-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How is this package specific to Auth0? #224
Comments
You may very well be right. This package was created a few years back and we probably thought that Auth0 was the only identity provider supporting this protocol, or in any case we weren't using any others so we didn't want to assume it was generic while in fact it would work only with Auth0. Now the implementation is fairly simple but I think the best way forward to repurpose this is to have a confirmation that it works with other implementations as well. You said you were going to use it against an open source implementation, right? What best opportunity to check that it's working! :) Would you like to try it out and let us know if it works? |
Great, makes sense! 👍🏾 I'm planning to use it in an open source API server we'll start building in a few weeks, but the actual identity server is likely to be Google Identity-Aware Proxy (IAP) in our case. However, being our server open source and cloud-agnostic, other people could configure it to use Auth0, Cognito, etc. I haven't tried it yet, but one thing I just noticed might be problematic is the JWK URL: IAP doesn't use the Line 94 in df43876
Would you accept a PR to make the whole URL customisable? The |
absolutely! |
Fantastic! In that case I'll wait until we're ready to integrate IAP and create a single PR, in the very unlikely event that more changes were needed. |
@gnarea just checking if you managed to make any progress on this |
Thanks for checking in @simoneb! We haven't started yet as the project isn't 100% confirmed but if it all goes according to plan we should start in a month or so. |
No problem, keep us posted! |
I finally got round to looking into this, and got a proof of concept working. I've tested it with mock-oauth2-server. It's all very pretty straightforward but there's a couple of design decisions we should make before I propose a PR with tests: Domain vs URLWe're currently taking a I think the latter is worth considering if we're also dropping "auth0" from the name of this package. Certificate vs public keyThe current implementation is passing a PEM-encoded X509 certificate as a "secret" to Whilst it's certainly valid to pass the certificate as it contains the public key, I don't know why the original implementation didn't just convert the key from JWK to PEM. It's very unlikely, but maybe this is a workaround that was needed at some point -- and if it was indeed needed at some point, maybe old Auth0 tenants may be behind a feature flag that preserves the old (bogus) behaviour. All of this is extremely unlikely and I think we can just convert the key from JWK to PEM unconditionally. However, if we want to be extra cautious, we could do it only when the certificates are missing. |
Hi all, How to releaseSince we’re going to make We might work on a PR here and when good enough we could check it out on a new repo. In this regard we should find a good new name for it:
This would be a good moment to introduce the few expected breaking changes. auth0 support off the shelfSince we’re considering deprecating Back to the questionsDomain vs URLAs I said it's a good opportunity to introduce breaking changes which DX could benefit from. I would suggest designing APIs supporting Certificate vs public keyTrying to get more context:
If there is a more standard way to do so which works with Thanks again for raising this issue. I'm happy to discuss with you all any of the mentioned points. |
Thanks for looking into this @toomuchdesign! To answer your questions: How to releaseAgreed it'd be good to fork the project. Re: name, I think JWKS is the key word here. So maybe something like Re: breaking changes, I think it'd all be around the
auth0 support off the shelfWithout any further changes to accommodate Auth0 tenants, they'd just have to specify the full URL, including the Auth0 tenants won't have to change anything else if they were to migrate to the new package. Certificate vs public keyI'm not sure, it looks like the use of the certificate has always been around since the first commit: https://github.com/nearform/fastify-auth0-verify/blame/b6fc1006135b28dbcce5c3312e215ae728a16af2/index.js#L93
Makes sense, and I think the approach I'm proposing would meet those requirements. |
Thanks for the quick reply! Sounds good to me 👍 I was thinking that as soon as we decide the new name, we might create a new repo and move the operations there. I've just realised that the Beside the public
I understand they are private attributes, therefore we could safely rename those to something more generic, right? |
Thanks @toomuchdesign! Agreed 👌🏾 Re: |
Both Line 131 in 37c2baf
Are they going to be still relevant in the new vendor agnostic implementation? |
I meant people using this plugin shouldn't need to use those values directly, but we'll still need them inside the plugin -- although we don't need them to be decorated on the Fastify instance or request. |
Hey folks, thanks for looking into this. I think we have two options on the table:
I don't have strong opinions but whatever we do, we should decommission the old one to avoid having to maintain 2 codebases and 2 packages. My personal preference nonetheless would be for option 2) nonetheless. In any case and regardless of the decision, we should first make sure we have a service to test this against, to make sure that any chances we do are working. @gnarea do you have any recommendation about a spec-compliant service other than auth0 that we can use to test that whatever changes we make, this keeps working? |
So we have now integration tests against auth0! @gnarea would you mind opening a PR with your work so that we work together there? (we might need to rebase over the just updated master, happy to land a hand if the case) Also is there any JWT based auth provider you would recommend to add integration tests for? In the meanwhile I'm considering adding integration tests against https://www.npmjs.com/package/oauth2-mock-server |
Hi @gnarea! I'm taking a look at this oauth2 Fastify plugin: Is it able to fulfil your use case or it has something missing? UPDATE: I understand |
Hey folks! I'm terribly sorry for going quiet suddenly. I've been dealing with a couple of things that require my full attention, but things are going back to normal soon so I should be able to follow up on this by Monday at the latest. |
We can now close this because we have:
|
Hey everybody. That's fantastic, thank you so much! |
I've just checked the code and can't really see how it's specific to Auth0. It just looks like a spec-compliant package so it should work with any spec-compliant id server as far as I can see (the main spec here being RFC7517 or JWK). Right?
I'm considering using this package on an open source API server, and I don't want operators to be tied to Auth0, which is why I wanted to check.
The text was updated successfully, but these errors were encountered: