auth0

Table of Contents

1. Description
2. Setup - The basics of getting started with auth0
3. Usage - Managing Auth0
4. Usage - Querying Auth0
5. Limitations - OS compatibility, etc.
6. License and Authorship
7. Development - Guide for contributing to the module

Description

This module allows you to use Puppet to manage your Auth0 entities. It also provides the ability to query Auth0 and retrieve credentials for use in Machine-to-Machine authentication flows (which you can then write to an application configuration file).

Setup

In order for Puppet to access Auth0, you will need to create a Machine-to-Machine Application (aka a non_interactive client) inside Auth0, and grant that client access to the Auth0 Management API. See Machine-to-Machine Applications for details. The scopes used by each resource type and function are documented in REFERENCE.md.

This module treats each Auth0 tenant as a remote 'device', and uses the puppet device pattern for managing Auth0 resources. See the Puppet Device Documentation for details. The easiest way to get started is to use the puppetlabs-device_manager module, like so:

device_manager { 'my-tenant.auth0.com':
  type        => 'auth0_tenant',
  credentials => {
    client_id     => $management_client_id,
    client_secret => $management_client_secret,
    domain        => 'my-tenant.auth0.com',
  },
}

The proxy node that is running puppet device will need to have the auth0 gem installed. The easiest way to set this up is to use the puppet_gem provider for the package resource type:

package { 'auth0':
  ensure   => '4.11.0',
  provider => 'puppet_gem',
}

To use the auth0_get_client_credentials function you will also need the auth0 gem installed on the Puppet Server. The easiest way to set this up is with the puppetlabs-puppetserver_gem module:

package { 'auth0':
  ensure   => present,
  provider => 'puppetserver_gem',
}

If you are using this module with Puppet 5, you will need to have access to the puppet-resource_api gem on both your server and agents. You can either do this via package resources with the puppet_gem and puppetserver_gem types as above, or use the puppetlabs-resource_api module to do it for you.

Usage - Managing Auth0

These resource types can be used in a Device context to manage resources via the Auth0 Management API

Creating a Client (Application)

auth0_client { 'example_application':
  display_name    => 'Example Application',
  description     => 'An example application to show how to use the auth0 Puppet module.',
  app_type        => 'non_interactive',
  callbacks       => ['https://app.example.com/callback'],
  allowed_origins => ['https://app.example.com'],
  web_origins     => ['https://app.example.com'],
}

For Clients, the resource title will be stored in the client_metadata as puppet_resource_identifier.

If you pass keep_extra_callbacks => true, then callbacks defined in Auth0 but not in Puppet will be retained; otherwise they will be removed. This is useful for dev/test tenants in which individual developers may add callbacks on localhost through the dashboard. keep_extra_allowed_origins, keep_extra_web_origins and keep_extra_logout_urls function similarly.

Creating a Resource Server (API)

auth0_resource_server { 'https://api.example.com':
  display_name => "Example API",
  signing_alg  => "RS256",
  scopes       => {
    'read:thingies'  => 'Get information about Thingies',
    'write:thingies' => 'Create, update and destroy Thingies',
    'read:doodads'   => 'Get information about Doodads',
  },
}

Grant a Client access to a Resource Server with a Client Grant:

auth0_client_grant { 'Give Example Application access to Example API':
  client_resource => 'example_application',
  audience        => 'https://api.example.com':,
  scopes          => [
    'read:thingies',
  ],
}

# Equivalent to above
auth0_client_grant { 'example_application -> https://api.example.com':
  scopes => [
    'read:thingies',
  ],
}

Define a Rule

auth0_rule { 'Example Rule':
  script => file('profile/auth0/example_rule.js'),
}

Assign a Connection to Clients

auth0_connection { 'ExampleConnection':
  clients  => [
    'example_application',
    'another_application',
  ],
  options  => {
    brute_force_protection => true,
    mfa                    => {
      active                 => true,
      return_enroll_settings => true,
    },
  },
  strategy => 'auth0',
}

If you pass keep_extra_clients => true, then clients assigned to that connection in Auth0 but not in Puppet will be retained; otherwise they will be removed. keep_extra_options behaves similarly. However, in either case these only have an effect if you specify a value for the clients or options attributes, respectively; omitting those attributes entirely will leave them untouched.

keep_extra_options performs a non-recursive merge between the options stored in Auth0 and the options you specify; nested hashes such as the mfa hash in the example above will be overwritten even with keep_extra_options, if you provide a value for them.

Usage - Querying Auth0

The auth0_get_client_credentials auth0_get_client_credentials_by_name functions can be used in an Agent or Apply context to retrieve information from Auth0 when configuring your own servers and applications.

auth0_get_client_credentials looks up clients by their puppet_resource_identifier, whereas auth0_get_client_credentials_by_name looks them up by display name.

