@woloski
Last active Sep 13, 2016
webtask + auth0
wt create webtask.js --auth0

When browsing the webtask URL, the user will get a page with Lock. Once logged in, the result of the webtask will be shown.

The webtask will now have an "authenticated context" accessible through context.user.

Implementation note: use Lock popup mode and once you get the JWT, call the webtask from AJAX. The webtask is protected with JSON Web Tokens signed with a shared secret. Identity providers available: Google, GitHub and Facebook.

You can further restrict who can access the webtask by doing:

wt create webtask.js --auth0 --emails="@company.com, foo@gmail.com, regex.*@foo\.com"

We will check the email of the authenticated user and compare against these constraints and also check that email_verified is true.

Finally, allow the user to connect it to their own Auth0 account:

wt create webtask.js --auth0 --clientId=... --clientSecret=... --auth0Domain=....

If you browse the webtask now, the same thing as before happens but now you can control what identity providers to use. If you are building an application, you can now use Auth0 for authentication (using auth0js, oauth/ro or whatever you want to obtain a token) and call webtask with a valid JWT.
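
A sketch of the gate described above (shared-secret JWT, the `--emails` constraints, and the `email_verified` check), added here as an illustration and not taken from the webtask or Auth0 code. The function names and the rule semantics are assumptions: entries starting with `@` match a domain, entries containing `*` or `\` are regexes anchored at both ends, and anything else is an exact address.

```javascript
const crypto = require('crypto');

// JWT segments are unpadded base64url.
const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed helper that mints sample tokens for the demo; not an Auth0 API.
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Verify the signature with the shared secret; the algorithm is pinned to HS256.
function verifyHS256(token, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  } catch { return null; }
  // Rejects "none" and any algorithm the caller did not expect.
  if (!header || !claims || header.alg !== 'HS256') return null;
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  if (typeof claims.exp === 'number' && claims.exp * 1000 < Date.now()) return null;
  return claims;
}

// Apply the (assumed) --emails rules; email_verified must be the boolean true.
function emailAllowed(claims, spec) {
  if (claims.email_verified !== true || typeof claims.email !== 'string') return false;
  const email = claims.email.toLowerCase();
  return spec.split(',').map((s) => s.trim()).filter(Boolean).some((rule) => {
    if (rule.startsWith('@')) return email.endsWith(rule.toLowerCase());
    if (/[*\\]/.test(rule)) return new RegExp(`^(?:${rule})$`, 'i').test(email);
    return email === rule.toLowerCase();
  });
}

// Full gate: returns the claims (what the page calls context.user) or null.
function authorize(token, secret, spec) {
  const claims = verifyHS256(token, secret);
  return claims !== null && emailAllowed(claims, spec) ? claims : null;
}
```

The secret passed to `verifyHS256` must be the exact bytes the issuer signed with: if the issuer uses the decoded form of a base64 secret, pass `Buffer.from(secret, 'base64')` rather than the encoded string, or every signature check fails.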

@tjanczuk tjanczuk commented Jul 14, 2015

Do you expect this to authenticate the user (pop up UI), or only accept JWTs obtained out of band?

@tjanczuk tjanczuk commented Jul 14, 2015

In other words, do we target serving HTML or is this just for HTTP APIs?

Owner Author

@woloski woloski commented Jul 14, 2015

Just APIs for now. We can also have a "boilerplate" page that has Lock in it that will use Auth0 and get an id_token back and use that to call webtask.

@mgonto mgonto commented Jul 15, 2015

I like it. I don't think it's 100% clear how the --auth without the --clientSecret will work for the exercise. Will he hardcode his Auth0 client secret or how will that work in that case?

Also, I think it should be possible to specify only secret and not id.

BTW, Auth0 client secrets are base64 encoded, do we support both plain and encoded for using this without Auth0? How will that work?
