How To Define Modern Means Of Authentication Auth0 In Java?

After getting tremendous response from the readers, Aegis Softtech’s expert Java developers team once again brings new post in which experts are going to explain the concept of Auth0 and its uses. The java application development team once questioned about how to add Auth0 as an identity provider in AWS and to answer it, developers have worked with efficiency on related project that is also instanced in this post. Keep reading further to know more.

What is Auth0?

We all are aware of how authentication takes place by the traditional ways. Enter the login and password into the respective text boxes and zoom, you are good to go. The website, server gives you full access to the resources you have logged in to, and he/she can do anything and everything they want to do. Several examples of such login modules include, facebook.com, yahoo.com, gmail.com and many many others. Such authentication is very easy to implement. A certain amount of security is added to such modules which encrypt the credentials so that it is not easily hacked into by anyone. Java also offers a variety of security mechanisms that offer to protect the credentials and in all protect the Login module. But this is still the traditional approach. A more modern approach is provide roles to every user so that when he/she logs in, they are granted only certain access of the entire application. What if, I want to implement a scenario, wherein the credentials itself will be temporary. i.e., the credentials that I receive live only for a certain period of time after which I have to again request for the new credentials to continue the operations.

Why Auth0?

Many people have heard of OAuth. OAuth is a framework offered by Google to enhance the security that is being used to implement sensitive transactions or to access sensitive information. The basics of OAuth lies in providing a so called Bearer Token that can be used to access the resources in place of the user name and the password. There is yet another framework for security, Auth0. There is quite a difference in both technologies. While OAuth is used to provide a token for transactions, Auth0 is used to provide temporary credentials to a user enabling him to perform transaction for a certain period of time. Once the credentials expire, the user has to again request Auth0 to provide a new set of credentials to continue processing.

AWS and Auth0

Amazon Web Services (AWS) is a Cloud Service and it is one of the largest Cloud providers amongst all those who are available. AWS comes with a bunch of services, all of them catering to the cloud model, that allows any application to use the powerful advantages that the Cloud model suggests. Starting from sharing of the processing power, to the database, to the security system, to the sharing of computer hardware, it is one-stop-shop for any cloud requiring application.

Consider a use case wherein I would want to restrict the user from unlimited access to Amazon Web Services by simply providing him with the secret_key and access_key (they keys to access AWS). I would want to restrict the user to perform only some functions on AWS and also restrict him from indefinite access to those AWS resources by providing him with the temporary credentials. In order to achieve the functionality of temporary credentials for temporary access to AWS Services, a user has to request for the temporary credentials via Auth0. The logical flow to retrieve the credentials is as follows:

• 1. User requests for temporary credentials to Auth0
• 2. Auth0 delegates the request for the same to AWS
• 3. AWS returns to Auth0 with a set of temporary credentials if the delegated request happens to be an authentic one.
• 4. Auth0 then delegated those requested credentials to the user requesting them.

One might arise the question immediately as to why would AWS trust someone like Auth0 in the first place to give away its credentials. AWS doesn't recognize Auth0 and vice-versa. To achieve this trust relationship, one has to configure AWS to trust any request that comes via Auth0. Auth0 has to be added as an Identity Provider in AWS IAM (Identity and Access Management) in order to establish the trust relationship. Thereafter any request that will be delegated from Auth0 to AWS for temporary credentials will be considered as authentic one and therefore granted.

Add Auth0 as an Identity Provider in AWS

The following screen shots show how to add Auth0 as an Identity Provider in AWS.

In the metadocument field, one has to upload a file that is generated by Auth0 account that serves as the actual trust relationship between the two parties.

Once the trust relationship has been established, one has to configure IAM policies so that every request from Auth0 is not given complete access to all AWS resources. We need to limit down the permissions that is given to the user when he is given with the temporary credentials. Let us see how AWS restricts the usage of AWS Kinesis resources when any request comes from Auth0. To create this, we have to create a Role in AWS Analytics Solutions that defines the permissions that have to be granted.

Create a New Role in AWS IAM.

Mention any name to the Role

Select the option of Grant API access to SAML providers

In the value section, one has to mention the name of Auth0 organization which is meant for AWS to determine that only requests from the particular Auth0 org shall be granted.

This is the visual presentation of the mutual trust between the two.

Here we have to select a policy which defines the permissions that has to be granted. Here we are selecting the policy to be Read only access to Kinesis.

Review the policy and we are good to go.

Henceforth, any request from Auth0 to AWS with the role name as mentioned, will only be given the permissions of Kinesis read only part.

Auth0 Rules

function(user, context, callback) { varstreamToGrant = context.request.body.streamToGrant; var prod = user.Seller; if(prod!=null && prod != "" && prod != undefined) { var producers = prod.split(","); if (context.protocol === 'delegation') { for (vari = 0; i<producers.length; i++) { if (producers[i] === streamToGrant) { user.sub = streamToGrant; break;} } } } callback(null, user, context); }

In the above example, Auth0 expects a variable called producerStreamToGrant. It checks for its existence, and if it is found in the request, Auth0 will delegate the call to Auth0 along with the variable, and AWS in return will give back the credentials that has read only access in Kinesis only for that stream.

How to use Auth0?

