HTTP Commander Auth0 integration
Auth0 - Single Sign On & Token Based Authentication Platform.
Auth0 is an enterprise-grade platform for modern identity.
Auth0 secures and solves the most complex identity use cases with an extensible,
easy-to-integrate platform that powers billions of logins every year, in both public cloud and
on-premises deployments.
Enabling Auth0 support
To use Auth0 authentication in HTTP Commander, follow these steps:
- Only the Forms version of HTTP Commander supports Auth0 authentication.
- If you do not already have an Auth0 account, sign up. After creating an account, you can immediately choose which types of authentication to use (social logins, database).
- Go to the Auth0 Dashboard and press the + NEW CLIENT button. Enter the client name, select the type Regular Web Applications and press the Create button.
- After creating the client, go to the Settings tab and, in the Allowed Callback URLs field, specify the full address of Handlers/AnonymousDownload.ashx in lowercase (for example https://yourdomain.com/htcomnet/handlers/anonymousdownload.ashx), then press the SAVE CHANGES button below.
- Next go to Account Settings → Advanced and, in the Allowed Logout URLs field, specify the full path to the Default.aspx page in lowercase (for example https://yourdomain.com/htcomnet/default.aspx), then press the SAVE button.
- For more info see the Clients documentation.
- Then return to the Auth0 client settings (Clients → Your Client Name → Settings tab). Open the HTTP Commander settings (Admin Panel → Settings tab) in a separate browser tab, enable the display of advanced parameters, and in the Auth0 section fill in the corresponding parameters (Auth0Domain, Auth0ClientId, Auth0ClientSecret) and set EnableAuth0 = true (see also the other settings in the Auth0 section). After that, save the settings and restart the application.
- Next, add a system.identityModel section, the SessionAuthenticationModule module and machineKey settings to the Web.config file.
Attention! If you do not do this (or do it only partially), you will receive the error message ID7027: Could not load the identity configuration ... when the application loads, or the Auth0 Lock screen will be shown again every time you try to log in.
To add these settings, open the Web.config file (in the HTTP Commander root folder) in a text editor (for example, Notepad) and make the following changes:
- Uncomment (or add, if it does not exist) the system.identityModel config section in configSections:
    ...
    <configuration>
      <configSections>
        ...
        <!-- To enable Auth0 - uncomment the line below, to disable - comment out -->
        <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      </configSections>
    </configuration>
    ...
- Uncomment (or add, if it does not exist) the SessionAuthenticationModule module in system.web/httpModules:
    ...
    <httpModules>
      ...
      <!-- To enable Auth0 - uncomment the lines below, to disable - comment out -->
      <remove name="SessionAuthenticationModule" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    </httpModules>
    ...
- Uncomment (or add, if it does not exist) the machineKey config at the end of the system.web section:
    ...
    <!-- Set machine key for cross-authentication forms and Auth0 -->
    <!-- To enable Auth0 - uncomment the lines below -->
    <machineKey
      validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
      decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
      validation="SHA1" />
    </system.web>
    ...
Attention! Be sure to replace the values of the validationKey and decryptionKey attributes with your own. To do this, use the instruction Add machineKey sections to web.config files.
- Uncomment (or add, if it does not exist) the SessionAuthenticationModule module in system.webServer/modules:
    ...
    <modules>
      ...
      <!-- To enable Auth0 - uncomment the lines below, to disable - comment out -->
      <remove name="SessionAuthenticationModule" />
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" preCondition="managedHandler" />
    </modules>
    ...
- And finally, uncomment (or add, if it does not exist) the system.identityModel section settings at the end of the Web.config file:
    ...
    <!-- To enable Auth0 - uncomment the lines below, to disable - comment out -->
    <!-- TODO: The MachineKeySessionSecurityTokenHandler makes use of the machine key. Please configure that from system.web/machineKey -->
    <system.identityModel>
      <identityConfiguration>
        <securityTokenHandlers>
          <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        </securityTokenHandlers>
      </identityConfiguration>
    </system.identityModel>
    </configuration>
Attention! If you want to disable the Auth0 integration, be sure to comment out (in addition to setting EnableAuth0 = false) the changes in the Web.config file described above.
Users management
After setting up Auth0, storing, authenticating and managing users and groups is carried out in the Auth0 platform (Accounts.xml is no longer used).
To create and manage users, go to the Users section.
You can also enable logins using social connections (Connections → Social).
After enabling the social connection you need and saving its settings, do not forget to also enable the previously created HTTP Commander client on the Clients tab of the provider setup.
Also, some social providers (e.g. Bitbucket) require their own Client ID to be specified instead of the Dev Key from Auth0.
Note! If you use social connections, be sure to mark the attribute with the e-mail address in the settings of each connection so that it is transmitted with the user profile at login.
This is required so that you can use the template %USEREMAIL% in folder paths.
Note also that Twitter does not support passing the e-mail address at login.
For folder paths the template %USERID% is also supported; it is replaced by the Auth0 user ID, for example auth0|560ebaeef609ee1adaa7c551 or google-oauth2|115015401343387192604.
In addition, you can configure a rule to automatically merge logins with the same e-mail address into one account.
It is recommended that you use the Link Accounts with Same Email Address while Merging Metadata rule template so that the list of groups to which these accounts belong is preserved. Please see the Automatic Account Linking manual.
See also Social Login - Time to implement it in your apps.
In addition, you can configure many other parameters, for example the password policy, whether a username is required, etc. (go to Database Connections and select Username-Password-Authentication).
You can also enable or disable, on the Auth0 logon screen (Auth0 Lock), the option to recover the password (parameter EnablePasswordRecovery) and the option to sign up (parameter EnableAnonymRegister). Keep in mind that if Disable Sign Ups is set in the Database Connections settings, the parameter EnableAnonymRegister will not affect the ability of new users to register.
You can also customize the logo and header text using the parameters LoginFormHeaderLogoUrl and LoginFormHeaderHtml.
For more info see User Profile documentation.
Setting up and managing groups
Be sure to configure group support in Auth0. This is required for administrators to access HTTP Commander (parameter Administrators) and for configuring folder permissions (Folder permissions). To do this, follow these steps:
- Go to Auth0 Extensions, select and install the Auth0 Authorization extension.
- After installing the extension, go to its configuration (from the account drop-down menu at the top right), enable all settings related to groups and press the PUBLISH RULE button.
- Next, go to the Groups section, create groups and add users to them.
- Next, go to the Rules section, click the + CREATE RULE button, select the empty rule template, specify a rule name and paste the rule code below:
Rule code
    function (user, context, callback) {
      // Custom claims must be namespaced with a URL; the groups assigned by the
      // Authorization extension are copied into the ID token under this claim
      var namespace = 'https://element-it.com/';
      context.idToken[namespace + "groups"] = user.groups;
      callback(null, user, context);
    }
- For more info see Auth0 Authorization Extension Help
- Additionally, you can configure a rule to automatically add new users to an existing group, for example new social logins to a previously created group 'Social'. To do this:
- Go to the Advanced tab in the Account Settings and enable the APIs section. After that, go to the API section that appears in the menu on the left and click GOT IT! LET'S ROCK!
- Next, go to the Authorization section and, on the page that opens, Account Settings → API. Enable API Access and press the SAVE button.
- Then, go to the API section, click auth0-authorization-extension-api in the list that appears, and click the Non Interactive Clients tab. Next, enable authorization for the previously created HTTP Commander client, select all scopes and click UPDATE and then CONTINUE.
- Next, go to the Rules section, click the + CREATE RULE button, select the empty rule template, specify a rule name and paste the rule code below:
Rule code
    function (user, context, callback) {
      // Only the first login is a sign-up; on any later login, continue without changes.
      // The `return` is required, otherwise the rule falls through and invokes the
      // callback a second time.
      if (context.stats.loginsCount > 1) {
        return callback(null, user, context);
      }

      // Replace the placeholders with your own values (see the notes below the rule)
      var domain = 'YOUR-DOMAIN.auth0.com',      // e.g. you.auth0.com
          clientId = 'YOUR-CLIENT-ID',
          clientSecret = 'YOUR-CLIENT-SECRET',
          baseUrl = 'https://YOUR-DOMAIN.us.webtask.io/adf6e2f2b84784b57522e3b19dfc9201',
          groups = [ 'GUID-OF-YOUR-GROUP' ];

      // Run only for the specified client and only for social connections
      if ((context.clientID !== clientId) || !user.identities[0].isSocial) {
        return callback(null, user, context);
      }

      // Obtain a client-credentials token for the Authorization extension API,
      // then add the new user to the configured groups
      getAccessToken(domain, clientId, clientSecret, function(err, token) {
        if (err) {
          return callback(err);
        }
        addUserToGroups(baseUrl, user.user_id, groups, token, function(err) {
          if (err) {
            return callback(err);
          }
          callback(null, user, context);
        });
      });

      // PATCH /api/users/{id}/groups on the Authorization extension API.
      // `request` and `UnauthorizedError` are provided by the Auth0 rules sandbox.
      function addUserToGroups(baseUrl, userId, groups, token, cb) {
        request.patch({
          url: baseUrl + '/api/users/' + userId + '/groups',
          headers: {
            'Authorization': 'Bearer ' + token
          },
          json: groups,
          timeout: 15000
        }, function(err, response, body) {
          if (err) {
            return cb(err);
          }
          if (response.statusCode !== 204) {
            // Parenthesised so that a missing body falls back to the status code
            return cb(new UnauthorizedError('Error while adding user to groups: ' + ((body && body.message) || response.statusCode)));
          }
          return cb(null);
        });
      }

      // Client-credentials grant against the tenant's /oauth/token endpoint
      function getAccessToken(domain, clientId, clientSecret, cb) {
        request.post({
          url: 'https://' + domain + '/oauth/token',
          json: true,
          form: {
            audience: 'urn:auth0-authz-api',
            client_id: clientId,
            client_secret: clientSecret,
            grant_type: 'client_credentials'
          },
          timeout: 15000
        }, function(err, response, body) {
          if (err) {
            return cb(err);
          }
          if (response.statusCode !== 200) {
            return cb(new UnauthorizedError('Error while getting token: ' + ((body && body.message) || response.statusCode)));
          }
          return cb(null, body.access_token);
        });
      }
    }
Replace YOUR-DOMAIN (without the auth0.com suffix), YOUR-CLIENT-ID and YOUR-CLIENT-SECRET with the values configured earlier.
Replace GUID-OF-YOUR-GROUP with the GUID of the group you want.
To find the group GUID, go to Auth0 Dashboard → Authorization → Configuration (from the drop-down account menu at the top right) → Import / Export tab and find the _id field of your group.
After updating the rule code, click the SAVE button and drag the created rule to the top of the rules list.
- For more info see the Forum topic: How to auto-assign a set of permissions (from a role).
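The two rules above (the groups claim rule and the auto-assign rule) re-implemented as plain functions, as an added example that is not HTTP Commander's or Auth0's own code, so that they can be exercised offline before being published in the Dashboard. `request` and `UnauthorizedError`, which are globals in the Auth0 rules sandbox, are injected; a constructed fake stands in for the network; and the domain, client id, webtask URL and group GUID are placeholders.

```javascript
'use strict';

const NAMESPACE = 'https://element-it.com/';

// Rule 1 from the group setup steps: expose the Authorization extension's
// user.groups as a namespaced custom claim in the ID token.
function groupsClaimRule(user, context, callback) {
  context.idToken = context.idToken || {};
  context.idToken[NAMESPACE + 'groups'] = user.groups || [];
  return callback(null, user, context);
}

// Rule 2 (auto-assign new social users to a group). `request` and `UnauthorizedError`
// are injected so a test double can replace the network; cfg carries the same
// placeholders as the rule on the page.
function makeAutoGroupRule(cfg, request, UnauthorizedError) {
  return function autoGroupRule(user, context, callback) {
    // Only the first login is a sign-up. Every branch returns: a rule that reaches
    // the callback twice leaves Auth0 with an undefined result.
    if (context.stats.loginsCount > 1) return callback(null, user, context);
    if (context.clientID !== cfg.clientId || !user.identities[0].isSocial) {
      return callback(null, user, context);
    }
    request.post({
      url: 'https://' + cfg.domain + '/oauth/token',
      json: true,
      form: { audience: 'urn:auth0-authz-api', client_id: cfg.clientId,
              client_secret: cfg.clientSecret, grant_type: 'client_credentials' },
      timeout: 15000
    }, function (err, res, body) {
      if (err) return callback(err);
      if (res.statusCode !== 200) {
        return callback(new UnauthorizedError('Error while getting token: ' + ((body && body.message) || res.statusCode)));
      }
      request.patch({
        url: cfg.baseUrl + '/api/users/' + user.user_id + '/groups',
        headers: { Authorization: 'Bearer ' + body.access_token },
        json: cfg.groups,
        timeout: 15000
      }, function (err2, res2, body2) {
        if (err2) return callback(err2);
        if (res2.statusCode !== 204) {
          return callback(new UnauthorizedError('Error while adding user to groups: ' + ((body2 && body2.message) || res2.statusCode)));
        }
        return callback(null, user, context);
      });
    });
  };
}

// Constructed test double for `request`: records every call and answers with the
// responses the real endpoints give on success (200 with a token, 204 no content).
function fakeRequest(log) {
  return {
    post(opts, cb) {
      log.push({ method: 'POST', url: opts.url });
      cb(null, { statusCode: 200 }, { access_token: 'constructed-token' });
    },
    patch(opts, cb) {
      log.push({ method: 'PATCH', url: opts.url, auth: opts.headers.Authorization, groups: opts.json });
      cb(null, { statusCode: 204 }, undefined);
    }
  };
}
class FakeUnauthorizedError extends Error {}

// Run a rule to completion (the fakes call back synchronously) and count how many
// times the callback was reached: exactly once is the invariant that matters.
function runRule(rule, user, context) {
  const outcome = { calls: 0, err: undefined, context: undefined };
  rule(user, context, function (err, u, c) { outcome.calls += 1; outcome.err = err; outcome.context = c; });
  return outcome;
}

function demo() {
  // Constructed configuration: placeholders only, nothing here points at a real tenant.
  const cfg = {
    domain: 'example.auth0.com', clientId: 'client-id-constructed',
    clientSecret: 'client-secret-constructed',
    baseUrl: 'https://example.us.webtask.io/AUTHZ-EXTENSION-ID-PLACEHOLDER',
    groups: ['00000000-0000-0000-0000-000000000000']
  };
  const log = [];
  const rule = makeAutoGroupRule(cfg, fakeRequest(log), FakeUnauthorizedError);
  const socialUser = { user_id: 'google-oauth2|115015401343387192604',
                       identities: [{ isSocial: true }], groups: ['Social'] };
  const firstLogin = runRule(rule, socialUser, { clientID: cfg.clientId, stats: { loginsCount: 1 } });
  const laterLogin = runRule(rule, socialUser, { clientID: cfg.clientId, stats: { loginsCount: 2 } });
  const dbUser = { user_id: 'auth0|560ebaeef609ee1adaa7c551', identities: [{ isSocial: false }], groups: [] };
  const dbSignup = runRule(rule, dbUser, { clientID: cfg.clientId, stats: { loginsCount: 1 } });
  const claims = runRule(groupsClaimRule, socialUser, { idToken: {} });
  return { firstLogin, laterLogin, dbSignup, claims, log };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node: the first social login produces exactly one token request and one PATCH carrying the bearer token, while a repeat login and a database sign-up produce no network calls and still reach the callback exactly once. The client secret sits in `cfg` here only for the test double; in the Dashboard, the key/value pairs under Rules settings, read through the `configuration` object inside a rule, keep it out of the rule source.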
Restrictions
- Attention! It is also necessary to set up support for Auth0 groups, because access to folders in HTTP Commander is configured based on groups (or regular expressions). The templates %USEREMAIL% and %USERID% (e.g. auth0|58eb747607569f19d5c62c8f) for folder paths are also available.
- Note 1! When Auth0 authentication is used, editing in MS Office / OpenOffice desktop applications (via the WebDAV protocol) is possible only if the parameter AnonymousEditingOffice = true. Mapping WebDAV folders is not possible.
- Note 2! Also, when Auth0 authentication is enabled:
- Note 3! In the e-mail notification settings, it is also recommended to use user groups instead of specific user names.
Troubleshooting
- If you see the error ID7027: Could not load the identity configuration ... when you open HTTP Commander, then the system.identityModel section, the SessionAuthenticationModule module and the machineKey in the Web.config file must be configured correctly; for this, refer to the instruction.
- If you see the error Error occurred during a cryptographic operation when you open HTTP Commander, then the machineKey settings in the Web.config file must be added and configured correctly; for this, refer to the instruction.
- The Auth0 Lock login screen opens successfully, but when you enter the correct user name and password, the login form appears again each time. To fix this, configure Web.config properly and make sure that the SessionAuthenticationModule is included in the system.webServer/modules (and system.web/httpModules) section.