).

To me, this means that there is no way to use a refresh token to get a new access token with this API wrapper.

Is this correct?

Would it be possible to release a new version of this library with the work done in #129 (and subsequent fixes I see on master)? Is the library in a state where it is able to be released?

Thanks!

Greetings fellow Auth0 geeks,

I have an existing Auth0 account with multiple clients and conditional post email verification redirects specified through the Auth0 dashboard.
When triggering a resend verification email job via the Ruby V2 client, the redirect to URL points to the default URL, not the one specified for the given client_id.

This is not the behavior in the V1 implementation where the client_id is correctly applied and the redirect follows to the specified URL.

Looking at the docs for Send a "verify email address" email a client_id body attribute is accepted, where as the Ruby implementation (to my understanding) does not apply the client_id:

def send_verification_email(user_id)
  raise Auth0::InvalidParameter, 'Must specify a user id' if user_id.to_s.empty?
  request_params = {
    user_id: user_id
  }
  path = "#{jobs_path}/verification-email"
  post(path, request_params)
end

Naively, should we add an optional client_id argument and add it to the request_params if the value is present?

Thanks for your feedback

When using #remove_role_permissions, I hit:

NameError: uninitialized constant Auth0::Mixins::Validation::Permission

It seems to me that's because this file misses:

require 'auth0/mixins/permission_struct'

If anyone runs through this until a patch: requiring permission_struct in your code before calling #remove_role_permissions does the trick.

Read carefully.

Remove the examples directory from this repository because it is completely unrelated to this project:

• examples/ruby-on-rails-webapp is a omniauth-auth0 example, so it should go straight to the examples directory of omniauth-auth0.
• examples/ruby-on-rails-api is an ruby-jwt example, but because this is a general purpose library and not only for auth0, and most importantly we don't own that repository, create a new repository auth0/rails-jwt-example or rails-jwt-seed.

Modify the example packager/seed project/docs etc with the new links.

The tickets#post_password_change requires a password for requesting a password reset ticket.

We need to be able to request ticket that redirect to password reset page so user can choose their new password.

According to docs password is an optional parameter.

Docs: https://auth0.com/docs/api/management/v2#!/Tickets/post_password_change

Hello and thank you for this library, super helpful.

We are trying to upgrade to Ruby 2.5.1 but we are experiencing failures on Circle CI.
What Ruby version are you running on Travis for this gem?

What would be the best way for us to help you with that? My plan would be:

• Create a new ruby (maybe rails) app
• Create a new open Auth0 env for such testing (do you have an open one already?)
• Setup Circle CI
• Add a test that fails with 2.5.1

but that requires a bit of investment on our side so before moving forward I would love to get some feedback from you on that.

Thank you, much appreciated

Apparently header information is being clobbered between 2 separate instances of clients.

I need V2 client for user management, and V1 client to generate impersonation links.
When I have this:

Rails.application.auth0_api_client = Auth0Client.new(
    :api_version => 2,
    :token => ENV['AUTH0_JWT_TOKEN'],
    :domain => ENV['AUTH0_DOMAIN']
)

Rails.application.auth0_auth_client = Auth0Client.new(
    :api_version => 1,
    :domain => ENV['AUTH0_DOMAIN'],
    :client_id => ENV['AUTH0_API_KEY'],
    :client_secret => ENV['AUTH0_API_SECRET']
)

Rails.application.auth0_api_client acts as if it was the latter. This is potentially a security issue, on top of not allowing us to manage users and provide a link to impersonate. At the root of this issue is that V2 JWT token does not work with impersonation API, which should be in V2 afterall.

Would be helpful if you are able to control the timeout of the HTTP requests the API client is making.

ruby-on-rails-api has a lot of outdated dependencies. (For example, rails itself). (AUTH-3466)

I was hoping someone could explain why this happened. I understand that there needs to be a client grant if I'm trying to get an access_token signed by auth0 to call the resource_server.
However, the code below is getting and id_token signed with my client secret which never calls any resource server. I'm not sure why adding the resource server to the client via the auth0 management api would cause an unrelated application/auth flow to go down.

