Using Auth0 as an IdP¶
Follow the instructions below to use Auth0 as the Identity Provider (IdP) to authenticate the APIs that belong to a specific Organization:
Step 1 - Create an Organization¶
Create an organization in Auth0.
For testing purposes let's create an organization named org1
.
Step 2 - Create a user¶
If you have not created the user already, create a user.
Step 3 - Assign the user to the organization¶
Assign the member to the Organization, which you created in Step 1.
Step 4 - Enable a connection¶
Add a connection for your organization as Username-Password-Authentication.
Step 5 - Create an application¶
-
Let's create an application as
My App
. -
Configure the application.
Configure the organization settings that correspond to the application.
- Define the type of users that will log in to this application -
Individuals
- Define the type of users that will log in to this application -
Step 5 - Add a custom claim for the organization¶
You need to add a custom claim to the tokens to identify the organization.
-
Create a custom action for the login flow.
- Go to Actions > Flows > Login > Custom and click the + button in the top-right corner, then select Build custom.
- Create an action named
addOrgclaim
. -
Add the follwing code to the editor and Deploy the action. You should add a proper organization identfier as the
orgId
claim value.exports.onExecutePostLogin = async (event, api) => { api.idToken.setCustomClaim('orgId', 'org1'); };
Field Description orgId (claim name)
Custom claim name to identify the organization. This should be orgId
org1 (claim value)
A value to identify the organization. You can add any identifier for the organization like organization name.
-
Apply the custom action to the Post Login flow.
- Go to Actions > Flows > Login > Custom and select the created action
addOrgclaim
and drop that to the flow.
- Go to Actions > Flows > Login > Custom and select the created action
Step 6 - Add a new token issuer for the IDP¶
-
Access the endpoints that correspond to the application, which is available in the Advanced Settings section.
-
Create two file named
idp-system-token-issuer.yaml
andidp-org-token-issuer.yaml
add the following content to it.Parameter Description issuer:
The IdP's issuer URL. jwksEndpoint:
The URL of the IdP's JSON Web Key Set (JWKS) endpoint. usernameClaim:
The claim in the IdP's token that represents the user's username. organizationClaim:
The claim in the IdP's token that represents the user's organization, This should always be orgId
.organization:
The organization of IDP. To invoke system APIs, this should be apk-system
. To invoke particular organizaiton's APIs, this should be organization claim value.apiVersion: dp.wso2.com/v1alpha1 kind: TokenIssuer metadata: name: auth0-idp-issuer spec: claimMappings: - localClaim: x-wso2-organization remoteClaim: orgId consumerKeyClaim: azp issuer: https://<auth0domain>.auth0.com/ name: new-service-provider organization: apk-system scopesClaim: scope signatureValidation: jwks: url: "https://<auth0domain>.auth0.com/.well-known/jwks.json" targetRef: group: gateway.networking.k8s.io kind: Gateway name: default
apiVersion: dp.wso2.com/v1alpha1 kind: TokenIssuer metadata: name: auth0-idp-issuer spec: claimMappings: - localClaim: x-wso2-organization remoteClaim: orgId consumerKeyClaim: azp issuer: https://<auth0domain>.auth0.com/ name: new-service-provider organization: default scopesClaim: scope signatureValidation: jwks: url: "https://<auth0domain>.auth0.com/.well-known/jwks.json" targetRef: group: gateway.networking.k8s.io kind: Gateway name: default
-
Run the following commands to add the token Issuers to APK.
kubectl apply -f idp-system-token-issuer.yaml
kubectl apply -f idp-org-token-issuer.yaml
Optional
If you need to configure the IdP as the primary IdP instead of adding multiple IdPs, execute the following steps as the 6th step.
Step 6 - Update the Helm Chart¶
- Follow the instructions outlined in Customize Configurations. These instructions will guide you through the process of acquiring the
values.yaml
file. Open thevalues.yaml
file. - Update the IDP related configurations in the
idp
section. -
Create a K8s Secret with retrieved
clientId
andclientSecret
from Step 4 with nameapk-idp-secret
.idp: issuer: "" jwksEndpoint: "" usernameClaim: "" organizationClaim: ""
organizationClaim
- This should be the custom organization claim(orgId
) which configured in Step 5.1.- Update all other values based on the Endpoint details that you came across in Step 6.1.
Step 6.1 - Install WSO2 APK¶
helm install <helm-chart-name> .
helm install apk-test .
Step 7 - Generate an Access Token¶
- Open Postman and create a new request to generate the auth code token.
- Navigate to the Authorization tab of the request.
-
Make sure that the token generation call has the same information that was entered in the Helm Chart in Step 6.
Auth URL
Access Token URL
Client ID
Client Secret
Username
Password
CallBack Url
Scopes - (rest API related scopes + openid)
-
Click Get New Access Token.
- You will receive two tokens, namely the access token and ID token, when the token call is successful.
- Copy the ID token that you see listed as the
id_token
.
Step 8 - Invoke the APIs¶
Use the JWT token that you received in the previous step to invoke the System APIs and other APIs.