Retrieve client credentials for a Machine-to-Machine application

With Management API credentials stored in Hiera

auth0::management_client_id: 'abcdef12345678'
auth0::management_client_secret: 'abcedfg12313fgasdt235gargq345qrg4423425413543254535'
auth0::tenant_domain: 'example.auth0.com'

$credentials = auth0_get_client_credentials('example_application')
file { '/etc/example.conf':
  ensure  => present,
  content => epp('profile/example/example.conf.epp', {
    client_id     => $credentials['client_id'],
    client_secret => $credentials['client_secret'],
  }),
}

With Management API credentials provided explicitly

$credentials = auth0_get_client_credentials(
  'example_application',
  'abcdef12345678',
  'abcedfg12313fgasdt235gargq345qrg4423425413543254535',
  'example.auth0.com',
)
file { '/etc/example.conf':
  ensure  => present,
  content => epp('profile/example/example.conf.epp', {
    client_id     => $credentials['client_id'],
    client_secret => $credentials['client_secret'],
  }),
}

Limitations

Resource Names

In order for Puppet to operate, every resource needs an identifier which meets two criteria:

1. It uniquely identifies a specific resource, consistently over time.
2. It can be specified by the sysadmin when creating the resource.

Most Auth0 resource types have a unique identifier which fails the second criterion: for example, the unique identifier for an Auth0 Client resource should be its client_id, but you can't specify the client_id when creating a resource, so it can't be used as a namevar in Puppet (and even if you could, you wouldn't really want to).

In order to work around this for clients we look for a field named puppet_resource_identifier in the client's client_metadata hash, and use that as the namevar. This attribute should be treated as unique and immutable, even if auth0 doesn't force you to.

Rules don't have anything analogous to client_metadata, so we're stuck using the rule's "Display Name" as a namevar. Again, because of this you should treat Rule names as unique and immutable identifiers, even though Auth0 doesn't require you to.

auth0_resource_server resources don't have this problem, since the identifier (aka 'Audience') attribute of a Resource Server is an immutable identifier that can be specified when creating the resource.

Rate Limiting

The ruby-auth0 gem (on which this module is built) doesn't expose enough information during rate-limiting to try dynamically wait out the issue. If rate-limiting is encountered during the puppet run, then further resources which make use of the same API endpoints will fail. This module does do some caching to limit the number of API requests.

Missing Features

Not all aspects of your Auth0 configuration can be managed via their API, not all resource types that can be managed by the API are implemented by this module yet, and not all properties of the implemented resource types are supported yet. Specifically, the following properties are not yet supported by this module:

• from the Clients API:
  • allowed_clients
  • jwt_configuration.scopes
  • encryption_key
  • cross_origin_auth
  • cross_origin_loc
  • custom_login_page_on
  • custom_login_page
  • custom_login_page_preview
  • form_template
  • is_heroku_app
  • addons
  • client_metadata (except for the puppet_resource_identifier)
  • mobile
• from the ResourceServers API:
  • verificationLocation
  • options

License and Authorship

This module was authored by Adam Gardner, and is Copyright (c) 2019 Magic Memories (USA) LLC.

It is distributed under the terms of the Apache-2.0 license; see the LICENSE file for details.

Development

If you run into any problems, open an issue or fork and open a Pull Request.

To be able to run the spec suite during development, first install the necessary dependencies:

bundle install

Then, run the spec suite:

bundle exec rake spec

Reference

Table of Contents

Resource types

• auth0_client: This type provides Puppet with the capabilities to manage Auth0 Client (Application) resources. Note that this resource type makes use of th
• auth0_client_grant: This type provides Puppet with the capabilities to manage client grants. Note that this resource type makes use of the following scopes from
• auth0_connection: This type provides Puppet with the capabilities to manage Auth0 Connections. Note that this resource type makes use of the following scopes
• auth0_resource_server: This type provides Puppet with the capabilities to manage Auth0 Resource Servers (APIs). Note that this resource type makes use of the follo
• auth0_rule: This type provides Puppet with the capabilities to manage Auth0 Rules. Note that this resource type makes use of the following scopes from t

Functions

• auth0_get_client_credentials: Retrieves Client (Application) credentials from the Auth0 Management API.
• auth0_get_client_credentials_by_name: Retrieves Client (Application) credentials from the Auth0 Management API by name.

Resource types

auth0_client

This type provides Puppet with the capabilities to manage Auth0 Client (Application) resources.

