This PoC includes a pizza website that demonstrates how you can integrate with Auth0 with the following requirements:
- Users can sign up only by username and password.
- Only existing users can log in via a social provider.
- Users must verify their email address before they can place an order.
- Orders placed are stored in the user profile.
- The user's order history is added to their ID token when they log in.
- Install Terraform
- Move terraform.tf.template to terraform.tf
- Add your domain, client ID and secret for use with the management API to the Auth0 provider configuration.
- Go to
Branding -> Universal Loginand click theLogintab. - Enable 'Customize Login Page'.
- Add the following lines above where Lock is instantiated:
const allowSignUp = !config.extraParams.prevent_sign_up;
const initialScreen = allowSignUp ? 'signUp' : 'login';
const allowedConnections = allowSignUp ? ['Username-Password-Authentication'] : ['Username-Password-Authentication', 'google-oauth2'];
- Update options to use the following:
allowedConnections: allowedConnections,
allowSignUp: allowSignUp,
initialScreen: initialScreen,
You will need to manually set up the account linking extension in the dashboard. If you have followed the Universal login steps above you can skip the Update the login page step here.
To prevent users from signing up via Google you will need to edit the rule generated by the extension.
Change:
if (targetUsers.length > 0) {
context.redirect = {
url: buildRedirectUrl(createToken(config.token), context.request.query)
};
}
to:
if (targetUsers.length > 0) {
context.redirect = {
url: buildRedirectUrl(createToken(config.token), context.request.query)
};
} else if(context.connection === 'google-oauth2') {
callback(new UnauthorizedError('Social login is only available for existing users'));
}
To ensure the user can return later if they abandon the linking process, change:
function firstLogin() {
return context.stats.loginsCount <= 1;
}
to:
function firstLogin() {
return true;
}
There is also an edge case where you can attempt to sign in via Google (which still creates a profile in Auth0) and then sign up as a standard user and link it to the Google account, making Google the primary identity.
You can prevent this by only allowing account linking when signing in via Google. Add the following at the start of the generated rule function:
if(context.connection !== 'google-oauth2') {
return callback(null, user, context);
}
You can find all the necessary files in deploy/aws/backend.
- You will need an IAM user with full access.
- You will need the AWS SAM CLI installed.
You will need to add a public certificate for your custom domain in AWS and set the ARN accordingly in template.yml.
- Move
template.yml.templatetotemplate.yml. - Replace the placeholders in the parameter defaults as follows:
AUTH0_DOMAIN- your Auth0 domain (e.g.,your-tenant.eu.auth0.com)DOMAIN_CERTIFICATE_ARN- refer to Custom domain configurationCLIENT_ID- client ID of the non-interactive application created by TerraformCLIENT_SECRET- client secret of the non-interactive application created by Terraform
- Move
.env.templateto.envand fill in the values as follows:
JWKS_IDENTIFIER- your Auth0 tenant's JWKS endpoint (e.g.,https://your-tenant.eu.auth0.com/.well-known/jwks.json)AUDIENCE- the identifier of the API created by Terraform (should behttps://pizza.auth.yoga/api)TOKEN_ISSUER- your Auth0 issuer (e.g.,https://your-tenant.eu.auth0.com/)
To deploy your API for the first time run sam deploy --guided.
Should you choose to save the configuration you can subsequently run sam deploy without the --guided option.
You can find all the necessary files in src and deploy/aws/frontend.
Move auth.config.json.template to auth_config.json and set the values as follows:
domain- your Auth0 domain (e.g.,your-tenant.eu.auth0.com)clientId- the client ID of Pizza 42 created by Terraformaudience- the identifier of the API created by Terraform (should behttps://pizza.auth.yoga/api)
Also set your API base URL in src/api/axios.js.
You will need a non-interactive IAM user with AmazonS3FullAccess policy attached.
You will need to have added a certificate for your custom domain in AWS.
Create an S3 bucket and restrict public access. The bucket name should be the same as your custom domain name.
Please refer to Configuring a static website using a custom domain registered with Route 53 for further details. Despite the title you do not need to use Route 53.
For HTTPS you will need to create a CloudFront distribution to serve requests for your S3 bucket.
Create a CloudFront distribution with the following settings:
- Set
Viewer Protocol PolicytoRedirect HTTP to HTTPS. - Add your custom domain to
Alternative Domains (CNAMES). - Choose
Custom SSL Certificateand create and verify a certificate in AWS Certificate Manager if necessary. - Set
Restrict Bucket AccesstoYes. - Set
Origin Access IdentitytoCreate a New Identity. - Set
Grant Read Permissions on BuckettoYes, Update Bucket Policy.
Once you have created the distribution, go to Error Pages and add a custom error response with the following:
- Set
HTTP Error Codeto403 - Set
Response Page Pathto/index.html - Set
HTTP Response Codeto200
This will allow you to visit application routes directly.
Set a CNAME record for your domain that points to your CloudFront distribution domain. This will be in the format xxxxx.cloudfront.net.
Set BUCKET_NAME environment variable and run deploy.sh. This script will create a build before syncing to S3.
Application based on https://github.com/auth0-samples/auth0-react-samples/tree/master/Sample-01 Authorizer based on https://github.com/auth0-samples/jwt-rsa-aws-custom-authorizer
This project is licensed under the MIT license. See the LICENSE file for more info.