Auth0 Regular Webapp Passwordless Account Link
This node.js regular web app sample illustrates progressive profiling by detecting the need to capture mobile information post authentication and auto-account linking a Passwordless SMS connection type.
Also offers examples on how to do:
- Embedded Lock usage
- Centralised Login usage
- Refresh Token usage
- Single Sign-On usage
- Single Sign-Out usage
- Calling Auth0 userinfo api endpoint
- Calling two different external APIs using same Resource API and different scopes
- Progressive Profile Passwordless Account Linking
This application demonstrates the usage of a single Resource Server with namespaced scoping representing multiple APIs. This sample consists of:
- 2 Node.js APIs:
contacts
andcalendar
(you can think of them as microservices); - 1 Resource Server representing the 2 APIs;
- 2 Namespaced scopes:
read:contacts
andread:calendar
; - The Code Authorization Grant flow to obtain an
access_token
that works for both APIs
Illustration of Progressive Profiling for Mobile Number
Setup
Dashboard
You will need to create an API using the Auth0 Dashboard called organiser Service
with the unique identifier organise
(this is later used in the
audience
parameter of your Authorization URL).
The API needs two namespaced scopes:
read:contacts
read:calendar
Also need to
- Switch
Skip User Consent off
for the Organize Resource Server in Auth0 Dashboard - Switch on
Allow Online Access
for the Organise Resource Server in Auth0 Dashboard
Create a regular web application Client.
Under settings ensure you have:
Client-Type: Regular Web Application
Allowed Callback URLs:
Allowed Web Origins:
Allowed Logout URLs
Under tenant settings -> advanced -> Allowed Logout URLs
Under Advanced Settings -> Oauth, switch ON the OIDC Conformant toggle.
Connection Setup
Set up two connection types - SMS Passwordless and a vanilla username/password Database connection. Ensure each is associated with your Client.
This is important for the Passwordless SMS Account Linking.
Rules Setup
Copy the rule rules/check-sms-account-linked.js
into a new Rule in the Dashboard.
Name the Rule appropriate eg. Check SMS Account Linked
You will have to adjust the 2nd line to match your own client ID
Locally
Add:
127.0.0.1 app1.com
to your /etc/hosts
file.
This is important, all references locally are to app1.com
and not localhost
.
Required for cross-origin and SSO to work properly.
Running the Sample
Install the dependencies.
npm install
Rename .env.example
to .env
and replace the values for AUTH0_CLIENT_ID
,
AUTH0_DOMAIN
, and AUTH0_CLIENT_SECRET
(plus other settings) with your Auth0
credentials. If you don't yet have an Auth0 account, sign
up for free.
# copy configuration and replace with your own
cp .env.example .env
Enable Cross Origin Authentication
In order to be able to log-in with user and password you need to make sure you take into account the details explained in the Cross Origin Authentication documentation.
Run the Application
Run the application by executing the command below.
npm start
The app will be served at http://app1.com:3000
.
Two APIs are also running on ports 3001
and 3002
What is Auth0?
Auth0 helps you to:
- Add authentication with multiple authentication sources, either social like Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce, amont others, or enterprise identity systems like Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider.
- Add authentication through more traditional username/password databases.
- Add support for linking different user accounts with the same user.
- Support for generating signed Json Web Tokens to call your APIs and flow the user identity securely.
- Analytics of how, when and where users are logging in.
- Pull data from other sources and add it to the user profile, through JavaScript rules.
Create a free account in Auth0
- Go to Auth0 and click Sign Up.
- Use Google, GitHub or Microsoft Account to login.
Issue Reporting
If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
Author
License
This project is licensed under the MIT license. See the LICENSE file for more info.