Note that this resource type makes use of the following scopes from the Auth0 Management API:

• read:clients
• create:clients
• delete:clients
• update:clients

Properties

The following properties are available in the auth0_client type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

puppet_resource_identifier

Data type: String[0,255]

A unique identifier for this client; stored in the client_metadata hash under the key "puppet_resource_identifier".

display_name

Data type: Pattern[/^[^<>]+$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The name of the client (Application). Does not allow "<" or ">".

description

Data type: Optional[String[0,140]]

Free text description of the purpose of this client.

logo_uri

Data type: Optional[String]

The URL of the client logo (recommended size: 150x150).

callbacks

Data type: Optional[Array[String]]

A set of URLs that are valid to call back from Auth0 when authenticating users. To remove all callbacks you must specify an empty array; leaving this undefined will leave existing callbacks untouched.

keep_extra_callbacks

Data type: Boolean

If true, callbacks set in Auth0 but not in puppet will be left in place.

allowed_origins

Data type: Optional[Array[String]]

A set of URLs that represent valid origins for CORS.

keep_extra_allowed_origins

Data type: Boolean

If true, allowed_origins set in Auth0 but not in puppet will be left in place.

web_origins

Data type: Optional[Array[String]]

A set of URLs that represents valid web origins for use with web message response mode.

keep_extra_web_origins

Data type: Boolean

If true, web_origins set in Auth0 but not in puppet will be left in place.

client_aliases

Data type: Optional[Array[String]]

List of audiences for SAML protocol.

allowed_logout_urls

Data type: Optional[Array[String]]

A set of URLs that are valid to redirect to after logout from Auth0

keep_extra_allowed_logout_urls

Data type: Boolean

If true, allowed_logout_urls set in Auth0 but not in puppet will be left in place.

grant_types

Data type: Optional[Array[String]]

A set of grant types that the client is authorized to use

token_endpoint_auth_method

Data type: Optional[Enum['none','client_secret_post','client_secret_basic']]

Defines the requested authentication methods for the token endpoint.

app_type

Data type: Optional[String]

The type of application this client represents. Common values include "native", "spa" (single-page-application), "non_interactive" (Machine-to-Machine) and "regular_web".

oidc_conformant

Data type: Optional[Boolean]

Whether this client will conform to string OIDC specifications.

jwt_lifetime_in_seconds

Data type: Optional[Integer]

The amount of time (in seconds) that the token will be valid after being issued.

jwt_alg

Data type: Optional[Enum['HS256','RS256']]

The algorithm used to sign the JsonWebToken

sso

Data type: Optional[Boolean]

Whether to use Auth0 instead of the IdP to do single sign on.

sso_disabled

Data type: Optional[Boolean]

Whether to disable Single Sign On

client_id

Data type: String

Auth0 server-side unique identifier for Client.

auth0_client_grant

This type provides Puppet with the capabilities to manage client grants.

Note that this resource type makes use of the following scopes from the Auth0 Management API:

• read:client_grants
• create:client_grants
• delete:client_grants
• update:client_grants
• read:clients

Properties

The following properties are available in the auth0_client_grant type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

audience

Data type: String

The audience (identifier) of the resource server providing the grant.

scopes

Data type: Array[String]

The scopes being granted to the client application.

Default value: []

client_id

Data type: String

Auth0 server-side unique identifier for Client.

Parameters

The following parameters are available in the auth0_client_grant type.

client_resource

namevar

Data type: String

The puppet_resource_identifier of the client application receiving the grant.

auth0_connection

This type provides Puppet with the capabilities to manage Auth0 Connections.

Note that this resource type makes use of the following scopes from the Auth0 Management API:

• read:connections
• create:connections
• delete:connections
• update:connections
• read:clients

Properties

The following properties are available in the auth0_connection type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

strategy

Data type: String

The type of the connection, related to the identity provider; common values include "ad" (Active Directory), "auth0" (Username-Password DB stored by Auth0), "google-oauth2", etc.

options

Data type: Optional[Hash]

A hash of options used to configure the Connection; structure of the hash depends on the selected Strategy.

clients

Data type: Optional[Array[String]]

A list of client resource identifiers for which this connection is enabled.

realms

Data type: Optional[Array[String]]

Defines the realms for which the connection will be used (ie: email domains). If the array is empty or the property is not specified, the connection name will be added as realm.

Parameters

The following parameters are available in the auth0_connection type.

name

namevar

Data type: Pattern[/^([\da-zA-Z]|[\da-zA-Z][\da-zA-Z-]{0,126}[\da-zA-Z])$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The name of the connection. Must start and end with an alphanumeric character and can only contain alphanumeric characters and '-'. Max length 128.

keep_extra_clients

Data type: Boolean

If true, clients enabled for this connection in Auth0 but not in Puppet will be left in place. Only matters is clients property is specified; otherwise clients are always left alone.

keep_extra_options

Data type: Boolean

If true, options stored in Auth0 with no specified value in Puppet will be left as-is. Only matters if options property is specified; otherwise options is always left alone.

auth0_resource_server

This type provides Puppet with the capabilities to manage Auth0 Resource Servers (APIs).

