See the instructions here to use GitHub's feature to create a new repo from a template.
git clone [email protected]:dev-academy-challenges/boilerplate-full-stack-auth0.git [your-project-name]
cd [your-project-name]
cp client/auth_config.json.example client/auth_config.json
cp server/.env.example server/.env
npm install # to install dependencies
npm run knex migrate:latest
npm run knex seed:run
npm run dev # to start the dev server
You can find the server running on http://localhost:3000.
This repo includes:
- React Components:
- App
- Nav is used for login, logout, registration
- Authenticated is used for show/hide components if the user is logged in
- PingRoutes is used for testing the routes
- Users are used to display the registered users
- Registration is used to save the users' info after they are registered with Auth0
- an example database module (
server/db/users.js
) - an API client module (
client/apis/users.js
)
- Navigate to, Auth0.com and sign-up if you don't already have a tenant.
- Go to Applications, and click on Create Application button
- Give your application a meaningful name, then select Single Page Web Applications and click the Create button.
- In Auth0.com, set the Allowed Callback Url with
http://localhost:3000/
- In Auth0.com, set the Allowed Logout Url with
http://localhost:3000/
- In Auth0.com, set the Allowed Web Origins with
http://localhost:3000/
- In Auth0.com, create a new API and give it a name and an identifier, for example:
Default
andhttps://myapp/api
. This identifier will be used as theaudience
. Click Create. - On your new API page, click
Settings
and scroll down and to RBAC Settings and activateEnable RBAC
andAdd Permission in the Access Token
. - Go to
Permissions
, add the custom permissions that reflects your needs. For the purpose of this demo, create a permission calledread:my_private_route
.
Users who are assigned roles with these permissions will be able to access your back-end endpoints.
- If you have a REST API endpoint that you want it to be accessible only by users with a specific permission(s), you can add
[create|read|update|delete|use]:entityname
permission in Auth0.
Here are a few examples that may help you with modelling your routes with permissions:
Permission (Scope) | Description |
---|---|
read:employee |
Allows a user to view employees |
read:account_balance |
Allows a user to view account balances |
create:appointment |
Allows a user to create appointments |
update:reminder |
Allows a user to update reminders |
delete:song |
Allows a user to delete songs |
use:app |
Allows using an app |
Suppose you have an endpoint that returns the salary amount given the employee id. You don't want that to public or protected. Only users with whom have the read:account_balance
permission are allowed to consume this endpoint.
- Copy the Domain of your application in Auth0.com and paste it in the
domain
intoclient/auth_config.json
- Copy the Client ID of your application in Auth0.com and paste it in the
client
intoclient/auth_config.json
- Copy the API Audience URL from Auth0.com you created in the server setup and paste it in the
audience
intoclient/auth_config.json
In large companies and enterprises, assigning individual permissions to each user can be tedious. Instead, we use Roles. Roles are just a collection/container of permissions.
- In Auth0, and under User Management, click on Roles and click on create Role button.
- Give it a name and description, say Admin.
- Click on Permissions tab and click on add Permissions button.
- Select the API and the permissions you want to use for the role.
- Now the role is ready to be assigned for users.
- In Auth0 and under User Management, click on Users.
- Find the user you want to assign the Admin role to and click on it.
- Click on the Role tab, click on Assign Roles button and select the role from the drop-drown list.
Let's create a new application in Auth0, this application will be linked and connected to an out-of-the-box API that can retrieve metadata about users. This metadata will be the user's role.
- Go to Applications, and click Create Application button.
- Give it a name, for example,
Metadata Application
. - Select Machine to Machine Applications and click Create.
- Select the Auth0 Management API from the drop-down list.
- Open APIs tab and make sure that Auth0 Management API is enabled.
- Expand it and select the following permissions:
read:roles
read:users
read:role_members
- Open the Settings.
- Copy the Client ID and paste it in
AUTH0_MACHINE_2_MACHINE_CLIENT_ID
in the.env
file. - Copy the Secret and paste it in
AUTH0_MACHINE_2_MACHINE_SECRET
. - Set the
AUTH0_DOMAIN
to be your domain. It should look likehttps://mydomain.au.auth0.com
. - Set the
AUTH0_SSO_AUDIENCE
to be the sameaudience
in theclient/auth_config.json
.
Now the server will be able to get a new access token and retrieve the user's roles. If the logged-in user has a Role(s), it will be displayed next to the name. (see Nav.jsx
)
🎉 Congratulations! Your application is now Authenticated with Auth0 🎉