I've a requirement to integrate Auth0 in our project (Reactjs/Hapijs/MySQL). I checked the documentation and they have many examples and that is great, however, I can't find any related to how exactly do I use my existing user database.
In my application I have users and those users can have one or more projects. With the authorization that we currently use, a user logs in, I check what projects does he own and send it to the React application.
I am missing a document that explains me how to use Auth0 and still be able to check in my database what projects user owns.
My idea on how that should work (I might be wrong):
User sends username and password to our server
Our server makes request to Auth0 (with provided credentials)
Auth0 replies back to our server with some token
We look in users table in our database and try to verify the existence of that user
If it is a match then we simply look (as we already do) for user projects.
Is this how it is supposed to work?
There are a few options available for scenarios where you want to integrate Auth0 with applications that already have existing user databases. You can either:
continue to use your existing store
progressively migrate your users from your custom store to the Auth0 store
You don't mention it explicitly, but judging from your expected flow it seems you would be wanting to implement the first option. There is specific documentation that you can follow that explain how you can setup your custom database connection, see Authenticate Users with Username and Password using a Custom Database. It mentions MySQL, but others database servers are supported and there are many templates that will allow you to quickly setup things.
When you complete this the final flow will be the following:
Using either Auth0 authentication libraries (Lock) or your custom UI you'll ask the user for their credentials
Either Lock or your custom UI submits the credentials to Auth0 authentication API
Auth0 authentication API validates the credentials by calling scripts that execute against your custom database (these scripts were provided by you when you configured the database connection)
If the credentials are valid the Authentication API will return a token to the calling application that will have user information and proves the users is who he say he is.
The scripts you need to provide are the following, but only one is mandatory:
Login script (executed each time a user attempts to login) (mandatory)
Create user script
Verify email script
Change password script
Delete user script
The optional scripts are only required when you want to provide the associated functionality through Auth0 libraries, if only need the login to work then you can skip them. The login script, in the case of a valid user, is also where you return the profile information of the user, for example, you could in theory include their owned projects in the user profile.
Related
Context
I'm using Firebase phone authentication. and i have one mobile app for users and one web app for admin.
both users are stored in one collection.
Requirement
Now I want to validate that user is a admin when a user try to login in Web Application.
I keep data with users that "isAdmin" like this...
users:[
{
name:'John Doe',
phoneNumber:'+911234567890',
isAdmin:true
} ]
Now I want to validate every web authentication that user is an admin. otherwise i want deny the authentication,
Language: Javascript
Since the user's role is stored in a user document in a Firestore collection (named users if I correctly understand), when the user is signed-in (and therefore you have the user's uid and phone number) you should query the users Firestore collection to get his/her role (isAdmin true or false).
Then based on the role, you can either display the content of the Admin app or show an error and sign-out the user (you cannot "deny the authentication" but you can sign-out the user after he/she signs-in).
HOWEVER, the most important is to secure your database (and other Firebase backend services, if you use them) with some Security Rules based on the role. If your backend is secured, a non-authorized user who succeeds in opening or reverse-engineering your Admin frontend app can maybe see the GUI elements but cannot read and modify the corresponding data.
Since you store the role in a Firestore document, you need to use, in your Security Rules, the get() function, in order to get the contents of the user document. See the example in the doc.
Having said that, another classical approach to set up a role-based access-right strategy is to use Custom Claims, as explained by #Ashish in his answer.
One main advantage of using a Custom Claim is that the role (the claim) is contained by the ID token and therefore no additional lookup to a Firestore doc is needed to check for admin permissions.
You should note that you can only set Custom Claims from a privileged server environment by using the Firebase Admin SDK. This means via a server you own or via a Cloud Function (see this article, for example). You could also use the new dedicated "experimental" extension.
Setting the roles through a Firebase doc, as you do, is easier (just a document write or update), but you need to correctly secure the collection, in order to avoid a malicious user can modify a user doc.
Another advantage of Custom Claims is that they can be used in the Security Rules of all the services (Firestore, Cloud Storage, RTDB). With role declaration via a Firestore doc, you should note that you cannot get this role in a Cloud Storage or RTDB Security Rule (you cannot read Firestore from Security Rules of the other services).
I want to maintain an account disabled until it passes the email verification.
Problem is, as a user registers itself via createUserWithEmailAndPassword, the newly created account is ready to be used.
The only way I can avoid authentication is to check email verification flag via js in client app and deny login, but I don't want to rely on client controls, I'd prefer that firebase itselfs deny the authentication until email is verified.
Is there a way to accomplish this?
