Feature Request: Auth0 login · Issue #1722 · wekan/wekan · GitHub

Feature Request: Auth0 login #1722

Closed
xet7 opened this issue Jun 22, 2018 · 11 comments

Comments

@xet7
Member
xet7 commented Jun 22, 2018

https://atmospherejs.com/?q=auth0

https://auth0.com/

@xet7
Member Author
xet7 commented Aug 29, 2018

@xet7 xet7 closed this as completed Aug 29, 2018
@xet7 xet7 reopened this Sep 27, 2018
@xet7
Member Author
xet7 commented Sep 27, 2018

Status

Currently I am still figuring out how to get single login working with Auth0, with Wekan+Rocket.Chat+WordPress+PHP script behind it. It would be helpful if there are others trying to do this too, and it would help with SSO cookies etc.

Current settings I use are at https://github.com/wekan/wekan/wiki/OAuth2#auth0

It is possible to use Auth0 with Wekan OAuth2, but OAuth2 has a bug that it always logs in as the first Admin user. After that is fixed, the next step would be to get single login working, so that after Auth0 login (like LinkedIn/Google/etc) the user is logged into all apps including Wekan, without needing to click the Wekan OIDC button or the Rocket.Chat login button.

Some links to Auth0 docs I got from support:

How do I enable SSO, so that when someone logs in at https://example.com/login , it logs them in to all 3 apps at once?

For SSO best option is to implement universal login page. The universal login approach will store a session cookie on your tenant's domain for the user logging in.

For the Wordpress app, you can configure universal login from the Wordpress plugin's advanced settings with the Auto Login option.

For PHP app, our reference applications can be useful.

https://rocket.chat chat software, which is made with Meteor and is similar to Slack, installed at https://chat.example.com , configured with OAuth2 to have Auth0 login. (It also has SAML if needed).

I guess you already implemented the login with OAuth2 for Rocket chat. I assume it should be with using the universal login page. If you can share a HAR file for it, I can have a better idea. You can find how to capture the HAR file here.

To have a better idea of how SSO works with Auth0, you may also check our sample here.

Do you have ideas how I can find the logout URL for Rocket.Chat? It could be possible to log out with the Rocket.Chat API https://rocket.chat/docs/developer-guides/rest-api/ , but I don't know how to get Auth0 to call it.

Auth0 logout endpoint is meant only to end the session for the shared session cookie. It is the app's responsibility to clear any sessions/cookies of their own. So in your case, you first need to call the rocket API to logout from the app itself and then redirect to the Auth0 logout endpoint to clear the SSO session managed by Auth0.

In the Wekan REST API there is login https://github.com/wekan/wekan/wiki/REST-API#summary but not logout yet, so maybe I need to add a logout URL for Wekan?

This is beyond our control. As in the previous case, you need to clear any session for wekan from the app itself and then redirect to Auth0's logout endpoint.

How do I maintain logged-in status in WP+Rocket.Chat+Wekan+PHP script so that when logout is done in some app, it logs out of all apps, and goes to a specified URL?

Currently, we don't support backchannel logout. This means that if a user logs out from one app using the logout endpoint, we clear the shared session cookie for all; however, there isn't a mechanism to send a message to the apps opened in the other tabs of the browser.

But when the other apps try to refresh their session with the silent authentication, Auth0 will reply with the login required prompt and won't send new access/id tokens.
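The two-step logout that Auth0 support describes above (the app ends its own session first, then redirects to Auth0's logout endpoint to clear the shared SSO cookie), written out as an added example in JavaScript. This is not Wekan, Rocket.Chat or Auth0 code; the tenant domain, client id, session store and allow-list are constructed placeholders, and the `https://<tenant>/v2/logout?client_id=...&returnTo=...` shape is Auth0's logout endpoint. The `returnTo` allow-list check is there because a logout handler that redirects wherever it is told becomes an open redirect; Auth0 enforces its own "Allowed Logout URLs" list on the tenant side as well.

```javascript
// Added example (not Wekan, Rocket.Chat or Auth0 code): the two-step logout that
// Auth0 support describes in this thread. All values below are constructed.

// Stand-in for the app's own session store (constructed for this example).
const sessions = new Map();

function createSession(sessionId, userId) {
  sessions.set(sessionId, { userId, createdAt: Date.now() });
}

// Step 1: the app ends its own session. Auth0's logout endpoint only clears the
// shared SSO cookie on the tenant domain; it cannot touch this store.
function clearLocalSession(sessionId) {
  return sessions.delete(sessionId);
}

// Step 2: build the redirect to Auth0's logout endpoint. returnTo is checked
// against an explicit allow-list first, so this handler cannot be turned into an
// open redirect. Auth0 additionally checks returnTo against "Allowed Logout URLs".
function buildAuth0LogoutUrl({ tenantDomain, clientId, returnTo, allowedReturnTo }) {
  if (!Array.isArray(allowedReturnTo) || !allowedReturnTo.includes(returnTo)) {
    throw new Error(`returnTo is not in the allow-list: ${returnTo}`);
  }
  const url = new URL(`https://${tenantDomain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// The full handler: local session first, then the Location value for the 302 to
// Auth0. Redirecting before step 1 would leave a live local session behind.
function logout(sessionId, opts) {
  const cleared = clearLocalSession(sessionId);
  const location = buildAuth0LogoutUrl(opts);
  return { cleared, location };
}

// Demo run with constructed values.
if (typeof require !== 'undefined' && require.main === module) {
  createSession('sess-1', 'user-1');
  console.log(logout('sess-1', {
    tenantDomain: 'example.eu.auth0.com',
    clientId: '12345',
    returnTo: 'https://example.com/login',
    allowedReturnTo: ['https://example.com/login'],
  }));
}
```

Because Auth0 has no backchannel logout (as stated above), Rocket.Chat, Wekan and the PHP app each need their own step 1; only the shared cookie is cleared by step 2, and the other apps notice it the next time they attempt silent authentication.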

@xet7 xet7 mentioned this issue Sep 27, 2018
@xet7
Member Author
xet7 commented Oct 3, 2018

It seems that Auth0 has only experimental support for LDAP, and OAuth2 still has a bug. But probably LDAP, OAuth2 etc. are not needed at all.

Next I will try Auth0.js mentioned at universal login page.

I would think that the Auth0.js code should work like this:

  1. Check whether there is a WP Auth0 SSO cookie when the user comes to the Wekan or Rocket.Chat login page
  2. Check whether the user exists in Wekan or Rocket.Chat
  3. If the user exists, log in automatically.
  4. If the user does not exist, redirect to https://example.com/login

I would think that 4) would work in the web browser, and on mobile Rocket.Chat uses some mobile API so the redirect would not prevent it from logging in with username and password. I have not tried it yet.

@xet7
Member Author
xet7 commented Feb 12, 2019

Related: trying to get Auth0 working on the OIDC issue

@danpatdav

Thanks for trying to help. Some more info that I have looked at a little:

  1. Old 2016 repo with some Auth0 Meteor login code:
    https://github.com/prospa-group-oss/meteor-accounts-auth0

  2. 2019 forum post. There was a Meteor example about Auth0 login, but when Auth0 was notified about a security issue in it, they did not fix it, and took the repo down. I don't understand why, because Auth0 has fixed other code examples.
    https://forums.meteor.com/t/migrating-auth-from-meteor-to-auth0-roadblocks/32778/5

  3. How to log in to get profile info and picture info with just JavaScript on the browser side:
    https://github.com/auth0-samples/auth0-javascript-samples/tree/master/02-User-Profile

  4. OIDC SSO sample. If there are many apps, and one is already logged in, silently log in to the other app too:
    https://github.com/auth0-samples/oidc-sso-sample

  5. Meteor JWT sample. I did send a PR to fix some bug in it, but I don't know whether it actually logs in to Auth0; it seems to create a new account in the local database.
    https://github.com/auth0-blog/meteor-app

  6. Meteor Auth0 lock. I did send a PR to upgrade it to Meteor 1.8.0.2; it's now accepted.
    https://github.com/xcv58/meteor-auth0
    But it looks like it does not support the passwordless email code login that I'm trying to use.

@xet7
Member Author
xet7 commented Feb 12, 2019

@danpatdav

I added info to the wiki about the settings with which Auth0 passwordless email code login currently works for logging in to RocketChat:

https://github.com/wekan/wekan/wiki/OAuth2#4-auth0-id-provider-to-custom-oauth-rocketchat

@xet7
Member Author
xet7 commented Feb 25, 2019

@danpatdav @salleman33

With these settings at Auth0, using Wekan v2.25 devel branch:

        export DEBUG=true
        export OAUTH2_ENABLED=true
        export OAUTH2_CLIENT_ID=12345
        export OAUTH2_SECRET=54321
        export OAUTH2_SERVER_URL=https://example.eu.auth0.com
        export OAUTH2_AUTH_ENDPOINT=/authorize
        export OAUTH2_USERINFO_ENDPOINT=/userinfo
        export OAUTH2_TOKEN_ENDPOINT=/oauth/token
        export OAUTH2_ID_MAP=sub
        export OAUTH2_USERNAME_MAP=email
        export OAUTH2_FULLNAME_MAP=name
        export OAUTH2_EMAIL_MAP=email

I get this debug response:

XXX: userinfo: { sub: 'google-oauth2|12345678',
  given_name: 'Joe',
  family_name: 'Jackson',
  nickname: 'x',
  name: 'Joe Jackson',
  picture: 'https://lh5.googleusercontent.com/..../photo.jpg',
  gender: 'male',
  locale: 'fi',
  updated_at: '2019-02-25T12:49:26.768Z',
  email: 'joe@example.org',
  email_verified: true }
{"line":"431","file":"oauth.js","message":"Error in OAuth Server: Cannot use 'in' operator to search for 'null' in null","time":{"$date":1551098967397},"level":"warn"}
Exception while invoking method 'login' { stack: 'TypeError: Cannot use \'in\' operator to search for \'null\' in null\n    at packages/underscore.js:894:15\n    at Array.forEach (<anonymous>)\n    at _.each._.forEach (packages/underscore.js:139:11)\n    at Function._.pick (packages/underscore.js:893:5)\n    at Object.handleOauthRequest (packages/salleman_oidc.js:48:20)\n    at OAuth._requestHandlers.(anonymous function) (packages/oauth2.js:27:31)\n    at middleware (packages/oauth.js:203:5)\n    at packages/oauth.js:176:5',
  source: 'method' }

So from the Auth0 logs it looks like login to Auth0 did work, and the required info is in the above response I think, but login to Wekan does not work with the OIDC button.

Can you help please?

@xet7 xet7 closed this as completed in 5e238bf Feb 25, 2019
xet7 added a commit that referenced this issue Feb 25, 2019
  This maybe makes [Auth0 login possible](#1722) with OIDC.
  Thanks to GitHub user xet7.
@xet7
Member Author
xet7 commented Feb 25, 2019

I think I figured it out. I'll test.

@xet7
Member Author
xet7 commented Feb 25, 2019

Does not work yet.

@xet7 xet7 reopened this Feb 25, 2019
@danpatdav
Contributor

The OAUTH2_ID_MAP should not be ‘sub’. Try using ‘email’ instead.

@xet7
Member Author
xet7 commented Feb 25, 2019

@danpatdav

When I try email, it does not log in; there is this error:

2019-02-25T20:59:29Z wekan.wekan[23091]: {"line":"431","file":"oauth.js","message":"Error in OAuth Server: access_denied","time":{"$date":1551128369645},"level":"warn"}

I have tried various request permissions, but for example these do not work:

sudo snap set wekan oauth2-request-permissions="['openid', 'profile', 'email']"
sudo snap set wekan oauth2-request-permissions=''

In the browser console I get this error:

TypeError: a.join is not a function[Learn More]
53b6ec85e8562ee652a77f1899731fca891273e3.js:175:1783

That code is part of this OAuth2 code:

!function(){var e=Package.meteor.Meteor,o=Package.meteor.global,i=Package.meteor.meteorEnv,n=Package.oauth.OAuth,r=Package.oauth.Oauth,t=Package.underscore._,a=Package["templating-runtime"].Template,c=Package.random.Random,l=Package["service-configuration"].ServiceConfiguration,p=Package.blaze.Blaze,u=Package.blaze.UI,s=Package.blaze.Handlebars,d=Package.spacebars.Spacebars,g=Package.htmljs.HTML,f;(function(){a.__checkName("configureLoginServiceDialogForOidc"),a.configureLoginServiceDialogForOidc=new a("Template.configureLoginServiceDialogForOidc",function(){var e=this;return g.P("\n    You'll need to create an OpenID Connect client configuration with your provider.\n    Set App Callbacks URLs to: ",g.SPAN({class:"url"},p.View("lookup:siteUrl",function(){return d.mustache(e.lookup("siteUrl"))}),"_oauth/oidc"),"\n  ")})}).call(this),function(){a.configureLoginServiceDialogForOidc.helpers({siteUrl:function(){return e.absoluteUrl()}}),a.configureLoginServiceDialogForOidc.fields=function(){return[{property:"clientId",label:"Client ID"},{property:"secret",label:"Client Secret"},{property:"serverUrl",label:"OIDC Server URL"},{property:"authorizationEndpoint",label:"Authorization Endpoint"},{property:"tokenEndpoint",label:"Token Endpoint"},{property:"userinfoEndpoint",label:"Userinfo Endpoint"},{property:"idTokenWhitelistFields",label:"Id Token Fields"}]}}.call(this),function(){(f={}).requestCredential=function(e,o){o||"function"!=typeof e||(o=e,e={});var i=l.configurations.findOne({service:"oidc"});if(i){var r=c.secret(),t=n._loginStyle("oidc",i,e),a=i.requestPermissions||["openid","profile","email"];(e=e||{}).client_id=i.clientId,e.response_type=e.response_type||"code",e.redirect_uri=n._redirectUri("oidc",i),e.state=n._stateParam(t,r,e.redirectUrl),e.scope=a.join(" "),i.loginStyle&&"popup"==i.loginStyle&&(e.display="popup");var p=i.serverUrl+i.authorizationEndpoint,u=-1===p.indexOf("?");for(var s in e)u?(p+="?",u=!1):p+="&",p+=encodeURIComponent(s)+"="+encodeURIComponent(e[s]);e.popupOptions=e.popupOptions||{};var d={width:e.popupOptions.width||320,height:e.popupOptions.height||450};n.launchLogin({loginService:"oidc",loginStyle:t,loginUrl:p,credentialRequestCompleteCallback:o,credentialToken:r,popupOptions:d})}else o&&o(new l.ConfigError("Service oidc not configured."))}}.call(this),"undefined"==typeof Package&&(Package={}),function(e,o){for(var i in o)i in e||(e[i]=o[i])}(Package["salleman:oidc"]={},{Oidc:f})}();

I'm trying to get it working with this config, but it does not work yet:
https://github.com/wekan/wekan/wiki/OAuth2#auth0
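The two errors in this comment and the one before it come from configuration values arriving in an unexpected shape: the minified client code computes `scope` as `(requestPermissions || default).join(" ")`, which throws `a.join is not a function` when `requestPermissions` is a string rather than an array, and the server-side stack trace shows `_.pick(...)` failing with a null argument (the `Cannot use 'in' operator to search for 'null' in null` error). The following is an added example in JavaScript, not Wekan's code and not the salleman:oidc package's code, that reproduces both with small stand-ins and shows a tolerant version of each, plus a mapper for the `OAUTH2_*_MAP` settings that reports a missing claim by name instead of producing a user with an empty id. The `userinfo` object is constructed from the debug output quoted in the earlier comment; `normalizePermissions`, `pickClaims` and `mapProfile` are hypothetical helper names.

```javascript
// Added example, not Wekan's code and not the salleman:oidc package's code.
// All helper names are hypothetical; the sample userinfo is constructed from
// the debug output quoted earlier in this thread.

const DEFAULT_PERMISSIONS = ['openid', 'profile', 'email'];

// Same logic as the minified client code: (requestPermissions || default).join(" ").
// A string value, which is what `snap set ... oauth2-request-permissions="['openid', ...]"`
// hands over, has no .join, hence "a.join is not a function".
function buildScopeStrict(requestPermissions) {
  const a = requestPermissions || DEFAULT_PERMISSIONS;
  return a.join(' ');
}

// Tolerant version: accept an array, a space or comma separated string, or the
// bracketed-and-quoted string form; fall back to the defaults when empty.
function normalizePermissions(value) {
  if (value == null || value === '') return DEFAULT_PERMISSIONS.slice();
  if (Array.isArray(value)) return value.map(String).filter(Boolean);
  if (typeof value === 'string') {
    const parts = value.replace(/[\[\]'"]/g, '').split(/[\s,]+/).filter(Boolean);
    return parts.length ? parts : DEFAULT_PERMISSIONS.slice();
  }
  throw new TypeError(`requestPermissions must be an array or string, got ${typeof value}`);
}

function buildScope(requestPermissions) {
  return normalizePermissions(requestPermissions).join(' ');
}

// Server side: a whitelist that is null or not an array is treated as "nothing
// whitelisted", and only own properties named in the list are copied, so an
// unexpected claim never reaches the account record.
function pickClaims(userinfo, whitelistFields) {
  const fields = Array.isArray(whitelistFields) ? whitelistFields : [];
  const out = {};
  for (const f of fields) {
    if (userinfo && Object.prototype.hasOwnProperty.call(userinfo, f)) out[f] = userinfo[f];
  }
  return out;
}

// Apply OAUTH2_ID_MAP / USERNAME_MAP / FULLNAME_MAP / EMAIL_MAP to a userinfo
// response. Every mapped claim must be present and non-empty; a missing one is
// reported by name rather than yielding a user whose id is empty or undefined,
// which is the kind of value that can silently match the wrong existing account.
function mapProfile(userinfo, maps) {
  const result = {};
  for (const [field, claim] of Object.entries(maps)) {
    const v = userinfo ? userinfo[claim] : undefined;
    if (v === undefined || v === null || v === '') {
      throw new Error(`claim "${claim}" for ${field} is missing from userinfo`);
    }
    result[field] = v;
  }
  return result;
}

// Constructed from the debug output quoted earlier in this thread.
const SAMPLE_USERINFO = {
  sub: 'google-oauth2|12345678',
  given_name: 'Joe',
  family_name: 'Jackson',
  nickname: 'x',
  name: 'Joe Jackson',
  email: 'joe@example.org',
  email_verified: true,
};

// Mirrors the OAUTH2_*_MAP settings from the env block quoted above.
const ENV_MAPS = { id: 'sub', username: 'email', fullname: 'name', email: 'email' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildScope("['openid', 'profile', 'email']"));
  console.log(pickClaims(SAMPLE_USERINFO, ['sub', 'email']));
  console.log(mapProfile(SAMPLE_USERINFO, ENV_MAPS));
}
```

`buildScopeStrict` is kept only to show the failing path; the tolerant `buildScope` accepts the value exactly as the snap setting delivers it.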

xet7 added a commit that referenced this issue Feb 27, 2019
  configurable OAUTH2_ID_TOKEN_WHITELIST_FIELDS and
  OAUTH2_REQUEST_PERMISSIONS from Wekan v2.22-2.26.

Thanks to xet7 !

Closes #2206,
Related #1874,
Related #1722
@xet7
Member Author
xet7 commented Feb 27, 2019

Now Auth0 login works. https://github.com/wekan/wekan/wiki/OAuth2#auth0

@xet7 xet7 closed this as completed Feb 27, 2019