Below is the minimum repro case:

2.3.1 :007 > client = Auth0Client.new(
2.3.1 :008 >     client_id: '04a3QIRE2b0dj8s83WxdoXpdrEXAMPLE',
2.3.1 :009 >     client_secret: 'CIxYL_Zjt_cWWMxqtvgTyHJVYHk5-CPer2j5p-A2lq9dILEF_PpBrhyNMEXAMPLE',
2.3.1 :010 >     domain: 'domain.auth0.com',
2.3.1 :011 >     api_version: 1
2.3.1 :012?>   )
 => #<Auth0Client:0x007fd675bcbc10 @domain="domain.auth0.com", @base_uri="https://domain.auth0.com", @headers={"Content-Type"=>"application/json", "User-Agent"=>"Ruby/2.3.1", "Auth0-Client"=>"eyJuYW1lIjoicnVieS1hdXRoMCIsInZlcnNpb24iOiI0LjEuMCJ9", "Authorization"=>"Bearer h5XMQmo6YWlDtXaG99Spflmw74L8FdtMqSCCtysLRbFMLGVAMa3Msy6NZZvNmVcd"}, @timeout=10, @client_id="04a3QIRE2b0dj8s83WxdoXpdrEXAMPLE", @client_secret="CIxYL_Zjt_cWWMxqtvgTyHJVYHk5-CPer2j5p-A2lq9dILEF_PpBrhyNMEXAMPLE", @token="h5XMQmo6YWlDtXaG99Spflmw74L8FdtMqSCCtysLRbFMLGVAMa3Msy6NZZvNmVcd">

# patch client to have a resource server
Request URL:https://domain.auth0.com/api/v2/clients/04a3QIRE2b0dj8s83WxdoXpdrEXAMPLE
Request Method:PATCH
Status Code:200 OK

{
  "resource_servers":[
   {
     "identifier": "https://resource_identifier/",
     "scopes": []
   }
   ]
}

2.3.1 :013 > client = Auth0Client.new(
2.3.1 :014 >     client_id: '04a3QIRE2b0dj8s83WxdoXpdrEXAMPLE',
2.3.1 :015 >     client_secret: 'CIxYL_Zjt_cWWMxqtvgTyHJVYHk5-CPer2j5p-A2lq9dILEF_PpBrhyNMEXAMPLE',
2.3.1 :016 >     domain: 'domain.auth0.com',
2.3.1 :017 >     api_version: 1
2.3.1 :018?>   )
Auth0::AccessDenied: {"error":"access_denied","error_description":"Client is not authorized to access \"https://resource_identifier/\". You might probably want to create a \"client-grant\" associated to this API. See: https://auth0.com/docs/api/v2#!/Client_Grants/post_client_grants"}
    from ~/.rvm/gems/ruby-2.3.1/gems/auth0-4.1.0/lib/auth0/mixins/httpproxy.rb:24:in `block (2 levels) in <module:HTTPProxy>'
    from ~/.rvm/gems/ruby-2.3.1/gems/auth0-4.1.0/lib/auth0/api/authentication_endpoints.rb:21:in `obtain_access_token'
    from ~/.rvm/gems/ruby-2.3.1/gems/auth0-4.1.0/lib/auth0/mixins/initializer.rb:79:in `initialize_v1'
    from ~/.rvm/gems/ruby-2.3.1/gems/auth0-4.1.0/lib/auth0/mixins/initializer.rb:39:in `initialize_api'
    from ~/.rvm/gems/ruby-2.3.1/gems/auth0-4.1.0/lib/auth0/mixins/initializer.rb:17:in `initialize'
    from (irb):13:in `new'
    from (irb):13
    from ~/.rvm/rubies/ruby-2.3.1/bin/irb:11:in `<main>'
2.3.1 :019 >

Description

Unable to initialize Auth0Api
for obtain_access_token

tried various options include eg. Auth0Api.initialize(options = {})
Auth0Api.new(options = {})

Environment

• Ruby Auth0 version: 4.5.0
• Ruby version: 2.4.4
• Rails version (if applicable): 5.1

I think the user can generate the docs or use http://www.rubydoc.info/github/auth0/ruby-auth0

We took a look to the API V2 and found some endpoints that are not implemented.

