Auth0-ci

Super simple CI scripts for Auth0


Keywords
auth0, ci, deploy
License
Other
Install
pip install Auth0-ci==1.0.5

Documentation

ci authzero-utils

Various scripts utilizing authzerolib to do things such as sync'ing authzero login page, rules, clients, settings, etc. Useful to run in your CI!

Usage

Credentials & Scopes

Prerequisites

  • Create a non-interactive (machine to machine) client (application) in your Auth0 deployment by going to the Applications section of the Auth0 UI
  • Authorize that Auth0 application so access the Management API by going to the APIs section of the Auth0 UI, selecting your application
    • The required scopes depend on the script, though they all follow these general rules:
      • do not require scopes allowing access to secrets if possible (passwords, keys, etc.)
      • require the minimum set of scopes possible
    • Here is a set of scopes you would need to grant for running most scripts present in this repository:
      • read:clients
      • update:clients
      • delete:clients
      • create:clients
      • read:rules
      • update:rules
      • delete:rules
      • create:rules

In Mozilla's Auth0 accounts use the existing Auth0 CI Updater client client which has already been created and granted the correct scopes.

Credentials

You can either pass the URI, CLIENTID and CLIENTSECRET as arguments on the command line or store them in credentials.json in the current working directory.

The syntax of credentials.json is

{
  "uri": "auth-dev.mozilla.auth0.com",
  "client_id": "AAA",
  "client_secret": "BBB"
}

Once these credentials are stored you need not pass them on the command line and can instead instantiate the tools like this

./uploader_rules.py -r rules

Scripts

uploader_login_page.py

SCOPES: update:clients

usage: uploader_login_page.py [-h] [-u URI] -c CLIENTID -s CLIENTSECRET
                              [--default-client DEFAULT_CLIENT] --login-page
                              LOGIN_PAGE

Example: ./uploader_login_page.py -u auth-dev.mozilla.auth0.com -c AAA -s BBB --default-client CCC --login-page some.html

Note that CCC above represents a special Auth0 "default" client. You can find this client_id by going to the "hosted page" setup in Auth0 and looking at your web-browser dev tools network tab. Click "preview page" and look for the client_id used in the requests.

uploader_rules.py

SCOPES: read:rules, update:rules, delete:rules, create:rules

usage: uploader_rules.py [-h] [-u URI] -c CLIENTID -s CLIENTSECRET
                         [-r RULES_DIR]

Example: ./uploader_rules.py -u auth-dev.mozilla.auth0.com -c AAA -s BBB -r rules

Where the rules directory contains JSON and JS documents such as these:

AccessRules.json:

{
    "enabled": true,
    "order": 1
}

AccessRules.js:

function (user, context, callback) {
  ...code here...
  return callback(null, null, context);
}

Note that this is the Auth0 GitHub extension rule format.

uploader_clients.py

SCOPES: read:clients, update:clients, delete:clients, create:clients

usage: uploader_clients.py [-h] [-u URI] -c CLIENTID -s CLIENTSECRET
                           [-r CLIENTS_DIR] [-g]
uploader_clients.py: error: the following arguments are required: -c/--clientid, -s/--clientsecret

Example: ./uploader_clients.py -u auth-dev.mozilla.auth0.com -c AAA -s BBB -r clients

Where the clients directory contains JSON formated Auth0 client descriptions. You can get all current clients from your Auth0 deployment to provision the initial setup with:

Example: ./uploader_clients.py -u auth-dev.mozilla.auth0.com -c AAA -s BBB -r clients -g

A client JSON file looks such as this:

1gBNrcIdcyuus3S8DdK7O9A5iFrAdTmj.json <= the file name is the client_id

{
    "tenant": "auth-dev",
    "global": false,
    "is_token_endpoint_ip_header_trusted": false,
    "name": "cis_hris_publisher",
    "is_first_party": true,
    "sso_disabled": false,
    "cross_origin_auth": false,
    "oidc_conformant": false,
    "client_id": "1gBNrcIdcyuus3S8DdK7O9A5iFrAdTmj",
    "callback_url_template": false,
    "jwt_configuration": {
        "lifetime_in_seconds": 36000,
        "secret_encoded": false
    },
    "app_type": "non_interactive",
    "grant_types": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "client_credentials"
    ],
    "custom_login_page_on": true
}