
Auth0 Authentication Extension

Open snake575 opened this issue 8 years ago • 8 comments

I was testing the extension and found that roles, groups and permissions are not necessarily included on app_metadata.

If one selects the fields on the Token Contents section, then they are included like this:

{ sub: '', iss: '', ... , roles: [], groups: [], permissions: [], }

If one selects the fields on the Persistence section, then they are included like this:

{ sub: '', iss: '', ... , app_metadata: { authorization: { roles: [], groups: [], permissions: [], }, } }

In both cases, it's important to note that one must include roles, groups, permissions or app_metadata in the token's scope on the client app, otherwise none of them are included in the token.

snake575 avatar Feb 28 '17 20:02 snake575

This is why I "standardized" it with the AUTHORIZATION_EXTENSION setting.

The recommended (and mostly easy to use, IMHO) way is to simply enable the authorization extension in Auth0 and use it in our apps.

HOWEVER: I will add a disclaimer to note what scopes are needed in order to use this app.

If this answer is enough for you, please let me know so I can close this issue.

mcueto avatar Feb 28 '17 20:02 mcueto

Which one is the default one? Token Contents is the first one on the screen, but I think both are disabled in the beginning. We could add another setting to specify if Token Contents or Persistence is in use on the extension.

snake575 avatar Feb 28 '17 20:02 snake575

Hi @Snake575, it seems that the extension has changed a little bit/a lot since version 1 (I'm assuming that you're using version 2), so I believe that we must support both version 1 and 2 of the extension (I promise to work on it in the following weeks).

What version of the extension are you using?

[screenshot of manage.auth0.com, 2017-02-28]

mcueto avatar Mar 01 '17 02:03 mcueto

I didn't notice there are 2 versions... I'm on 2.1!

snake575 avatar Mar 01 '17 05:03 snake575

Can you post screenshots of the configs used in your version, please?

mcueto avatar Mar 02 '17 20:03 mcueto

I did some extra testing... turns out that enabling Token Contents allows the following:

With Auth0-Lock options config:

{
  auth: {
    params: { scope: 'openid roles groups permissions' }
  }
}

Extension config:

[screenshot of the extension config]

Token payload:

{
  "groups": [],
  "permissions": [],
  "roles": [],
  "iss": "...",
  "sub": "...",
  "aud": "...",
  "exp": ...,
  "iat": ...
}

On the other hand, Persistence says it persists the extension data in the user profile's app_metadata. However, in my test the extension auth data is always present on the profile, regardless of whether the persistence fields are activated or not.

[screenshot of the Persistence settings]

User's profile:

{
  ...
  "app_metadata": {
    "authorization": {
      "groups": [],
      "roles": [],
      "permissions": []
    }
  },
  "authorization": {
    "groups": [],
    "roles": [],
    "permissions": []
  },
  ...
}

snake575 avatar Mar 03 '17 02:03 snake575
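The two posts above describe two different places the same claims can land in a decoded token: at the top level (Token Contents) or nested under app_metadata.authorization (Persistence), and a third case where the scope was never requested and the claims are simply absent. The following is an added example, not code from djangorestframework-auth0 or from either participant: a small Python helper that normalizes both layouts into one dict, distinguishes "claims absent" (scope not requested) from "claims present but empty", and defaults to empty lists so an authorization check denies rather than crashes. The sample payloads are constructed; the function names and the "top-level wins over nested" precedence are this example's own assumptions. The payload is assumed to have already been signature-verified by the JWT library before it reaches this code.

```python
from typing import Any, Dict, List

AUTHZ_FIELDS = ("roles", "groups", "permissions")

# Constructed sample payloads mirroring the shapes quoted in the thread.
# Token Contents layout: claims at the top level of the token.
TOKEN_CONTENTS_PAYLOAD: Dict[str, Any] = {
    "iss": "https://example-tenant.invalid/",
    "sub": "auth0|example-user",
    "aud": "example-client-id",
    "roles": ["admin"],
    "groups": ["staff"],
    "permissions": ["read:things"],
}

# Persistence layout: claims nested under app_metadata.authorization.
PERSISTENCE_PAYLOAD: Dict[str, Any] = {
    "iss": "https://example-tenant.invalid/",
    "sub": "auth0|example-user",
    "app_metadata": {
        "authorization": {
            "roles": ["editor"],
            "groups": [],
            "permissions": ["write:things"],
        }
    },
}

# Scope not requested: none of the authorization claims are present at all.
NO_SCOPE_PAYLOAD: Dict[str, Any] = {
    "iss": "https://example-tenant.invalid/",
    "sub": "auth0|example-user",
}


def _nested_authorization(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Return payload["app_metadata"]["authorization"] if it is a dict, else {}."""
    app_metadata = payload.get("app_metadata")
    if not isinstance(app_metadata, dict):
        return {}
    nested = app_metadata.get("authorization")
    return nested if isinstance(nested, dict) else {}


def authorization_claims_present(payload: Dict[str, Any]) -> bool:
    """True if at least one of roles/groups/permissions exists in either layout.

    False means the client most likely did not request the needed scope, which
    is the failure mode the thread warns about: the token is valid but carries
    no authorization data at all.
    """
    nested = _nested_authorization(payload)
    return any(field in payload or field in nested for field in AUTHZ_FIELDS)


def extract_authorization(payload: Dict[str, Any]) -> Dict[str, List[str]]:
    """Normalize both layouts into {"roles": [...], "groups": [...], "permissions": [...]}.

    Top-level claims take precedence over the nested ones (an assumption of this
    example). Anything that is not a list of strings is treated as empty, so a
    malformed or missing claim can never grant access by accident.
    """
    nested = _nested_authorization(payload)
    result: Dict[str, List[str]] = {}
    for field in AUTHZ_FIELDS:
        value = payload.get(field)
        if value is None:
            value = nested.get(field)
        if not isinstance(value, list):
            value = []
        result[field] = [item for item in value if isinstance(item, str)]
    return result


def has_permission(payload: Dict[str, Any], required: str) -> bool:
    """Deny-by-default check: only an explicit string match grants the permission."""
    return required in extract_authorization(payload)["permissions"]


if __name__ == "__main__":
    for name, sample in (("token-contents", TOKEN_CONTENTS_PAYLOAD),
                         ("persistence", PERSISTENCE_PAYLOAD),
                         ("no-scope", NO_SCOPE_PAYLOAD)):
        print(name, authorization_claims_present(sample), extract_authorization(sample))
```

In a DRF permission class, `authorization_claims_present` is the value worth logging when it is false: it separates "user has no permissions" from "the client forgot the scope", which otherwise look identical to the caller.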

I'll create another app with authorization 2.x to think how to manage this problem and have an update this week!!!!

mcueto avatar Mar 13 '17 18:03 mcueto

I bet you noticed that I didn't solve this; in the following 2 weeks I will solve this issue.

Stay tuned

mcueto avatar Jul 14 '17 19:07 mcueto