Our plan is to implement those endpoints and review the already implemented ones.

Endpoints to be implemented

• Device Credentials (3 endpoints)
• Rules (5 endpoints)
• Email (4 endpoints)
• Tickets (2 endpoints)

Methods to be implemented

• Jobs

  • create_job

    This method needs to be implemented using multipart upload, HTTParty doesn't support it. We think that we can switch to use HTTMultiParty which supports multipart upload.

We also found that the API code is not documented and the code style can be improved. We would suggest to:

• Add documentation to the code, we could use TomDoc, recommended by Github ruby style guide
• Integrate Rubocop to improve the API code style.

Regarding the integration tests, we would like to add more tests for all the endpoints in the API.
Currently just the clients, connections and users are tested. We are planning to create integration tests for all endpoints, against the real Auth-0 API in order to have a better integration scenario.

We'll start working on fixing the code style in order to clean the code base first.

We would love to hear your feedback on any of these topics.

Description

When initializing the client, the audience cannot be set.

If you try to use the default Auth0 Management API system api against a custom domain, you have to specify an audience that is different than the domain. You are currently unable to do this.

Prerequisites

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• Did you check the documentation (repo README or Quickstart)?
• Did you check the Auth0 Community?
• Are you reporting this to the correct repository? See also the OmniAuth-Auth0 strategy for logging in with Rails.
• Are there any related or duplicate Issues or PRs for this issue?

Environment

Please provide the following:

• Ruby Auth0 version: current master at the time of issue creation (4.8.0?)
• Ruby version:
• Rails version (if applicable):
• Browser version (if applicable):
• Additional gems that might be affecting your instance

Reproduction

The code (which tries to pass an audience):

Auth0Client.new(
          client_id: '...',
          client_secret: '...',
          domain: 'accounts.my-org.com',
          audience: 'https://my-org.auth0.com/api/v2/',
          api_version: 2

results in the request body:

{
  "grant_type":"client_credentials",
  "client_id":"...",
  "client_secret":"...",
  "audience":"https://accounts.my-org.com/api/v2/"
}

The audience appears to be built based on the domain with no way to override it.

Is there a roadmap to include prompts endpoints (new API feature) in the gem?
That would be awesome :)

Can the version 4 changes be added to the changelog and a tag pushed. Would like to know what's changed.

Wouldn't it be great to document what changed between gem releases?

https://github.com/skywinder/github-changelog-generator seems like a helpful tool (but I haven't yet used it myself)

I saw this error from Auth0Client a couple of times in the past week:

undefined method code' for nil:NilClass`

auth0/mixins/httpproxy.rb in block (2 levels) in <module:HTTPProxy> at line 20

https://github.com/auth0/ruby-auth0/blob/master/lib/auth0/mixins/httpproxy.rb#L20

For some reason, result is nil in httpproxy.rb here.

This occured from a call to Auth0Client.new(**options**).user(**user_uid**). I haven't been able to reproduce this myself, so I'm not sure what the cause is here. Attempts to re-use the same user uid manually return successful results.

I understand from this answer that the only way to actually replace and not update-merge app_metadata or user_metadata is to call the update function with user_metadata: nil or app_metadata: nil.

But this line prevents from doing that, removing nil-valued fields.

Is there another workaround to actually replace the contents of *_metadata for a user?

I really want to use auth0 for a pet project, but I'm pulling my hair out trying to figure out how this gem needs to be used...
Perhaps you could at least add a link to the rubydoc repo. I also don't understand why the examples don't actually use auth0...

