Secure an app with Auth0
Download Otoroshi
If you already have an Otoroshi instance up and running, you can skip the following instructions.
Let’s start by downloading the latest Otoroshi.
curl -L -o otoroshi.jar 'https://github.com/MAIF/otoroshi/releases/download/v16.20.0-dev/otoroshi.jar'
Then start Otoroshi:
java -Dotoroshi.adminPassword=password -jar otoroshi.jar
Now you can log into Otoroshi at http://otoroshi.oto.tools:8080 with admin@otoroshi.io/password
Create a new route, exposed on http://myservice.oto.tools:8080, which will forward all requests to the mirror https://request.otoroshi.io. Each call to this service will return the body and the headers received by the mirror.
curl -X POST 'http://otoroshi-api.oto.tools:8080/api/routes' \
  -H "Content-type: application/json" \
  -u admin-api-apikey-id:admin-api-apikey-secret \
  -d @- <<'EOF'
{
  "name": "my-service",
  "frontend": {
    "domains": ["myservice.oto.tools"]
  },
  "backend": {
    "targets": [
      {
        "hostname": "request.otoroshi.io",
        "port": 443,
        "tls": true
      }
    ]
  }
}
EOF
Configure an Auth0 client
The first step of this tutorial is to set up an Auth0 application with the information of our Otoroshi instance.
Navigate to https://manage.auth0.com (create an account if it’s not already done).
Let’s create an application by clicking on the Applications button on the sidebar. Then click on the Create application button on the top right.
- Choose Regular Web Applications as Application type
- Then set, for example, otoroshi-client as Name, and confirm the creation
- Jump to the Settings tab
- Scroll to the Application URLs section and add the following URL as Allowed Callback URLs: http://otoroshi.oto.tools:8080/backoffice/auth0/callback
- Set https://otoroshi.oto.tools:8080/ as Allowed Logout URLs
- Set https://otoroshi.oto.tools:8080 as Allowed Web Origins
- Save changes at the bottom of the page.
Once done, we have a full setup, with a client ID and secret at the top of the page, which authorizes our Otoroshi and redirects the user to the callback url when they log into Auth0.
Create an Auth0 provider module
Let’s go back to Otoroshi to create an authentication module with OAuth2 / OIDC provider as type.
- Go ahead, and navigate to http://otoroshi.oto.tools:8080
- Click on the cog icon on the top right
- Then click on the Authentication configs button
- Add a new configuration by clicking on the Add item button
- Select the OAuth provider in the type selector field
- Then click on Get from OIDC config and paste https://<tenant-name>.<region>.auth0.com/.well-known/openid-configuration. Replace the tenant name with the name of your tenant (displayed on the top left of the Auth0 page), and the region with the region of your tenant (eu in my case).
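Before pasting the discovery URL, it is worth confirming that the document it returns really describes your tenant. The following check is an added example, not part of Otoroshi or Auth0; the tenant name `example-tenant`, the sample document and the function names are constructed for illustration, and it assumes the default `<tenant-name>.<region>.auth0.com` host rather than a custom domain.

```python
from urllib.parse import urlsplit

ENDPOINTS = ("authorization_endpoint", "token_endpoint",
             "userinfo_endpoint", "jwks_uri")

def discovery_url(tenant, region):
    """URL pasted into 'Get from OIDC config' for a given tenant and region."""
    return f"https://{tenant}.{region}.auth0.com/.well-known/openid-configuration"

def check_discovery(doc, tenant, region):
    """Return a list of problems; an empty list means the document is consistent."""
    host = f"{tenant}.{region}.auth0.com"
    problems = []
    # Auth0 issuers are the tenant base URL with a trailing slash.
    if doc.get("issuer") != f"https://{host}/":
        problems.append(f"issuer is {doc.get('issuer')!r}, expected https://{host}/")
    for key in ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"{key} is missing")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":
            problems.append(f"{key} is not served over https")
        if parts.hostname != host:
            problems.append(f"{key} points at {parts.hostname}, not {host}")
    # A regular web application uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type=code is not advertised")
    return problems

# Constructed sample for a placeholder tenant; not a capture from a real tenant.
BASE = "https://example-tenant.eu.auth0.com"
SAMPLE = {
    "issuer": BASE + "/",
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/oauth/token",
    "userinfo_endpoint": BASE + "/userinfo",
    "jwks_uri": BASE + "/.well-known/jwks.json",
    "response_types_supported": ["code", "token", "id_token"],
}
# Same document with the token endpoint swapped for a plain-http foreign host.
TAMPERED = dict(SAMPLE, token_endpoint="http://login.example.net/oauth/token")

if __name__ == "__main__":
    print(discovery_url("example-tenant", "eu"))
    for name, doc in (("sample", SAMPLE), ("tampered", TAMPERED)):
        print(name, check_discovery(doc, "example-tenant", "eu") or "ok")
```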
Once done, set the Client ID and the Client secret from your Auth0 application. End the configuration with http://otoroshi.oto.tools:8080/backoffice/auth0/callback as Callback URL.
At the bottom of the page, disable the secure button. We’re using HTTP here, and this setting prevents the cookie from being included in a request sent without a secure channel (typically HTTPS). Keep it enabled when Otoroshi is served over HTTPS.
Connect to Otoroshi with Auth0 authentication
To secure Otoroshi with your Auth0 configuration, we have to register an Authentication configuration as a BackOffice Auth. configuration.
- Navigate to the danger zone (when clicking on the cog on the top right and selecting Danger zone)
- Scroll to the BackOffice auth. settings
- Select your last Authentication configuration (created in the previous section)
- Save the global configuration with the button on the top right
Testing your configuration
- Disconnect from your instance
- Then click on the Login using third-party button (or navigate to http://otoroshi.oto.tools:8080)
- Click on Login using Third-party button
- If everything is configured correctly, Otoroshi will redirect you to the Auth0 login page
- Set your account credentials
- Good work! You’re connected to Otoroshi with an Auth0 module.
Secure an app with Auth0 authentication
With the previous configuration, you can secure any Otoroshi service.
The first step is to make a small change to the previous configuration.
- Navigate to http://otoroshi.oto.tools:8080/bo/dashboard/auth-configs.
- Create a new Authentication module configuration with the same values.
- Replace the Callback URL field with http://privateapps.oto.tools:8080/privateapps/generic/callback (we changed this value because the redirection of a connected user by a third-party server is covered by another route by Otoroshi).
- Disable the secure button (because we’re using HTTP, and this setting prevents the cookie from being included in a request sent without a secure channel, typically HTTPS)
Note: an Otoroshi service is called a private app when it is protected by an Authentication module.
We can now set the Authentication module on your route.
- Navigate to any created route
- Search the list of plugins for the plugin named Authentication
- Select your Authentication config in the list
- Don’t forget to save your configuration.
- Now you can try to call your route and see the Auth0 login page appear.
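A preflight check over the settings used in this tutorial, as an added example (not Otoroshi or Auth0 code): it compares each module's Callback URL with the Auth0 Allowed Callback URLs list and checks that the secure setting matches the URL scheme. The function names and the tuple layout are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def lint_module(name, callback_url, secure, allowed_callbacks):
    """Return findings for one authentication module; [] means nothing to fix."""
    findings = []
    # Exact string comparison; wildcard entries in the Auth0 list are not handled.
    if callback_url not in allowed_callbacks:
        findings.append(f"{name}: callback is not in Allowed Callback URLs")
    scheme = urlsplit(callback_url).scheme
    if scheme == "http" and secure:
        findings.append(f"{name}: secure is on but the callback is http, "
                        "so the session cookie will not be sent")
    elif scheme == "https" and not secure:
        findings.append(f"{name}: secure is off on https, "
                        "so the session cookie may travel over plain http")
    return findings

# Values from this tutorial. The Auth0 list holds the one callback added earlier.
ALLOWED = ["http://otoroshi.oto.tools:8080/backoffice/auth0/callback"]
MODULES = [
    ("backoffice", "http://otoroshi.oto.tools:8080/backoffice/auth0/callback", False),
    ("privateapps", "http://privateapps.oto.tools:8080/privateapps/generic/callback", False),
]

def lint_all(modules, allowed_callbacks):
    """Run lint_module over (name, callback_url, secure) tuples."""
    out = []
    for name, url, secure in modules:
        out.extend(lint_module(name, url, secure, allowed_callbacks))
    return out

if __name__ == "__main__":
    for finding in lint_all(MODULES, ALLOWED):
        print(finding)
```

On the values above it reports the privateapps callback, which has to be added to Allowed Callback URLs in the Auth0 application for the private-app login to complete.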