
Auth0 and Amazon setup

Josiah Ulfers edited this page Oct 16, 2020 · 14 revisions

We should change these instructions to use Terraform configuration. https://github.com/NLTGit/pagaf/issues/12

This uses Auth0 as an identity provider and federates with Amazon to store data in S3. There is a single "home bucket", and within that bucket there is one subdirectory per user, the contents of which are private to that user.

The static site can be hosted from anywhere. If hosting on S3, remember that the "home bucket" is not the bucket that hosts the static site.

Parameters from this setup will be used to construct an environment-specific file, config.json, with this structure:

{
  "auth0": {
    "domain": "[...].auth0.com",
    "client_id": "...",
    "audience": "..."
  },
  "aws": {
    "farmerRoleArn": "arn:aws:iam::[...]:role/[...]",
    "homeBucket": "..."
  }
}

Auth0

In Auth0, you'll need:

  1. A tenant
  2. An application
  3. An api

When you create the api, Auth0 automatically creates a "test application," which you can delete. I'm not sure why you can't repurpose it to be the main application, but the Auth0 browser sdk doesn't seem able to use it.

Creating an api in Auth0 seems silly since its parameters are never used in the Amazon setup but, without it, auth0.getTokenSilently() returns an opaque token instead of a jwt. Maybe there's a way to avoid it.

If you're hosting at http://localhost:8000/, configure the application's allowed URLs as:

  • Callback: http://localhost:8000/home.html
  • Logout: http://localhost:8000/
  • Web origins: http://localhost:8000

If you're not hosting the static site on localhost:8000, replace it with the appropriate origin (https://pagaf.nltmso.com/, for example).

Parameters from Auth0 go in the auth0 section of config.json:

  • domain: [auth0 tenant domain]
  • client_id: [auth0 application client id]
  • audience: [auth0 api identifier (not "id")]
    Although the audience here is a URL, it can be treated as an arbitrary identifier. Its only purpose in this setup is to persuade Auth0 to give the client a JWT instead of an opaque token.

Amazon

Amazon setup mimics https://aws.amazon.com/developers/getting-started/browser/ but with Facebook replaced by your Auth0 tenant as needed. Similar setups may be seen live in https://web-identity-federation-playground.s3.amazonaws.com/index.html

We might switch to saml. https://github.com/NLTGit/pagaf/issues/11

Create an OpenID Connect Identity Provider in IAM. Its parameters are:

  • provider url: https://[auth0 tenant domain]/
  • audience: [client id from your auth0 application]
    This is not the same as the auth0.audience value in config.json; it is the application's client id.

The provider url here must match the iss claim in the JWT exactly; Auth0 issues tokens with iss set to https://[auth0 tenant domain]/, so the trailing slash is required.

Next create a Web Identity iam role with a trust relationship to the identity provider. The Amazon gui creates a trust relationship policy automatically when you create a Web Identity role. It should look like this:

Effect: Allow
Principal:
  Federated: arn:aws:iam::[something]:oidc-provider/[auth0 tenant domain]/
Action: sts:AssumeRoleWithWebIdentity
Condition:
  StringEquals:
    # I find it strange that you need this condition. The examples use it,
    # so I'm keeping it, but I would think that the identity provider's
    # verification of the audience would be adequate.
    #
    # Also note that the `aud` here is actually coming from the `azp` claim;
    # See the explanation on https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif
    # 
    [auth0 tenant domain]/:aud: [auth0 application client id]

Beware that changes to this trust relationship policy don't take effect immediately. Also, be sure to include all the trailing slashes.
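The following is an added example, not code from the pagaf wiki or from the Auth0 or AWS SDKs. It ties the Auth0 audience point above (an opaque token is not a JWT and cannot be exchanged with STS) to the trust relationship just shown: it decodes an access token's payload and checks the claims the trust policy depends on, namely that iss equals the provider URL with its trailing slash, that azp (the source of the `[tenant]/:aud` condition key) equals the application client id, and that a sub claim exists for the S3 policy to use. The tenant domain, client id and token contents are constructed placeholders; signature verification is left to AWS STS, which fetches the tenant's signing keys itself.

```javascript
// Added example (not part of the pagaf project): inspect an Auth0 access token
// the way you would when debugging why AssumeRoleWithWebIdentity rejects it.
// Runs on Node.js; all values are constructed placeholders.

// base64url -> UTF-8 string (JWT segments are base64url without padding).
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Returns the payload of a JWT. An opaque Auth0 token (what getTokenSilently
// returns when no audience was requested) has no dot-separated segments and
// is rejected here, which is the symptom described on the page.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`not a JWT (expected 3 segments, got ${parts.length}); was an audience requested?`);
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Mirrors the trust policy conditions: iss must equal the OIDC provider URL
// including the trailing slash; the "<tenant>/:aud" condition key is populated
// from the azp claim; sub must exist because the S3 policy builds the home
// prefix from it. Expiry is checked because STS rejects expired tokens too.
function checkTrustClaims(claims, tenantDomain, clientId) {
  const problems = [];
  const providerUrl = `https://${tenantDomain}/`;
  if (claims.iss !== providerUrl) problems.push(`iss is ${claims.iss}, expected ${providerUrl}`);
  if (claims.azp !== clientId) problems.push('azp does not match the application client id');
  if (typeof claims.sub !== 'string' || claims.sub.length === 0) problems.push('sub claim missing');
  if (typeof claims.exp === 'number' && claims.exp * 1000 < Date.now()) problems.push('token expired');
  return { ok: problems.length === 0, problems };
}

// Builds an unsigned token with real base64url header and payload segments so
// the decoder sees realistic input. The signature segment is a placeholder.
function makeUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.signature-placeholder`;
}

const TENANT = 'example-tenant.auth0.com';   // placeholder tenant domain
const CLIENT_ID = 'ExampleClientId000000';   // placeholder application client id

// Constructed sample with the claim layout of an Auth0 access token for this
// setup: aud carries the API identifier, azp carries the client id.
const SAMPLE_TOKEN = makeUnsignedJwt({
  iss: `https://${TENANT}/`,
  sub: 'auth0|000000000000000000000000',
  aud: ['https://pagaf.example/api', `https://${TENANT}/userinfo`],
  azp: CLIENT_ID,
  exp: Math.floor(Date.now() / 1000) + 3600,
});

const sampleClaims = decodeJwtPayload(SAMPLE_TOKEN);
console.log(checkTrustClaims(sampleClaims, TENANT, CLIENT_ID));
```

When the check reports an iss mismatch, the usual cause is a provider URL entered in IAM without the trailing slash; when it reports an azp mismatch, the IAM provider's audience was set to the Auth0 API identifier rather than the application client id.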

Now attach policies to the IAM role to control resource access. This policy sets up per-user home directories in S3, similar to this example in Amazon docs. See home bucket setup for how to configure the bucket first, then come back to IAM and attach this policy to the role:

- Effect: Allow
  Action:
  - s3:ListBucket
  Resource:
  - arn:aws:s3:::[home bucket]
  Condition:
    StringLike:
      s3:prefix:
      - "${[auth0 tenant domain]/:sub}/*"
- Effect: Allow
  Action:
  - s3:GetObject
  - s3:PutObject
  - s3:DeleteObject
  Resource:
  - arn:aws:s3:::[home bucket]/${[auth0 tenant domain]/:sub}/
  - arn:aws:s3:::[home bucket]/${[auth0 tenant domain]/:sub}/*
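The following is an added example, not code from the pagaf project. It renders the role policy above as the JSON document IAM stores and simulates IAM's evaluation of it for one federated session, substituting the `${[auth0 tenant domain]/:sub}` policy variable with the session's sub claim. Running it shows the property the policy is meant to give: a user can list and touch objects only under their own prefix, and the bucket root and other users' prefixes are denied by default. The bucket name, tenant domain and sub values are constructed placeholders, and the glob and condition matching is a simplified model of IAM's, not the real evaluator.

```javascript
// Added example (not part of the pagaf project): simulate how the home
// directory policy confines each Auth0 user to their own S3 prefix.
// Runs on Node.js; bucket, tenant and sub values are placeholders.

const TENANT = 'example-tenant.auth0.com';   // placeholder tenant domain
const HOME_BUCKET = 'example-home-bucket';   // placeholder home bucket

// The policy variable exactly as it appears in the role policy on the page.
const SUB_VAR = '${' + TENANT + '/:sub}';

// The page's YAML policy, as the JSON IAM actually stores.
const HOME_POLICY = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['s3:ListBucket'],
      Resource: [`arn:aws:s3:::${HOME_BUCKET}`],
      Condition: { StringLike: { 's3:prefix': [`${SUB_VAR}/*`] } },
    },
    {
      Effect: 'Allow',
      Action: ['s3:GetObject', 's3:PutObject', 's3:DeleteObject'],
      Resource: [
        `arn:aws:s3:::${HOME_BUCKET}/${SUB_VAR}/`,
        `arn:aws:s3:::${HOME_BUCKET}/${SUB_VAR}/*`,
      ],
    },
  ],
};

// IAM fills policy variables at evaluation time from the session's claims;
// the <tenant>/:sub variable is only populated for sessions created through
// that OIDC provider with AssumeRoleWithWebIdentity.
function resolveVars(s, sub) {
  return s.split(SUB_VAR).join(sub);
}

// Simplified IAM glob: only '*' is special and matches any run of characters.
function globMatch(pattern, value) {
  const escaped = pattern.split('*').map((p) => p.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$').test(value);
}

// Default deny: an Allow statement must match action, resource and, when
// present, its condition. Explicit Deny statements are not modelled because
// the page's policy has none.
function isAllowed(policy, sub, request) {
  for (const stmt of policy.Statement) {
    if (stmt.Effect !== 'Allow' || !stmt.Action.includes(request.action)) continue;
    if (!stmt.Resource.some((r) => globMatch(resolveVars(r, sub), request.resource))) continue;
    if (stmt.Condition) {
      const wanted = stmt.Condition.StringLike['s3:prefix'].map((p) => resolveVars(p, sub));
      const got = request.context ? request.context['s3:prefix'] : undefined;
      // A missing prefix (listing the bucket root) fails a StringLike condition.
      if (got === undefined || !wanted.some((p) => globMatch(p, got))) continue;
    }
    return true;
  }
  return false;
}

// The two kinds of request the static site makes on behalf of a user.
function canListHome(sub, prefix) {
  return isAllowed(HOME_POLICY, sub, {
    action: 's3:ListBucket',
    resource: `arn:aws:s3:::${HOME_BUCKET}`,
    context: { 's3:prefix': prefix },
  });
}

function canTouchObject(sub, action, key) {
  return isAllowed(HOME_POLICY, sub, { action, resource: `arn:aws:s3:::${HOME_BUCKET}/${key}` });
}

// Constructed sub claims for two users of the same tenant.
const USER_A = 'auth0|aaaaaaaaaaaaaaaaaaaaaaaa';
const USER_B = 'auth0|bbbbbbbbbbbbbbbbbbbbbbbb';
console.log('A lists own home:   ', canListHome(USER_A, `${USER_A}/`));
console.log("A lists B's home:   ", canListHome(USER_A, `${USER_B}/`));
console.log('A lists bucket root:', canListHome(USER_A, undefined));
console.log('A reads own object: ', canTouchObject(USER_A, 's3:GetObject', `${USER_A}/notes.txt`));
console.log("A reads B's object: ", canTouchObject(USER_A, 's3:GetObject', `${USER_B}/notes.txt`));
```

The client must therefore always send a Prefix of `[sub]/` when listing; a listing of the bucket root is rejected, which is the intended behaviour rather than a misconfiguration. Because the variable name includes the tenant domain and the trailing slash, a typo there leaves the variable unresolved and every request denied.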

Add the Amazon parameters to config.json in the aws section:

  • farmerRoleArn: arn:aws:iam::[something]:role/[something]
  • homeBucket: [home bucket]

Now you should be able to visit the application and log in with an Auth0 account at your tenant.