Description

There's no method in the gem to update a resource server (e.g. to call PATCH /api/v2/resource-servers/[id]); corresponding methods exist for other endpoints such as Clients.

I have a WIP PR for this.

Prerequisites

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• Did you check the documentation (repo README or Quickstart)?
• Did you check the Auth0 Community?
• Are you reporting this to the correct repository? See also the OmniAuth-Auth0 strategy for logging in with Rails.
• Are there any related or duplicate Issues or PRs for this issue?

Environment

Please provide the following:

• Ruby Auth0 version: 4.6.0
• Ruby version: 2.4.4p296
• Rails version (if applicable): N/A
• Browser version (if applicable): N/A
• Additional gems that might be affecting your instance: N/A

Reproduction

irb(main):001:0> connection = Auth0::Client.new(...)
irb(main):002:0> connection.patch_resource_server(...)
NoMethodError: undefined method `patch_resource_servers' for #<Auth0::Client:0x00000000073974a0>

I don't know if it's an issue with the gem or Auth0 backend.

When I add a permission to a role, and the permission has a dot in the name, then the description is not added to the role's permission object.

If I remove the dot from the name of the role, it gets back to normal behaviour. Look at that (and users.list:read:current_user_organizations has a description by itself. If I remove the dot in the name, it works ok):

Is it expected?

Currently the Auth API is only available in V1 mode: https://github.com/auth0/ruby-auth0/blob/master/lib/auth0/mixins/initializer.rb#L19

But the Auth API is independent of our V1/V2 API, so it should also be available when working in V2 mode.

Description

The endpoint for creating a user lists the name field as optional:

https://auth0.com/docs/api/management/v2#!/Users/post_users

But the create_user method requires a name parameter:

https://github.com/auth0/ruby-auth0/blob/master/lib/auth0/api/v2/users.rb#L48

I would think the implementation of the gem should match the reality of the endpoint. For instance, perhaps connection should be a positional or required named parameter since it is required.

Prerequisites

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• Did you check the documentation (repo README or Quickstart)?
• Did you check the Auth0 Community?
• Are you reporting this to the correct repository? See also the OmniAuth-Auth0 strategy for logging in with Rails.
• Are there any related or duplicate Issues or PRs for this issue?

Environment

• Ruby Auth0 version: master

https://github.com/auth0/ruby-auth0/network/dependencies

Greetings - it is possible to obtain an APIv2 token using the ruby library? Basically, I want to call a method that makes the request documented here:

https://auth0.com/docs/api/management/v2/tokens#automate-the-process

Is there a way to do this currently with this library?

Issue

When using #remove_role_permissions, I get:

warning: Overriding "Content-Type" header "application/json" with "application/x-www-form-urlencoded" due to payload
Auth0::BadRequest: {"statusCode":400,"error":"Bad Request","message":"Payload validation error: 'Expected type string but found type array' on property permissions[0].resource_server_identifier (The resource server that the permission is attached to). (also) Payload validation error: 'Expected type string but found type array' on property permissions[0].permission_name (The name of the permission to perform the action).","errorCode":"invalid_body"}

even though my array looks fine to me:

[
    [0] #<Struct:Permission:0x5586cd6267a0
        permission_name = "users:read:co_members",
        resource_server_identifier = "https://xxx/v1/"
    >,
    [1] #<Struct:Permission:0x5586cd626688
        permission_name = "users:read:current_user",
        resource_server_identifier = "https://xxx/v1/"
    >
]

Fix

In my understanding, it is due to the fact that this line uses body instead of body.to_json.

That would be an easy fix if it's ok.

Dedicate an auth0 account for tests, keys can be encrypted in .travis.yml, write tests that actually do stuff with the API.

What do you think?

