How Auth0 Uses Identity Industry Standards

When computers were mostly standalone systems, authentication (checking people are who they say they are) and authorization (allowing them access to specific information) codes, along with databases containing user information, were self-contained on the device. Even in the early days of the web, sites would handle security independently, using custom and proprietary code.

Fast-forward to today and you can use the same login information across multiple apps and sites, either social logins or your custom enterprise login information for work. This is due to identity industry standards being widely employed across the web.

Identity industry standards are open specifications and protocols providing explicit guidance on how to design authentication and authorization systems to manage identity, move personal data securely, and decide who can access applications and data, so multiple parties can achieve interoperability easily.

• Trust & Security
  • Using authentication standards increases security and lowers risk as the end-user only has to be identified and authenticated once by an identity provider, and then that identity information can be used across multiple systems. Authorization standards can increase privacy compliance as the amount of information shared can be easily controlled.
• Performance & Costs
  • Standards means your apps aren’t dependent on custom backend authentication code or on an internally hosted user database. An application can be developed internally and deployed externally without worrying about its connection to the original backend code and server. Use of identity standards can reduce cost by eliminating the need to scale one-off or proprietary solutions, and stronger authentication and authorization methods can be automatically updated without having to update significant amounts of code.
• Customer Satisfaction
  • End-user experience is drastically improved as new accounts don’t have to be registered for each new application and they know that their data is safely stored with the original identity provider. They can also use fewer, stronger passwords and login information throughout their accounts.

The following are the Identity Industry Standards used by Auth0.

• OAuth 1—In the original standard, shared secrets between a server and the end-user were used to calculate signatures that were then used verify the authenticity of API requests. However, implementing signatures was difficult and the upgrade to OAuth 2 removes the need for signatures and instead relies on SSL.
• OAuth 2—An authorization standard that provides secure access to resources of the end-user. It specifies a process allowing third-party access to resources, but without the end-user having to share their credentials. This is commonly used to log into applications using Google, Twitter, and Facebook accounts.
• Consumer-Oriented Authentication Standards
  • Open ID Connect—an identity layer that sits on top of OAuth 2 and allows for easy verification of the identity of the user, as well the ability to obtain basic profile information from the identity provider.
    To ensure that Auth0’s implementation is conformant we got OpenID certified.
  • JSON Web Tokens—an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. They can be used to pass the identity of authenticated users between the identity provider and the service requesting the authentication. They can be authenticated and encrypted.
• Enterprise Authentication Standards
  • Security Assertion Markup Language (SAML)—an open-standard, XML-based data format that allows businesses to communicate user authentication and authorization information to partner companies and enterprise applications their employees may use. SAML allows for platform neutrality, reduced costs, and risk transference of identity management.
  • WS-Federation—Developed by Microsoft and used extensively in their applications, this standard defines the way security tokens can be transported between different entities to exchange identity and authorization information.

All of these standards are available in Auth0, and implementation requires little to no recoding as you move between different protocols or identity providers.

The easiest way to get started with standards is to implement the Open ID Connect / OAuth 2 login protocol, using JWT as the access token. This will allow your users or employees to login in easily with any social identity provider.

There are 6 steps to implementing this with Auth0:

1. Setting up the callback URL in Auth0. To do this, add the information in the “Application Settings” page on the dashboard:

   http://www.yoursite.com/callback

2. Integrate Auth0Lock

   <script src='https://cdn2.auth0.com/js/lock-8.2.min.js'></script>
   <script type='text/javascript'>
       var lock = new Auth0Lock('4CvZhjoDtdwciSPYLaby6EdJA6eBBRsi', 'username.auth0.com');
       function signin() {
           lock.show({
               callbackURL: 'http://www.yoursite.com/callback',
               responseType: 'code',
               authParams: {
                   scope: 'openid profile'
               }
           });
        }
   </script>
   <button onclick='window.signin();'>Login</button>

3. After the user authenticates, your app will be called to this endpoint with a GET

   GET http://www.yoursite.com/callback?code=AUTHORIZATION_CODE&state=VALUE_THAT_SURVIVES_REDIRECTS

4. Your app will have to send the code to the Auth0 server through a POST

   POST https://username.auth0.com/oauth/token
   Content-type: application/x-www-form-urlencoded
   client_id=4CvZhjoDtdwciSPYLaby6EdJA6eBBRsi
   &redirect_uri=http://www.yoursite.com/callback
   &client_secret=4DxvHUwrabq6EQNe061PoFDeC5Ic5DamI2Eropuz-MLvi730WJijwZT6Zd6EM_nK
   &code=AUTHORIZATION_CODE
   &grant_type=authorization_code

5. The response of the server will look like this

   { 'access_token':'2YotnF..........1zCsicMWpAA', 'id_token': '......Json Web Token......', 'token_type': 'bearer' }

6. Finally, you can get the user profile by calling

   GET https://username.auth0.com/userinfo/?access_token=2YotnF..........1zCsicMWpAA

This will authenticate your users with their Open ID Connect identity provider, and pass back their normalized user profile for your application.

Implementing enterprise SSO is one of the easiest ways to take your SaaS upmarket and grow your revenue. Enabling enterprise clients to allow their employees to login to your application with their company details is likely a necessity for a potential enterprise customer to choose your SaaS.

Implementing SAML authentication in Auth0 is as easy as adding a few lines of code and adding your SAML identity provider information into the dashboard. The information you’ll need is:

• SSO Sign In URL
• SSO Sign Out URL
• X509 Signing Certificate

This information can be added on the “SAML” configuration page under “Enterprise Connections”:

To use with Lock, you can add a few lines of code to redirect the Login and Logout functions to your SAML identity provider using an Express implementation, and including passport.js:

var express = require('express'); 
var router = express.Router(); 
var passport = require('passport');  
  
/* GET users listing. */  
router.get('/', function(req, res, next) {  
    res.send(req.user); 
});  
  
router.get('/authenticate', 
    passport.authenticate('auth0', { 
        failureRedirect: '/error'  
    }), 
    function(req, res) { 
        if (!req.user) { 
            throw new Error('user null');  
        } 
        res.redirect('/'); 
    });  
  
router.get('/logout', function(req, res) {  
    req.logout(); 
    res.redirect('/'); 
}) 
 
module.exports = router;

You can learn more about this implementation by watching our video on switching to SAML.