auth0

I am trying to create a spring resource server secured with oauth2. I am using auth0 for my auth2 service, and I have an api and client configured with scopes. I have a resource server that mostly works. It is secured, and I can use @EnableGlobalMethodSecurity and @PreAuthorize("#oauth2.hasScope('profile:read')") to limit access to tokens with that scope. However, when I try to get the Principal or the OAuth2Authentication they are both null. I've configured the resource server to use the JWK key-set-uri. I suspect that this has to do with the DefaultUserAuthenticationConverter trying to read

I started with Service Provider based SSO for SAML. Since the user had to enter his email before proceeding with the login, a state variable was initiated and passed on to the SSO. It comes back through the callback URL and hence was check again for the sanity purpose. It protected against CSRF attacks. Now IdP initiated SSO doesn't allow me to set state variable at all. Login starts at Identity Provider and only an auth token is provided to the app. I do not know which user is authenticating from the beginning. If I remove the state variable check, it could trigger a CSRF attack as well. I am

I'm trying to create a NestJS project that uses Auth0 for authentication, with the passport-jwt library (in conjunction with @nestjs/passport ), though I am unable to get it to work. I'm not sure where I'm going wrong. I've read the docs over and over again but still can't find the problem. Code /src/auth/jwt.strategy.ts import { Injectable, UnauthorizedException } from '@nestjs/common'; import { PassportStrategy } from '@nestjs/passport'; import { ExtractJwt, Strategy } from 'passport-jwt'; import { passportJwtSecret } from 'jwks-rsa'; import { xor } from 'lodash'; import { JwtPayload } from

I have an Auth0 client that's configured with the following callback URL: http://localhost:4200 I can log in just fine. The problem is when I navigate to a certain URL in my app: http://localhost:4200/places . Here's what happens: I navigate to http://localhost:4200/places Angular redirects me (correctly) to http://localhost:4200 I try to log in I get an error from Auth0 saying "The url " http://localhost:4200/places " is not in the list of allowed callback URLs". Auth0 is right, http://localhost:4200/places is not in my list of allowed callback URLs—and I don't want it to be. I don't want to

My use case is: Create users via API with custom fields, nominated password using any email address Update/disable those users via API 'Sign in' to Azure AD app with user details via rest API to obtain token Make authorised requests to Web API when token passed in Http header Can all of this be achieved with straight Azure AD/B2C or should I be looking at some other identity provider e.g. IdentityServer/Auth0? Edit 1 I'm getting very confused between AAD apps/users and B2C apps/users, there is very little guidance on what to use in this case. Using https://docs.microsoft.com/en-us/azure/active

I am authenticating users with auth0 to receive a id token containing the following claim "http://myapp.com/scope": "write" Using a Cognito identity pool with an OpenID authentication provider (namely, auth0), I am able to successfully get temporary credentials to access aws services. However, I want to restrict access to these services based on my custom claim above. I believe the proper way to do this is by editing the trust policy associated with my identity pool, but I am not sure how to add a condition to check for the above claim in my trust policy. The current default trust policy is {

I have created an Auth0 client, I am logging in and receive this token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVkdOa1l5T1VaQ1JqTkRSVE5EUmtNeU5rVkROMEUyUTBVMFJrVXdPVEZEUkVVNU5UQXpOZyJ9.eyJpc3MiOiJodHRwczovL3RvdGFsY29tbW56LmF1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwMzI5NzA4OTYyMTk5NjUwMjY2MiIsImF1ZCI6ImxTWUtXMUZZdENkMWJLQmdXRWN0MWpCbmtDU3R2dW5SIiwiaWF0IjoxNTA5ODYyMTI1LCJleHAiOjE1MTAyMjIxMjV9.kjmckPxLJ4H9R11XiBBxSNZEvQFVEIgAY_jj2LBy4sEJozBB8ujGE7sq9vEIjMms-Lv2q9WzFQPrqcxyBcYC4Je4QojMgvqLDCodtpot0QUle8QfGmonc1vZYIZyX-wqyOXtRqhoZVEKTeLhm9Le2CV4_a3BwgjkE1LjcDx01GZfsnaId8mh10kGk

Auth0 provides two JWT libraries, one for Node: node-jsonwebtoken , and one for Java: java-jwt . I created the private/public key pair, and used it successfully in Node with node-jsonwebtoken : var key = fs.readFileSync('private.key'); var pem = fs.readFileSync('public.pem'); var header = {...}; var payload = {...}; header.algorithm = "RS256"; var message = jsonwebtoken.sign(payload, key, header); var decoded = jsonwebtoken.verify(message, pem, {algorithm: "RS256"}); But I found no way of doing the same in Java with java-jwt . Anyone has a working example of how to use private/public keys for