Hey guys,

This gem is currently broken with the latest Ruby version (2.4.0) as Rest-client ver. 1.8.0 fails to bind with OpenSSL and all Auth0 API requests can not be performed (https://github.com/auth0/ruby-auth0/blob/ee4213b288726cbd951b1ddd7823b673dee29e24/lib/auth0/mixins/httpproxy.rb).

The only solution I could find is building Ruby with an old OpenSSL version (before 1.1.x), but in reality it's a really bad solution - especially on Backend servers expose to the whole world.

Step to recreate: Follow "Quick Start - Ruby On Rails" guide (https://auth0.com/docs/quickstart/webapp/rails) with ruby version 2.4.0

The reported issue on Rest-client gem: rest-client/rest-client#569
The fix which was merge to Rest-client HEAD: rest-client/rest-client#573

Can provide more info with a request, yet, recreating the issue is pretty straight forward.

when an API error results in a BadRequest exception being thrown, client code using the gem only has access to the exception message as a ruby hash literal - meaning that eval must be called to change it into a format from which the actual message or error code can be extracted.

While regexp matching could be used as a slightly-more-secure workaround, in cases where either exception error messages could be forwarded to end users or other logic is in place which examines the response body when an exception is thrown, this makes it clunky to work with exception data. If the request body were JSON-encoded before being set to the message of an exception, client code could at least parse the exception's message into a hash when thrown.

I get this error if I call post_password_change with or without a String password:

{
  "statusCode"=>400, 
  "error"=>"Bad Request", 
  "message"=>"Payload validation error: 'Expected type string but found type object' on property new_password (The password to set for the user once the ticket is used).",
  "errorCode"=>"invalid_body"
}

Here is how I am calling the method:

res = auth0_client.post_password_change(
  user_id: user.user_id,
  result_url: ENV['AUTH0_CALLBACK_URL']
)

If I pass a new_password parameter I get the same exact error

res = auth0_client.post_password_change(
  new_password: 'secret',
  user_id: user.user_id,
  result_url: ENV['AUTH0_CALLBACK_URL']
)

Is there an example of this being used inside of a Rails API project? All of the rails api projects just have authenticating the current user.

Hello,

When I run
$ bundle exec rake documentation
I get

bundle exec rake documentation        
rake aborted!
Don't know how to build task 'documentation' (see --tasks)

When I list my tasks using --tasks, documentation does not show up.

Any ideas?

When the local documentation is built, will it be the same as what is on https://www.rubydoc.info/github/auth0/ruby-auth0/Auth0Client? It seems quite incomplete...

Description

There's no method in the gem to get a list of all resource servers (e.g. to call GET /api/v2/resource-servers); corresponding methods exist for other endpoints such as Clients.

I have a PR ready to implement this change, but the contributing guidelines instruct to open an issue first, so, that's what I'm doing.

Prerequisites

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• Did you check the documentation (repo README or Quickstart)?
• Did you check the Auth0 Community?
• Are you reporting this to the correct repository? See also the OmniAuth-Auth0 strategy for logging in with Rails.
• Are there any related or duplicate Issues or PRs for this issue?

Environment

Please provide the following:

• Ruby Auth0 version: 4.6.0
• Ruby version: 2.4.4p296
• Rails version (if applicable): N/A
• Browser version (if applicable): N/A
• Additional gems that might be affecting your instance: N/A

Reproduction

irb(main):001:0> connection = Auth0::Client.new(...)
irb(main):002:0> apis = connection.resource_servers
NoMethodError: undefined method `resource_servers' for #<Auth0::Client:0x0000000002e740a8>
Did you mean? resource_server

The gem requires the token to be non-null (see this line), whereas it is useful to use the API (specifically those helpers) just to actually get a management token - and thus with a nil token to begin with.

I have this workaround for now, but that would be great to provide a canonical way (or maybe there is and I didn't think of it?):

# Get a brand new management token for this machine to machine app
Auth0Client.new(
        client_id: Rails.application.secrets.auth0_client_id,
        client_secret: Rails.application.secrets.auth0_api_mtom_client_secret,
        domain: Rails.application.secrets.auth0_domain,
        token: 'dummy-but-must-be-non-null-because-of-the-gem'
      ).api_token

hy, i want to login with auth0 but also want to save referral token which is coming in url(myweb.com?referral=xxxx).
Is there anyway to achieve this??

