Auth0 custom claims - jwt

I'm thinking of using Auth0 for my API and web application and have a query. When the JWT token is generated I would like to include some custom user claims that only exist in my user database. Is this possible, or do all claims need to exist as pre-defined attributes in Auth0?
I have my own user database because there are some dynamic and complicated user permissions that I need to store there. I realize that one option is not to store these permissions in the token and I could have a separate API to get them, but for performance and simplicity I'd rather wrap them into the JWT token. I can't seem to see a way to do this.
Thanks in advance

You can do that using Rules and Custom Claims, and they don't have to be predefined or even persistent in a user profile.
See
https://auth0.com/docs/scopes/current/custom-claims
https://auth0.com/docs/api-auth/tutorials/adoption/scope-custom-claims
for docs and examples.

Related

Keycloak getting identity provider token of user (Github)

I have successfully implemented Keycloak within my application, with the ability to login via Github.
Since I want to save the user's information in my own database, I have written an EventListenerProvider (in Java) to store the user's Keycloak ID and e-mail in my own database.
When the user registers and/or logs in through GitHub, I want to also get the GitHub token (and if need be the refresh token) and store it in my database. Preferably I would do this by creating an EventListener of sorts that does this during the registration process.
Is this possible at all and what is the best way to do this (preferably during registration or first sign-up moment)? Thanks in advance for any advice or pointers, much appreciated.
I have read the documentation and seen that this can be done through Keycloak API call, but that's not what I am looking for.

Correct way to customize a Keycloak access token when using Azure AD as the authentication provider [Keycloak]

We are using Azure AD as an IdP for authentication. We want to add additional attributes, like roles etc., to the access token. These additional attributes come from an existing application.
What is the correct way to get these attributes from the existing system and add them to the access token?
You can build your own custom claim mapper as presented here, which reads the custom claims from the application and adds them to the token.
Alternatively, you can also use script mappers. Finally, you can also have a look at UMA flow and use the feature of pushing claims.

Is there a way to authorize users with existing account only?

I am working on a Flutter mobile application where I use Google Sign-In for auth. Is there a way to authorize users with an existing account only?
Prevent users from creating new accounts? I've looked for the same thing without finding a way to do this with any Firebase project setting.
The solution, I believe, is to consider the difference between authentication and authorization. Firebase's Authentication service is aptly named. It does authentication: validates that a user is actually who they claim to be. It does not do authorization: control what actions authenticated users are allowed to perform or what data they can access within an application. App developers have to be responsible for managing user authorization.
One way to do this is to maintain a collection of "authorized users" in Firestore, for example. When a user authenticates, your app would perform a lookup to see if the current user is actually authorized or not. Security rules can be written for Firestore and Firebase Cloud Storage to also validate that the current user is in the "authorized users" collection before allowing access to data. But this requires extra data queries to obtain this authorization info.
The authorization method I prefer is to use Custom Claims which can be assigned using the Firebase Admin library. A custom claim can be added to an existing user account that can act as a flag indicating what type of authorization they're granted. Front-end code can check the authentication token they've been issued for the custom claim to determine the authorization they've been granted. Server-side code and security rules can also check for those required custom claims within submitted requests.
Realistically, any application you build where different users might have different levels of access will require you to deal with authorization. I believe that assigning carefully thought-out custom claims is the best solution.

Why is UserDetailsService being used in filters? JWT

I checked a lot of tutorials and examples of jwt, for example, if you google "spring-security jwt example" you will probably see those links:
https://www.callicoder.com/spring-boot-spring-security-jwt-mysql-react-app-part-2/
https://dzone.com/articles/spring-boot-security-json-web-tokenjwt-hello-world
https://www.javainuse.com/spring/boot-jwt
Question: their auth filters use UserDetailsService, so they are fetching data from the database as if it were just a simple token and not a JWT.
So I think I don't understand something.
UPD: what I would do:
Either create my own custom Authentication and custom AuthProvider,
or just use a JwtUtil class which will decode the JWT and then create a default UsernamePasswordAuthToken and set it into SecurityContextHolder.
After another review, I noticed that I missed an important note in Rajeev Singh's tutorial on callicoder:
Note that, the database hit in the above filter is optional. You could also encode the user's username and roles inside JWT claims and create the UserDetails object by parsing those claims from the JWT. That would avoid the database hit.
However, loading the current details of the user from the database might still be helpful. For example, you might wanna disallow login with this JWT if the user's role has changed, or the user has updated his password after the creation of this JWT.

OpenIdConnect: how to add additional claims in the token?

I'm quite new to OpenID Connect, so excuse me if I still miss some basic concept.
I have a SPA-style web application I'm developing for my company (ASP.NET Core + Aurelia).
I want to use Azure AD via OpenID Connect for authentication and authorization. Everything works very well so far; I'm able to obtain a token and sign in.
The problem is that my application needs to provide to the client's browser some app-specific claims like: can read X, can edit Y...
If I add these claims to the JWT token provided by Azure AD it will obviously become invalid, as the signature will not match the content.
If I generate a new token with the new claims, but signed with the app key, it will obviously be a different token valid only in the context of my app (what if I'll later need to access some other resource using the Azure AD token? Is it a good idea to insert the Azure AD token as a claim of the newly issued token?)
Is there something I'm missing in OpenID Connect? Or is there a way to add claims to a token issued by a 3rd-party provider like Azure AD while keeping the token valid? Maybe a way to ask Azure AD to add claims to the token and re-sign it?
I think a good way to solve this situation may be to obtain an access_token for my own application's API (from my app backend) in exchange for the id_token provided by Azure (after its validation),
so the application frontend in the browser will own two tokens and will be able to use the correct one for each type of request.
There are some standardized flows that are quite similar to this but not exactly the same.
You could try to use a custom claim mapping policy. This is documented here.
This feature is used by tenant admins to customize the claims emitted in tokens for a specific application in their tenant.
As far as I can understand, this is still in preview stage. So it may require some trial and error verification.
Alternatively, you can define some policy in your application itself. Given that you know the client IDs for your application (since you need to use them for OpenID Connect requests), you may create a simple policy to check tokens and perform verifications.