I'm setting up cypress.io to test a react app. I'm trying to programmatically authenticate with Auth0 Lock so I don't have to test their UI. Here are the steps:
POST to https://[auth0-domain].com/usernamepassword/login
client_id: "",
client_secret: "",
audience: "audience",
redirectUri: "http://[auth0-domain].com:8383/callback",
scope: "openid email crud:all",
protocol: "oauth2",
sso: true,
username: "",
password: "",
connection: "conn",
tenant: "tenant",
popup: false,
Collect returned form data
POST to https://[auth0-domain].com/login/callback
wa=wsignin1.0&wresult=token&wctx=metastuff
The first steps works but in the third step I'm able to post to login/callback but I get an HTML page with this error message:
Looks like something went wrong! There could be a misconfiguration in the system or a service outage. We track these errors automatically, but if the problem persists feel free to contact us with this tracking id: <b>e88e08e43b7cdee78458</b>.<br/>Please try again.
I'm wondering if there is something with Auth0 blocking me from doing this or if I'm not sending the correct data/header.
I ended up using the auth0-js module which calls the auth0 callback. Then I use 'should' to wait for the localStorage to be set:
import auth0 from 'auth0-js';
import url from 'url';
Cypress.Commands.add('login', () => {
const auth = new auth0.WebAuth({
audience: 'http://audience',
domain: 'domain.auth0.com',
clientID: 'qqqqqqqqqqqq',
redirectUri: 'http://localhost/callback',
responseType: 'token id_token',
scope: 'openid email profile name username groups roles',
sso: true
});
auth.login({username: 'username', password: 'pass'});
cy.window().its('localStorage.user_profile').should('exist')
});
Related
My stack: oidc-react, Amazon Cognito
When I log out on the site and call auth.signOut();, the userManager signs out the user and redirects to the login page, but when you log in again by calling auth.signIn(); makes a request to Cognito with the token it has, but won't ask for credentials and logs the user in, I guess because the user still has a running session with the same token, if I am right. It only asks for login credentials after an hour because the session expires after 60minutes.
I want Congito to ask for credentials after signing out. I've tried passing the config these options after some research, but doesn't seem to be working:
revokeTokenTypes: (["access_token", "refresh_token"]),
revokeTokensOnSignout: true,
automaticSilentRenew: false,
monitorSession: true
This is the OIDC setup I pass to the provider:
const oidcConfig: AuthProviderProps = {
onSignIn: (user: User | null) => {
console.log("onSignIn");
},
onSignOut: (options: AuthProviderSignOutProps | undefined) => {
console.log('onSignOut');
},
autoSignIn: false,
loadUserInfo: true,
postLogoutRedirectUri: "localhost:3000/",
automaticSilentRenew: false,
authority: "https://" + process.env.REACT_APP_AWS_COGNITO_DOMAIN,
clientId: process.env.REACT_APP_AWS_COGNITO_CLIENT_ID,
redirectUri: window.location.origin,
responseType: 'code',
userManager: new UserManager({
authority: "https://" + process.env.REACT_APP_AWS_COGNITO_DOMAIN,
client_id: process.env.REACT_APP_AWS_COGNITO_CLIENT_ID!,
redirect_uri: window.location.origin,
revokeTokenTypes: (["access_token", "refresh_token"]),
revokeTokensOnSignout: true,
automaticSilentRenew: false,
monitorSession: true
})
};
AWS Cognito does not yet implement the RP Initiated Logout specification or return an end_session_endpoint from its OpenID Connect discovery endpoint. I expect this is your problem, since the library is probably implemented in terms of these standards.
Instead, AWS Cognito uses these parameters and a /logout endpoint. In my apps I have implemented Cognito logout by forming a URL like this, then redirecting to it by setting location.href to the URL value:
public buildLogoutUrl(): string {
const logoutReturnUri = encodeURIComponent(this._configuration.postLogoutRedirectUri);
const clientId = encodeURIComponent(this._configuration.clientId);
return `${this._configuration.logoutEndpoint}?client_id=${clientId}&logout_uri=${logoutReturnUri}`;
}
This will enable you to end the Cognito session and force the user to sign in again. It will also enable you to return to a specific location within your app, such as a /loggedout view.
I use to login via schema configuration (nuxt.config.js):
strategies: {
/**
* #description OAuth 2.0 authentication scheme
* {#link https://auth.nuxtjs.org/reference/schemes/oauth2}
*/
keycloak: {
_scheme: 'oauth2',
client_id: CLIENT_ID,
authorization_endpoint: NUXT_ENV_AUTH_LOGIN,
userinfo_endpoint: NUXT_ENV_AUTH_USER_INFO_ENDPOINT,
access_token_endpoint: NUXT_ENV_AUTH_ACCESS_TOKEN_ENDPOINT,
response_type: 'token id_token',
token_type: 'Bearer',
token_key: 'access_token',
scope: ['openid', 'profile', 'email'],
},
},
and it work perfectly using the classic form login.
Now i would like to login a user without a form but starting from a valid access_token generated by a CURL (curl or whatever....).
At the moment i can't figure out how to make it work. I tried to invoke methods like explained here https://auth.nuxtjs.org/api/auth/#refreshtokens but without a good result.
What's required to be loggog in, i suppose is to have a token set into localStorage and cookie (as i see post a normal login) and set the user data into the nuxt store.
Thank you for any advice.
I created an app with Vue (including Vue-Router), Node and Express.
I'm trying to secure my App with SSO, using auth0-js.
I created an Auth0-Account and followed this tutorial.