You can (and should) also check if the email is verified in the back-end, either:
in security rules, if you're using Firestore, Realtime Database, or Storage
in your own backend code, using a Firebase Admin SDK
When you do this, the client-side check is nothing more than a way to show the correct UI for the current state ("hey there, your email isn't verified yet. Check your inbox, or click here to resend the email"). It's the server-side check that controls access to the data, which is precisely how you want it to be.
This has been covered quite regularly before, so also see:
the Firebase documentation on implementing role-based access control on Firestore
How do I lock down Firebase Database to any user from a specific (email) domain? (for Realtime Database)
Only let pre-verified users log into Firebase
I am trying to use a 6 digit code to log-in a user.
The code is available for 20 seconds and is unique to every user.
Briefly explained:
User is already logged in on a mobile app
User press the button "Get Unique Code"
Then, user enter the code on a WebPage on his PC
If the code is correct, show data for that user
What am I asking is if there is way to properly authenticate the user who introduces that code correctly given that I have the userID and all the informations about the user?
I can try and "fake log-in" (display all the information for that user when the code is correct) but there are some issues with this and I would like to avoid it.
I am using Firebase Authentication and Firebase Firestore. JavaScript is used for Web.
You can implement any authentication scheme you want by creating a custom provider for Firebase Authentication.
See Authenticate with Firebase in JavaScript Using a Custom Authentication System and Creating Custom Tokens with the Admin SDK.
In this flow you:
Sign in the users yourself.
Create a custom token for those users in a trusted environment, such as a server you control, or Cloud Functions.
Pass that custom token to Firebase Authentication, which can then use it to identify the user, and secure access to Firestore, Storage, and Realtime Database.
I'm newbie to Facebook Graph API and Facebook JavaScript SDK but I'd like to know some things:
Is there any way to put my Access Token in a Open Source application without actually showing it? I'm using GitHub and for security purposes I'd like to make it private.
Can I show my user information without asking the users to Authenticate themselves?
Where in Facebook Developers App can I allow more "scopes" to share publicly? For example, user_photos, user_posts, user_likes, user_status, etc...
These "scopes" that Facebook allows by default are actually the information I'm getting from the user while I'm Authenticating them right?
Just to clarify what I'm trying to do, I want to share things about my Facebook Account through the Facebook Graph API in the gh-pages branch on GitHub, but I don't like the idea of having to authenticate every single user that has access to the page.
I'd like to make my user information public, but don't want to show my access token, because it's Open Source and it can get dangerous eventually.
If you'd like to see my repository and have a better understanding of the project. You can access https://github.com/iszwnc/rye
If I recap:
you don't want to share your app access token (good!),
you don't want your users to authenticate.
Basically, you can't hide your token and let your users query Facebook directly. You need some server-side code on a machine that would be the only one reaching Facebook. Your server would play the role of an interface between Facebook and your users. So you will have to:
do the API calls from a server using server-side code (i.e. Node.js),
save the information you want in a database. This is optional but better to avoid the same information to be retrieved multiple times, thus avoiding your future 100 users to (voluntarily or not) reach your app API limit.
let the users query your server using some client-side code (i.e. AngularJS) in order to retrieve what you and only you know (remember, you own the token).
About Github, don't share your token on it. People can generate their own token if they want to run your app. Here are several suggestions:
Add your token to an environment variable which you can set just before launching the app (don't forget to mention that in your README),
Add your token to a file:
Create a credentials.js file that contains an empty token:
// Please use your own token
var APP_TOKEN = '';
Commit the file to Github,
Have a .gitignore file that contains the credentials.js,
var APP_TOKEN = 'now-you-can-put-your-token-here';
Good luck with your project, it looks exciting :-)
I have been building a mobile-web-app in HTML5/JQuery and as part of this app I need to require users to log in to Moodle on the app.
Unfortunately I have no idea how to do this.
I'm not sure if I can create a log in form on my App that will check User details with moodle, or if I need to redirect to moodle and get a response from there.
There are a lot of vague, confusing questions about this, so I'm going to be as clear as I can about what the app should do.
user opens App A
App A asks the user to use their moodle details to log in
Moodle tells App if log in was successful
App A either displays an error, or allows user access to the app.
If somebody could help me out here I would really appreciate it.
You can use moodle auth plugins for enabling SSO.
If you are hosting moodle on the same domain, cookies can be shared between App A and moodle and you can use the shared cookies while validating in moodle auth plugin.
And if domains are different, you would need to pass cookie (e.g. sess_uuid) in query parameter and grep it in your auth plugin and use it to validate against App A database (may be using REST call) and if cookies is valid, you can lookup for the user (identified by details provided in cookie validation call) in moodle. If user exists in moodle, you just need to set the global variable $user in the plugin and if user is not present in moodle, depending on you requirement, you can either create new user or do not set user in the plugin which would eventually cause login error.