Identity Integration with Auth0, Part 2 – Rules and Applications

October 16, 2019 // Cloud Security

In Part 1 of this Auth0 series, you went over the basics of creating a tenant, adding some users, and hooking into common social providers for identity federation. Here in Part 2, we’ll extend that paradigm by introducing a few other capabilities that Auth0 offers, to give you an even better idea of what’s possible.

Without further ado, let’s dive right in.

Create First Rule

You can create various rules to enforce access controls. For example, you can edit the whitelist to only allow certain domains.

Reference the Rule docs.

There are a number of templates to choose from right out of the gate, including whitelisting certain apps, requiring certain AD group memberships, adding attributes to user profiles, and so forth.

Auth0 even provides a handy interface to test these rules, so you can view the coded details of the output, which helps with quick troubleshooting.

For example, try logging in with an account that is not on the whitelist – it should be blocked! You may need to clear the browser cache and cookies in order for the test to work. Or better yet, use InPrivate browsing for more accurate results.

As a second test, use an account that is allowed. It should be confirmed working when you get data back.
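
A domain allowlist rule of the kind described above, as an added example rather than code from the original post or from Auth0: it follows the `(user, context, callback)` rule signature, and the domain list, the `evaluate` harness and the sample users are constructed for illustration. `UnauthorizedError` is supplied by the Auth0 rule runtime; a local stand-in is defined here so the block runs offline in Node.js.

```javascript
// Stand-in for the UnauthorizedError global that the Auth0 rule runtime
// provides; defined only so this example runs offline (assumption).
class UnauthorizedError extends Error {}

// Constructed allowlist; replace with your organization's domains.
const ALLOWED_DOMAINS = ['example.com', 'example.org'];

// Rule in the (user, context, callback) shape that Auth0 rules use.
function emailDomainWhitelist(user, context, callback) {
  // An unverified address proves nothing about who controls the mailbox,
  // so it must never satisfy a domain check.
  if (!user.email || !user.email_verified) {
    return callback(new UnauthorizedError('Access denied.'));
  }
  // Compare the whole domain after the last "@", case-insensitively.
  // A substring or endsWith() test would also admit "notexample.com".
  const at = user.email.lastIndexOf('@');
  const domain = at > 0 ? user.email.slice(at + 1).toLowerCase() : '';
  if (!ALLOWED_DOMAINS.includes(domain)) {
    return callback(new UnauthorizedError('Access denied.'));
  }
  return callback(null, user, context);
}

// Hypothetical local harness: runs the rule once and reports the decision.
function evaluate(user) {
  let decision = null;
  emailDomainWhitelist(user, {}, (err) => {
    decision = err ? 'blocked' : 'allowed';
  });
  return decision;
}

// Constructed sample users, mirroring the blocked and allowed test logins.
const samples = [
  { email: 'alice@example.com', email_verified: true },
  { email: 'bob@EXAMPLE.org', email_verified: true },
  { email: 'carol@example.com', email_verified: false },
  { email: 'dave@notexample.com', email_verified: true },
  { email: 'erin@example.com.lookalike.test', email_verified: true },
];
for (const u of samples) console.log(u.email, '->', evaluate(u));
```

The unverified and look-alike-domain cases are the ones worth re-running in the rule test interface after any change to the allowlist.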

In the Latest Logins dashboard, you can see the history of the various auth methods used by these two accounts, each of which is provided by a different IDP (Azure AD, Google, and so on). Thus, you have full insight into user activity telemetry at a glance.

 

Integrate Applications

The goal of the last part of this introductory tutorial is to get you started with integrating apps into Auth0. This is where developers need to step in to link the Auth0 API code into your organization’s software stack, so break out your favorite code editor. We’ll use Visual Studio 2019 here. Auth0 provides plenty of samples in various programming languages that offer deeper insight on how the API works, which you can leverage to jump-start your own projects. For some starting points, take a look at the following links.

Auth0 Authentication API Webhooks and Management API Webhooks (Extension).

Repo Example: https://github.com/auth0/auth0-management-api-webhooks

Head over to the dashboard and create your first application in the programming language of your choice. Here, we’ll choose ASP.NET.

It will take you to a boilerplate starter application. If you download it from within the Auth0 portal, it will populate the JSON that contains the tenant metadata and shared secret for your app for you. Or you can get an agnostic version at the public GitHub repo:
https://github.com/auth0-samples/auth0-aspnetcore-mvc-samples/tree/master/Samples/custom-login

The main things you’ll need to do are define a callback URL and then compile the application.

Examine the properties of your new app, both in the Auth0 portal and in your local code editor. What’s there should match what’s in the JSON file; if not, edit the values. If you know the DNS name of the app, you can add that as the proper URL; otherwise it’ll default to allow any “localhost” name or IP address.

Provide the allowed callback URLs in the Auth0 portal. If you don’t do this, the app will throw an error. This is the minimal amount of information required to get it up and running, although there are plenty of supplemental options that’ll need consideration later on, such as OAuth, federation, metadata, certificates, and endpoints.

Don’t forget to save your changes – it’s all the way at the bottom!

Build the solution and test by running the SampleMvcApp in IIS Express (or whatever development environment you’re using). Voilà – it launches with debug output!

In the browser, there’s a Login button at the far right, pointing to http://localhost:3000/Account/Login

If all goes well, you’ll authenticate your test user account against Auth0 and grant them access to your app. It looks rather sparse at this point, but at least you’re on your way. You can copy and paste working parts of the code into a larger application as needed.

All tutorials are now complete! Next, you’ll need to continue exploring the code details and making modifications to the application.

Wrapping Up

Many samples will work right out of the box, which gives you a feel for how the API behaves and ways you can leverage it. But at this point, to take it to the next level you’ll need to get a number of outside elements together in order to make your application gel with your existing infrastructure. This includes things such as creating DNS records, publishing web servers, managing source code, and deploying it into the cloud in an automated and repeatable manner. Microservices such as Docker Containers hosted on the Azure Platform can enable rapid onboarding of such solutions. Codebase management can be facilitated via Azure DevOps, whose Pipelines enable Continuous Integration with Continuous Deployment capabilities. Frameworks such as these are a natural fit with a comprehensive Auth0 solution.

There is still much more to do in terms of fully leveraging Auth0, but hopefully by this point you can see the value such a service provides in terms of standardizing authentication providers and managing them in a consistent manner. If you want to discuss your identity management framework in greater detail, SWC Technology Partners has a team of well-versed engineers that can provide expert guidance and support for all your on-premises and in-cloud Information Technology platforms.