My Login function looks as follows:
import auth0 from 'auth0-js'
var auth = new auth0.WebAuth({
clientID: <my-client-id>,
domain: '<my-auth0-domain>/'
})
export function ssoLogin () {
auth.authorize({
responseType: 'token id_token'
redirectUri: http://localhost:8000/callback,
audience: 'https://<my-auth0-domain>/userinfo',
scope: 'full_access'
})
}
While the login itself works fine, I can't seem to find out how to secure the secret routes of my app.
Following the above mentioned tutorial, I used express-jwt and jwks-rsa, like this:
var jwt = require('express-jwt')
var jwks = require('jwks-rsa')
var authCheck = jwt({
secret: jwks.expressJwtSecret({
cache: true,
rateLimit: true,
jwksRequestsPerMinute: 5,
jwksUri: "https://<my-auth0-domain>/.well-known/jwks.json"
}),
audience: <my-client-id>,
issuer: "https://<my-auth0-domain>/",
algorithms: ['RS256']
})
app.post('/send-sensitive-data', authCheck, function (req, res) {
// this post requests sends some data, and should only do so, if a user is logged in
})
However, even if I'm logged in via SSO, when I try to access the sensitive data, I obtain
UnauthorizedError: No authorization token was found
I have no idea where I went wrong. This seems like a very stupid question, but: Can somebody tell me, where the authorization token must be, so it will be found?
I would really appreciate if someone helped me by this or gave me a hint.
Please feel free to ask for more code snippets, if that might help.
Okay, I found the answer on my own ... but in case anyone is making the same mistake as I'm doing: I forgot to set the header in the axios.post request, like that:
axios({
method: 'post',
url: '/send-sensitive-data',
data: somedata,
headers: {
Authorization: 'Bearer ' + getAccessToken()
}
})
.then(response => {
// do something with the response
})
I've successfully used the oidc-client-js library by Brock Allen to authenticate my SPA app with Auth0 acting as my Identity Provider. However, when I try to use the library to sign the user out mgr.signoutRedirect({state: "my test"}), I receive an error: no end session endpoint.
A look at the metadata endpoint shows that there is a revocation endpoint.
I've configured the oidc-client-js library like so:
var settings = {
authority: 'https://susqsofttest.auth0.com/.well-known/openid-configuration',
client_id: 'my client id',
redirect_uri: 'http://localhost:8080/signin-oidc',
post_logout_redirect_uri: 'http://localhost:8080/logout',
response_type: 'id_token token',
scope: 'openid profile email',
revokeAccessTokenOnSignout: true,
automaticSilentRenew: true,
filterProtocolClaims: true,
loadUserInfo: true
};
var mgr = new UserManager(settings);
Any ideas of what I'm missing?
You can give metadata for oidc client by adding metadata section to user manager settings.
var settings = {
authority: 'https://susqsofttest.auth0.com/.well-known/openid-configuration',
client_id: 'my client id',
redirect_uri: 'http://localhost:8080/signin-oidc',
post_logout_redirect_uri: 'http://localhost:8080/logout',
response_type: 'id_token token',
scope: 'openid profile email',
revokeAccessTokenOnSignout: true,
automaticSilentRenew: true,
filterProtocolClaims: true,
loadUserInfo: true,
metadata: {
issuer: `https://sts.windows.net/${tenant}/`,
authorization_endpoint: `https://login.microsoftonline.com/${tenant}/oauth2/authorize`,
token_endpoint: `https://login.microsoftonline.com/${tenant}/oauth2/token`,
jwks_uri: 'https://login.microsoftonline.com/common/discovery/keys',
end_session_endpoint: `https://login.microsoftonline.com/${tenant}/oauth2/logout`
}
};
This example is when using AzureAD. end_session_endpoint can be also your SPA route address like ${window.location.origin}/logout but then azure ad session won't end.
You can also set metadataUrl instead of metadata. 'https://login.microsoftonline.com/YOUR_TENANT_NAME.onmicrosoft.com/.well-known/openid-configuration',
signout redirect explicitly looking at the Json property "end_session_endpoint" in your idp configuration, I do not see that endpoint in your idp configuration, and I guess, this is not something that you can override with oidc-client.js package.
Check this out on how they are retrieving the endpoint url from metadata.
https://github.com/IdentityModel/oidc-client-js/blob/dev/src/OidcClient.js#L124
I am building a cordova mobile app and trying to use the auth0 lock API. I am having trouble with the refresh token. I can retreive the refresh token in the authResult but cannot figure out how to actually refresh the id_token ( I suppose i could write the REST calsl myself )
In the v9 docs, it seems there used to be a method: https://auth0.com/docs/libraries/lock/v9/using-a-refresh-token
lock.getClient().refreshToken(refresh_token, function (err, delegationResult) {
// Get here the new JWT via delegationResult.id_token
});
However in lock v10 it seems this method doesn't exist any more: https://auth0.com/docs/libraries/lock/v10/api
Can anyone advise if there is a way to refresh the token using the lock API?
First, you need to either have included Auth0's script tag in your HTML:
<script src="https://cdn.auth0.com/js/lock/10.8/lock.min.js"></script>
Or, if you've installed from npm, you can require Auth0:
var Auth0 = require("auth0-js");
In V10, you create an instance of the Auth0 client (separate from the Auth0Lock instance) which has a function refreshToken():
var auth0 = new Auth0({clientID: YOUR_CLIENT_ID, domain: YOUR_AUTH0_DOMAIN});
...
auth0.refreshToken(refresh_token_here, (err, resp) => {
// resp: {expires_in: 36000, id_token: "id_token here", token_type: "Bearer"}
}
The same can also be achieved by using the getDelegationToken() function:
auth0.getDelegationToken({
client_id: YOUR_CLIENT_ID,
grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
refresh_token: refresh_token_here,
scope: "openid",
api_type: "auth0"
}, (err, resp) => {
// resp: {expires_in: 36000, id_token: "id_token here", token_type: "Bearer"}
});