This is preventing callers from passing audience and realm along.

There seem to be a few things that could be addressed here:

• This should include audience and realm
• Remove old /oauth/ro params: connection, id_token, and device
• the default grant_type should be 'password' not password

It looks like there is a typo in the AuthenticationEndpoints.login method.

grand_type: "password",

should be:

grant_type: "password",

Also, the spec has the same issue.

I'm able to use the login method with no problems, so maybe "password" is the default grant_type and this param is ignored?

Description

The URI.escape seems to be marked as obsolete:
https://ruby-doc.org/stdlib-2.7.0/libdoc/uri/rdoc/URI/Escape.html#method-i-escape-label-Description

and when running our Rails app or running the tests for it we're getting a lot of these warnings.

Reproduction

When using the gem with Ruby 2.7 as part of a Rails app I get the following logs output:

.rbenv/versions/2.7.0/lib/ruby/gems/2.7.0/gems/auth0-4.9.0/lib/auth0/mixins/httpproxy.rb:11: warning: URI.escape is obsolete

Environment

• Version of this library used: 4.9.0
• Version of the platform or framework used, if applicable: Rails 6.0.2.1

I think it would be good practice to git tag the released versions of the gem.

Hello, thanks for this library!

I am using it so that our users could be periodically synced in auth0, like so:

file = Tempfile.new("users-to-copy-to-auth0")
users = [] # I get users from the db
begin
  file.write(users.to_s)
  puts "before"
  @@auth0.import_users(file, "Username-Password-Authentication")
  puts "after"
ensure
  file.close
  file.unlink
end

"after" never gets printed, instead I get EOFError: end of file reached after approx 1min, even though the file is just 4.5kb, so it looks like a timeout.

I have to say I'm not a ruby dev, I've just picked up a task that has to be done, this to say that I might be doing something really stupid.

Thanks for any help / hint.

License text needs an update.

We've run into the problem described in #83, and it appears that a fix was committed in April, which consists solely of updating the version of rest-client (#87). Do you have plans to release a new version of the auth0 gem soon?

Hi I'm using the latest gem version (4.9.0). When upgrading to this new version one of my Permission model fails to load.

When I open up rails console and start calling methods on it, it fails as it attempts to call methods on this struct instead https://github.com/auth0/ruby-auth0/blob/master/lib/auth0/mixins/permission_struct.rb.

I can run Object.send(:remove_const, :Permission) and use my model as expected.

Description

When rate limiting is encountered, an Auth0::Unsupported exception is raised, whose message only states {"statusCode":429,"error":"Too Many Requests"}. This is because the exception message is generated from only the HTTP response's status and body.

When the Auth0 API returns a 429 response, it includes details about the limits in HTTP response headers; specifically, as noted in Rate Limits, the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers.

It would be good to return this information to the caller when raising an exception due to rate limiting.

Prerequisites

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• Did you check the documentation (repo README or Quickstart)?
• Did you check the Auth0 Community?
• Are you reporting this to the correct repository? See also the OmniAuth-Auth0 strategy for logging in with Rails.
• Are there any related or duplicate Issues or PRs for this issue?

Environment

Please provide the following:

• Ruby Auth0 version: 4.6.0
• Ruby version: 2.4.4
• Rails version (if applicable): N/A
• Browser version (if applicable): N/A
• Additional gems that might be affecting your instance: N/A

Reproduction

Easiest way to reproduce is to use a free/trial account with a low rate limit, and then repeatedly call Auth0::Api::V2#logs until an exception is raised.

#191 is closed because of stale but was supposed to stay open.

When using rails s, on the ruby on rails api after running bundle install, the seed project wont start, it think it's creating a new APP.