===== Auth0 =====

Integrating Cognito with Auth0 \\
https://auth0.com/docs/integrations/integrating-auth0-amazon-cognito-mobile-apps

Secure AWS API Gateway Endpoints Using Custom Authorizers \\
https://auth0.com/docs/integrations/aws-api-gateway/custom-authorizers \\
https://auth0.com/docs/integrations/aws-api-gateway/custom-authorizers#how-api-gateway-custom-authorizers-work

You can use a custom authorizer to implement different authorization strategies, including JWT verification, and **return an IAM policy that authorizes the request**. If the returned policy is invalid or denies the permission, the API call fails. For a valid policy, API Gateway caches the returned policy, associates it with the incoming token and uses it for the current and subsequent requests. You can configure how long the policy is cached: the default is 300 seconds, the maximum **caching** time is **3600 seconds**, and a value of 0 disables caching.

How to Set Up AWS for Delegated Authentication: \\
https://auth0.com/docs/aws-api-setup

API authorization \\
https://auth0.com/docs/api-auth

Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User Pools, and Amazon API Gateway \\
https://aws.amazon.com/blogs/compute/secure-api-access-with-amazon-cognito-federated-identities-amazon-cognito-user-pools-and-amazon-api-gateway/

Call APIs from Highly Trusted Applications \\
https://auth0.com/docs/api-auth/grant/password

Amazon API Gateway Tutorial Introduction \\
https://auth0.com/docs/integrations/aws-api-gateway/delegation

Configure IAM and Auth0 for SAML Integration with the API Gateway \\
https://auth0.com/docs/integrations/aws-api-gateway/delegation/part-2#1-configure-iam-and-auth0-for-saml-integration-with-the-api-gateway

===== Auth0 Access Token Format =====
https://auth0.com/docs/protocols/oauth2

By default, Auth0 generates **Access Tokens for API Authorization scenarios** in JSON Web Token (JWT) format. A JWT contains three parts: a header, a payload, and a signature:

  * The header contains **metadata about the type of token** and the cryptographic algorithms used to secure its contents.
  * The **payload contains a set of claims, which are statements about the permissions** that should be allowed, and other information like the intended audience and the expiration time.
  * The **signature** is used to validate that the token is trustworthy and has not been tampered with.

===== Scopes =====

The **permissions** represented by the Access Token are, in OAuth 2.0 terms, known as scopes. When an **application authenticates with Auth0**, it **specifies the scopes** it wants. If those **scopes are authorized by the user**, the Access Token will represent these authorized scopes.

===== Authorization Grant Types =====

https://auth0.com/docs/protocols/oauth2#authorization-grant-types

|**Authorization Code** (Regular Web App Login Flow)|Regular Web Apps are web apps with client and server components; this flow is used by web apps that execute on a server, not only in the browser. \\ \\ The end user owns the resource. The token is stored on the server and never passes through the user's browser. \\ \\ **The authorization code + Client ID + Client Secret (the client here is the backend, i.e. the server) are used for authentication. They are exchanged for the access (bearer) token. \\ Everything happens on the backend side.**|
|**Implicit** (Single-Page Login Flow)|Used by JavaScript-centric apps (Single Page Applications) executing in the user's browser. The end user owns the resource. **The access (bearer) token is used for authentication and is stored in the browser.**|
|**Resource Owner Password Credentials**|Used by trusted apps. The end user still owns the resource. **The end user's username/password in plain text are used for authentication.**|
|**Client Credentials** (Machine to machine)|Used for machine to machine communication, when the client (like a cron job) is itself the resource owner. **The Client ID / Client Secret are used for authentication.**|

Choosing the grant flow: https://auth0.com/docs/api-auth/which-oauth-flow-to-use

{{https://lh3.googleusercontent.com/-L-Rwak0PIxs/XBpv-LEt4dI/AAAAAAAABpw/fqnYQfxv0X0c_XTNcQGV2OSp_DE3DjoJwCHMYCw/s0/2018-12-19_17-21-10.png}}

===== ID Token =====

|Token audience|The aud claim identifies the recipients that the JWT is intended for. The value must match the Client ID of your Auth0 Application.|

===== Auth0 Applications =====

An Auth0 Application represents your application in Auth0. You first need to define the Application in Auth0 to be able to add authentication to it. Your application can be

  * a **native app** that executes on a **mobile** device,
  * a **single page** app that executes **on a browser**,
  * a **regular web app** that executes **on a server**, or
  * a **Machine to Machine** application: used for **server to server applications like command-line tools**, daemons, IoT devices, or services running on your backend. Typically you would use this option if you have a service that requires access to an API.

The key point is that applications are primarily meant for human interaction, as opposed to APIs, which provide data to applications through a standardized messaging system.

An Auth0 Application has a Client ID.

===== Auth0 API =====

An Auth0 API is just the way Auth0 maintains the **audience** (https://curity.io/resources/architect/claims/scopes-vs-claims/) and the expiration of the tokens issued to reach that audience.
===== Examples =====

Lambdas and React \\
https://auth0.com/blog/building-serverless-apps-with-aws-lambda/

Single page app \\
https://auth0.com/docs/sso/current/single-page-apps \\
https://github.com/auth0-samples/oidc-sso-sample

===== AWS Cognito integration with Auth0 =====

==== Auth0 - create a Single page application ====

Create the Single page application as described here: https://auth0.com/docs/applications/spa

  * remember the **clientId**
  * remember the **domain**

{{https://lh3.googleusercontent.com/-pQSdy65sui0/XBzgVg39dvI/AAAAAAAABqk/ShvV2GmtG6U5MYlw-WNv7oMHwtaxcZG8ACHMYCw/s0/2018-12-21_13-45-09.png}}

==== AWS IAM - add Auth0 as an OpenID Connect identity provider ====

^Auth0 application attribute ^ maps to ^
|Auth0 **clientId**|AWS IAM **Audience**|
|Auth0 **domain** (dev.auth0.com)|AWS IAM **Provider URL**|

Follow the tutorial: https://auth0.com/docs/integrations/integrating-auth0-amazon-cognito-mobile-apps

  * When adding the provider URL - **prepend https://. Do not add a trailing slash at the end.**

{{https://lh3.googleusercontent.com/-P1326hrXBHA/XBzdMLFDE_I/AAAAAAAABqA/jQ5m0BAkd-grhZYx5zP_mC0W4dG73M6nQCHMYCw/s0/2018-12-21_13-31-42.png}}
{{https://lh3.googleusercontent.com/-TlQpWrzL5PA/XBzdkGtbxVI/AAAAAAAABqI/Xt_WDuIhwSA1kn9GScLPDXZ8qMouP4M1gCHMYCw/s0/2018-12-21_13-33-19.png}}

==== AWS Cognito - create an identity pool ====

Follow the tutorial: https://auth0.com/docs/integrations/integrating-auth0-amazon-cognito-mobile-apps#create-a-cognito-identity-pool

{{https://lh3.googleusercontent.com/-9YV1GM45IUI/XBzhxedKfxI/AAAAAAAABqw/uinfB1b6X4IH3JdyosyMgvnw7HK8nL6qgCHMYCw/s0/2018-12-21_13-51-16.png}}

==== Auth0 - generate the identity token ====

Go to your Auth0 single page application. Download a "Quick Start" JavaScript app.

{{https://lh3.googleusercontent.com/-GKPQr4Je92I/XBzi1zpXSFI/AAAAAAAABq4/tJEydGoZUF8pQxa21Yy36Bsq6gJ1zCOWgCHMYCw/s0/2018-12-21_13-55-50.png}}
{{https://lh3.googleusercontent.com/-nLIH2607GwQ/XBzjSn5WCGI/AAAAAAAABrA/lTch5UDK_iEm1Ftqj40BXVXWvkUTLJKBgCHMYCw/s0/2018-12-21_13-57-45.png}}

The Auth0 variables like **AUTH0_CLIENT_ID** and **AUTH0_DOMAIN** will already be set according to your Auth0 application's values. See the file **auth0-variables.js** of your Quick Start JavaScript app.

Set a breakpoint in the browser debugger to find the **identity token**.

{{https://lh3.googleusercontent.com/-DOMDr9QQTXI/XBzkO_NK4GI/AAAAAAAABrM/F1RdzeN1glUm7H8jIp5_JOfh3-BsJjRIACHMYCw/s0/2018-12-21_14-01-46.png}}

  * remember the **identity token** you retrieved from Auth0:

<code>
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1ESXpNVFE1UWpSRk5VTkNSa0kxT0RkRk1FUTJPVUUzUTBORU16STNPRGd6UXpsQ05EQTNOZyJ9.eyJpc3MiOiJodHRwczovL3NpZW1lbnMtcWEtYnQtMDA4LmV1LmF1dGgwLmNvbS8iLCJzddIiOiJvYXV0aDJ8bWFpbi10ZW5hbnQtb2lkY3xzYW1scHxTaWVtZW5zfFow3333QkFQIiwiYXVkIkoiSTdRaU04c2p6dk1zUERHbnNRMnJKdVN5MVRGQ2V0NGkiLCJpYXQiOjE1NDUzODY3OTUsImV4cCI6MTU0NTQyMjc5NSwiYXRfaGFzaCI6ImpUWGlPcGktbzM2SDhNTzk3a1FzdEEiLCJub25jZSI6IXBVZWNQVDZoNUFPRXE0cXljRlIwQUtiIn0.pv41yqbOH0xSFClQYssVZ4PTriFzVYLXxaCaWhxrDnuiUyFZOCyGJA9NqeOHigFJX2LkvYkddF4piYyAHMjIae8759jh3PQvqo11Eqb52AuRcx52N89zINxp6woMIIQpaAT72ln9qof_E9Im24WKiD9F0VhexMo2zouRoMJIDyTOa5B_ieln2FIIqLBP-RdEYtKUOBwvnwf4fJlgjn2DnJstrkIypN8xQ1P0b9uUtn-KYRaS3vEpll27gLPVTEVZgPcGCDrcg3fNU9f5MjT9-kEAeENGkmS1OoIF1Q0zf_fhltnB38ScLGCQnipOZQXzvvpnISAoQ45ane-eYCWnQ
</code>

==== AWS Cognito - use the token in a JavaScript application ====

Follow the tutorial: https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/getting-started-browser.html

Use the identity token from Auth0 to create the "AWS.CognitoIdentityCredentials" object with the AWS JavaScript SDK. Here is an example of retrieving the AWS.CognitoIdentityCredentials with a concrete identity token.
<code javascript>
// The identity pool lives in eu-west-1 (see the IdentityPoolId prefix), so the SDK needs that region configured
AWS.config.region = 'eu-west-1';

// Using a concrete token - alternative to the anonymous (unauthenticated) access
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'eu-west-1:411f0dd3-8b7f-4328-a283-50caebd2de1c',
  Logins: {
    // key = the Auth0 domain registered as the IAM OIDC provider (without https://), value = the Auth0 identity token
    'dev.auth0.com': 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1ESXpNVFE1UWpSRk5VTkNSa0kxT0RkRk1FUTJPVUUzUTBORU16STNPRGd6UXpsQ05EQTNOZyJ9.eyJpc3MiOiJodHRwczovL3NpZW1lbnMtcWEtYnQtMDA4LmV1LmF1dGgwLmNvbS8iLCJzddIiOiJvYXV0aDJ8bWFpbi10ZW5hbnQtb2lkY3xzYW1scHxTaWVtZW5zfFow3333QkFQIiwiYXVkIkoiSTdRaU04c2p6dk1zUERHbnNRMnJKdVN5MVRGQ2V0NGkiLCJpYXQiOjE1NDUzODY3OTUsImV4cCI6MTU0NTQyMjc5NSwiYXRfaGFzaCI6ImpUWGlPcGktbzM2SDhNTzk3a1FzdEEiLCJub25jZSI6IXBVZWNQVDZoNUFPRXE0cXljRlIwQUtiIn0.pv41yqbOH0xSFClQYssVZ4PTriFzVYLXxaCaWhxrDnuiUyFZOCyGJA9NqeOHigFJX2LkvYkddF4piYyAHMjIae8759jh3PQvqo11Eqb52AuRcx52N89zINxp6woMIIQpaAT72ln9qof_E9Im24WKiD9F0VhexMo2zouRoMJIDyTOa5B_ieln2FIIqLBP-RdEYtKUOBwvnwf4fJlgjn2DnJstrkIypN8xQ1P0b9uUtn-KYRaS3vEpll27gLPVTEVZgPcGCDrcg3fNU9f5MjT9-kEAeENGkmS1OoIF1Q0zf_fhltnB38ScLGCQnipOZQXzvvpnISAoQ45ane-eYCWnQ'
  }
});
</code>

The demo application, which is
  * using Auth0 authentication
  * accessing AWS services
is hosted here: https://github.com/skipidar/awsViaAuth0.npm
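The IAM mapping table (clientId to Audience, domain to Provider URL, no trailing slash) and the Logins map above are where this integration usually breaks, and Cognito only reports a generic invalid-token error when they do not line up. The following is an added example, not code from this page or from AWS: a pre-flight check the application can run on the Auth0 ID token before passing it to AWS.CognitoIdentityCredentials. It decodes (without verifying; Cognito verifies the signature against the OIDC provider) and checks that the token's iss host equals the IAM provider domain, that aud contains the clientId configured as the IAM Audience, and that the token is not expired, then builds the Logins map. AUTH0_DOMAIN, AUTH0_CLIENT_ID and the demo token are constructed placeholders.

```javascript
// Added example: pre-flight check of an Auth0 ID token before handing it to Cognito (not from the page or AWS).
const AUTH0_DOMAIN = 'dev.auth0.com';        // constructed placeholder; in a Quick Start app this comes from auth0-variables.js
const AUTH0_CLIENT_ID = 'EXAMPLE_CLIENT_ID'; // constructed placeholder; also the IAM OIDC provider Audience

const toB64url = (s) => Buffer.from(s, 'utf8').toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Decode (not verify) the payload of a compact JWT "header.payload.signature".
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected header.payload.signature)');
  return JSON.parse(fromB64url(parts[1]));
}

// The IAM Provider URL is "https://" + domain with no trailing slash; the Logins key is the bare domain.
function loginsKeyFromProviderUrl(providerUrl) {
  if (!providerUrl.startsWith('https://')) throw new Error('IAM provider URL must start with https://');
  if (providerUrl.endsWith('/')) throw new Error('IAM provider URL must not end with a trailing slash');
  return providerUrl.slice('https://'.length);
}

// Returns the Logins object for AWS.CognitoIdentityCredentials, or throws with the reason Cognito would reject the token.
function buildCognitoLogins(idToken, { domain = AUTH0_DOMAIN, clientId = AUTH0_CLIENT_ID, now = Math.floor(Date.now() / 1000) } = {}) {
  const claims = decodeJwtPayload(idToken);
  // Auth0 issues "iss" with a trailing slash ("https://dev.auth0.com/") while the IAM provider URL has none,
  // so compare the host part rather than raw strings.
  const issHost = new URL(String(claims.iss)).host;
  if (issHost !== domain) throw new Error(`iss host "${issHost}" does not match the IAM provider "${domain}"`);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) throw new Error('aud does not contain the clientId configured as the IAM Audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('ID token is expired; Cognito will reject it');
  return { [domain]: idToken };
}

// Constructed token for the offline demo: real header and payload, empty signature, because nothing here verifies it.
function makeUnsignedToken(claims) {
  return `${toB64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${toB64url(JSON.stringify(claims))}.`;
}

// Usage with the SDK (not executed here):
// AWS.config.credentials = new AWS.CognitoIdentityCredentials({
//   IdentityPoolId: 'eu-west-1:00000000-0000-0000-0000-000000000000', // placeholder
//   Logins: buildCognitoLogins(idTokenFromAuth0),
// });
```

Running this before the SDK call turns "the pool rejected my token" into a concrete statement about which of the three settings is wrong, which is what you want to see at the breakpoint the section above describes.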