Auth0 is basically a service that can be accessed from a variety of programming languages via the REST service interface. We shall be discussing the Java approach to the system, because the Java team in the company has had a long experience developing the applications using Auth0 to connect with AWS. The pre-requisites for operating in Java would be a JAVA SDK installed on the machine. Java development being the strong part, the article will mainly focus on accessing Auth0 using Java.

Auth0 API?

Following are the most important Auth0 API calls that are used very frequently and are the ones that we have been using in our projects.

1. RegisterUser: This is the API call that is used to create an a new user in Auth0.

JSONObject json = new JSONObject(); json .put(''email'', username); json .put("password", password); json .put("connection", "Username-Password -Authentication"); json .put("email_verified", true); DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost postRequest = new HttpPost("Registration URL"); StringEntity entity = new StringEntity (json.toString()); postRequest.setEntity (entity ); postRequest.setHeader ("Authorization","bearer " + authenticationToken); postRequest.setHeader("Content-Type", "application/json"J ; HttpResponse response = httpClient.execute(postRequest);

One has to always fetch an authentication token while calling any API service call to Auth0. The code to fetch an authentication token is as follows:

JSONObject json = new JSONObject(); json.put("client_id" .Auth0Constant.AUTH8_ CLIENTID) ; json.put("client_secret", Auth0Constant .AUTH8_CLIENTSECRET); json.put("grant_type", "client_credentials"); DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost postRequest = new HttpPost("Authentica tion URL"); StringEntity entity = new StringEntity(json.toString()); postRequest.setEntity (entity); postRequest.setHeader("Content-Type", "application/json"); HttpResponse response = httpClient .execute(postRequest);

One has to pass the CLIENT_ID and CLIENT_SECRET provided by Auth0 while fetching the authentication token from Auth0.

2. Auth0Login: This API is used to login into Auth0 using a username and a password

JSONObject json = new JSONObject(); json .put("client_id" , "Auth0ClientID"ll; json .put("username", username); json .put("password" , password); json .put("connection" , "Username-Password-Authentication"); json .put("grant_type", "password"); json .put(''scope'', ''openid''); DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPost postRequest = new HttpPost(authUrl); StringEntity entity = new StringEntity(json .toString()); postRequest.setEntity(entity); postRequest.setHeader("Content-Type", "application/json"); HttpResponse response = httpClient.execute(postRequest);

3. DeleteUserFromAuth0: This API call is used to remove a user from an Auth0 account.

DefaultHttpClient httpClient = new DefaultHttpClient(); HttpDelete getRequest = new HttpDelete(url); getRequest.setHeader("Authorization","bearer "+authenticationToken); getRequest.setHeader("Content -Type", "application/json"); HttpResponse response = httpClient .execute(getRequest);

4. ChangePasswordURL: This API is used to change the password of an Auth0 account.

JSONObject json = new JSONObject(); json.put ("email", username); json.put ("password ", newPassword) ; json.put ("connection", "Username -Password -Authent icat ion"); json.put ("verify", true); Def aultHttpClient httpClient = new DefaultHt tpClient(); HttpPut put Request = new HttpPut("Change Password URL"); StringEntity entity = new StringEntity(json.toString()); putRequest .setEntity (entity); putRequest .setHeader ("Aut horization ","bearer" + authenticat ionToken); put Request .setHeader ("Content -Type", "application/ json"); HttpResponse response = httpClient .execute(put Request);

5. LogoutAuth0: This API call is used to logout from Auth0

DefaultHttpClient httpClient = new DefaultHttpClient(); HttpGet getRequest = new HttpGet(logoutUrl); HttpResponse response = httpClient.execute(getRequest);

6. FetchMetadata: This API is used to fetch the metadata of an account in Auth0

DefaultHttpClient httpClient = new DefaultHttpClient(); HttpGet getRequest = new HttpGet(url); getRequest.setHeader (•Authorization","bearer "+ authenticationToken); getRequest.setHeader ("Content-Type", •application/json"); HttpResponse response = httpClient .execute(getRequest); HttpEntity hentity = response.getEntity();

7. UpdateMetadata: This API call is used to update the metadata of an account in Auth0

DefaultHttpClient httpClient = new DefaultHttpClient(); HttpPut postRequest = new HttpPut(url); StringEntity entity = new StringEntity (json.toString()); postRequest.setEntity (entity); postRequest.setHeader("Authorization","bearer "+authenticationToken); postRequest.setHeader("Content-Type", "application/json"); HttpResponse response = httpClient .execute(postRequest);

8. CheckUserExistence: This API call is used to check whether a user already exists in Auth0 or not.

DefaultHttpClient httpClient = new DefaultHttpClient(); HttpGet getRequest = new HttpGet("Check Existence URL"); getRequest.setHeader ("Authorization","bearer" + authenticationToken); getRequest.setHeader ("Content -Type", "application/json"); HttpResponse response = httpClient.execute(getRequest);

Hope you have grasp the concept of Auth0 and the trick to add it as an identity provider in AWS. This post is shared by Aegis Softtech Java application development team to enhance the skills of java developers. For java development related queries, kindly contact Aegis Softtech professionals.

For further information, mail us at [email protected]