Using Auth0 as an IdP¶

Follow the instructions below to use Auth0 as the Identity Provider (IdP) to authenticate the APIs that belong to a specific Organization:

Step 1 - Create an Organization¶

Create an organization in Auth0.

For testing purposes let's create an organization named org1.

Step 2 - Create a user¶

If you have not created the user already, create a user.

Step 3 - Assign the user to the organization¶

Assign the member to the Organization, which you created in Step 1.

Step 4 - Enable a connection¶

Add a connection for your organization as Username-Password-Authentication.

Step 5 - Create an application¶

Create an application.

Let's create an application as My App.
Configure the application.

Configure the organization settings that correspond to the application.
- Define the type of users that will log in to this application - Individuals

Step 5 - Add a custom claim for the organization¶

You need to add a custom claim to the tokens to identify the organization.

Create a custom action for the login flow.

Go to Actions > Flows > Login > Custom and click the + button in the top-right corner, then select Build custom.
Create an action named addOrgclaim.

Add the follwing code to the editor and Deploy the action. You should add a proper organization identfier as the orgId claim value.

exports.onExecutePostLogin = async (event, api) => {
  api.idToken.setCustomClaim('orgId', 'org1');
};

Field	Description
`orgId (claim name)`	Custom claim name to identify the organization. This should be `orgId`
`org1 (claim value)`	A value to identify the organization. You can add any identifier for the organization like organization name.

Apply the custom action to the Post Login flow.
- Go to Actions > Flows > Login > Custom and select the created action addOrgclaim and drop that to the flow.

Step 6 - Add a new token issuer for the IDP¶

Access the endpoints that correspond to the application, which is available in the Advanced Settings section.

Create two file named idp-system-token-issuer.yaml and idp-org-token-issuer.yaml add the following content to it.

Parameter	Description
`issuer:`	The IdP's issuer URL.
`jwksEndpoint:`	The URL of the IdP's JSON Web Key Set (JWKS) endpoint.
`usernameClaim:`	The claim in the IdP's token that represents the user's username.
`organizationClaim:`	The claim in the IdP's token that represents the user's organization, This should always be `orgId`.
`organization:`	The organization of IDP. To invoke system APIs, this should be `apk-system`. To invoke particular organizaiton's APIs, this should be organization claim value.

For System APIs

  apiVersion: dp.wso2.com/v1alpha1
  kind: TokenIssuer
  metadata:
    name: auth0-idp-issuer
  spec:
    claimMappings:
    - localClaim: x-wso2-organization
      remoteClaim: orgId
    consumerKeyClaim: azp
    issuer: https://<auth0domain>.auth0.com/
    name: new-service-provider
    organization: apk-system
    scopesClaim: scope
    signatureValidation:
      jwks:
        url: "https://<auth0domain>.auth0.com/.well-known/jwks.json"
    targetRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: default

For Organization APIs

  apiVersion: dp.wso2.com/v1alpha1
  kind: TokenIssuer
  metadata:
    name: auth0-idp-issuer
  spec:
    claimMappings:
    - localClaim: x-wso2-organization
      remoteClaim: orgId
    consumerKeyClaim: azp
    issuer: https://<auth0domain>.auth0.com/
    name: new-service-provider
    organization: default
    scopesClaim: scope
    signatureValidation:
      jwks:
        url: "https://<auth0domain>.auth0.com/.well-known/jwks.json"
    targetRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: default

Run the following commands to add the token Issuers to APK.

kubectl apply -f idp-system-token-issuer.yaml

kubectl apply -f idp-org-token-issuer.yaml

Optional

If you need to configure the IdP as the primary IdP instead of adding multiple IdPs, execute the following steps as the 6^th step.

Step 6 - Update the Helm Chart¶

Follow the instructions outlined in Customize Configurations. These instructions will guide you through the process of acquiring the values.yaml file. Open the values.yaml file.
Update the IDP related configurations in the idp section.
Create a K8s Secret with retrieved clientId and clientSecret from Step 4 with name apk-idp-secret.
```
idp:
  issuer: ""
  jwksEndpoint: ""      
  usernameClaim: ""
  organizationClaim: ""
```
- organizationClaim - This should be the custom organization claim(orgId) which configured in Step 5.1.
- Update all other values based on the Endpoint details that you came across in Step 6.1.

Step 6.1 - Install WSO2 APK¶

Format

helm install <helm-chart-name> .

Example

helm install apk-test .

Step 7 - Generate an Access Token¶

Open Postman and create a new request to generate the auth code token.
Navigate to the Authorization tab of the request.
Make sure that the token generation call has the same information that was entered in the Helm Chart in Step 6.
- Auth URL
- Access Token URL
- Client ID
- Client Secret
- Username
- Password
- CallBack Url
- Scopes - (rest API related scopes + openid)
Click Get New Access Token.
You will receive two tokens, namely the access token and ID token, when the token call is successful.
Copy the ID token that you see listed as the id_token.

Step 8 - Invoke the APIs¶

Use the JWT token that you received in the previous step to invoke the System APIs and other APIs.