Note that this resource type makes use of the following scopes from the Auth0 Management API:

• read:resource_servers
• create:resource_servers
• delete:resource_servers
• update:resource_servers

Properties

The following properties are available in the auth0_resource_server type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

display_name

Data type: Pattern[/^[^<>]+$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The display name of the resource server.

scopes

Data type: Optional[Hash]

No description given in Auth0 API documentation

signing_alg

Data type: Optional[Enum['HS256','RS256']]

The algorithm used to sign tokens.

signing_secret

Data type: Optional[String]

The secret used to sign tokens when using symmetric algorithms.

allow_offline_access

Data type: Optional[Boolean]

Whether to allow issuance of refresh tokens for this entity.

token_lifetime

Data type: Optional[Integer]

The amount of time (in seconds) that the token will be valid after being issued.

skip_consent

Data type: Optional[Boolean]

Whether this entity allows skipping consent prompt for verifiable first-party clients.

Parameters

The following parameters are available in the auth0_resource_server type.

identifier

namevar

Data type: String

The identifier of the resource server.

auth0_rule

This type provides Puppet with the capabilities to manage Auth0 Rules.

Note that this resource type makes use of the following scopes from the Auth0 Management API:

• read:rules
• create:rules
• delete:rules
• update:rules

Properties

The following properties are available in the auth0_rule type.

ensure

Data type: Enum[present, absent]

Whether this resource should be present or absent on the target system.

Default value: present

script

Data type: String

A script that contains the rule's Javascript code.

order

Data type: Optional[Integer]

The rule's order in relation to other rules. A rule with a lower order than another rule executes first. If no order is provided it will automatically be one greater than the current maximum

run_stage

Data type: Optional[Enum['login_success','login_failure','pre_authorize','user_registration','user_blocked']]

The stage at which the rule will be executed.

Default value: login_success

enabled

Data type: Optional[Boolean]

Whether this rule is enabled

Default value: true

Parameters

The following parameters are available in the auth0_rule type.

name

namevar

Data type: Pattern[/^([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9 -]*[A-Za-z0-9])$/] *this data type contains a regex that may not be accurately reflected in generated documentation

The name of the resource you want to manage.

Functions

auth0_get_client_credentials

Type: Ruby 4.x API

Retrieves Client (Application) credentials from the Auth0 Management API.

• Note This function uses the following scopes from Auth0's Management API:
  • read:clients
  • read:client_keys

auth0_get_client_credentials(String $puppet_resource_identifier, String $management_client_id, String $management_client_secret, String $tenant_domain)

Gets client_id and client_secret for a client specified by its puppet_resource_identifier.

Returns: Optional[Credentials] A Hash with two keys, 'client_id' and 'client_secret', containing the credentials for the requested client. Returns Undef if no client with the requested puppet_resource_identifier could be found.

Examples

Retrieving client credentials.

auth0_get_client_credentials('example_application',$auth0_id,$auth0_secret,'example.auth0.com')

puppet_resource_identifier

Data type: String

The puppet_resource_identifier of the client whose credentials will be retrieved.

management_client_id

Data type: String

The client_id that Puppet should use to access the Auth0 Management API

management_client_secret

Data type: String

The client_secret that Puppet should use to access the Auth0 Management API

tenant_domain

Data type: String

The Auth0 Domain (Tenant) that is being queried.

auth0_get_client_credentials(String $puppet_resource_identifier)

Gets client_id and client_secret for a client specified by its puppet_resource_identifier. Retrieves credentials for the Auth0 Management API from Hiera under the keys 'auth0::management_client_id', 'auth0::management_client_secret' and 'auth0::tenant_domain'.

Returns: Optional[Credentials] A Hash with two keys, 'client_id' and 'client_secret', containing the credentials for the requested client. Returns Undef if no client with the requested puppet_resource_identifier could be found.

Examples

Retrieving client credentials.

auth0_get_client_credentials('Example Application')

puppet_resource_identifier

Data type: String

The name of the client whose credentials will be retrieved

auth0_get_client_credentials_by_name

Type: Ruby 4.x API

Retrieves Client (Application) credentials from the Auth0 Management API by name.

• Note This function uses the following scopes from Auth0's Management API:
  • read:clients
  • read:client_keys

auth0_get_client_credentials_by_name(String $client_name, String $management_client_id, String $management_client_secret, String $tenant_domain)

Gets client_id and client_secret for a client specified by name.

Returns: Optional[Credentials] A Hash with two keys, 'client_id' and 'client_secret', containing the credentials for the requested client. Returns Undef if no client with the requested name could be found.

Examples

Retrieving client credentials.

auth0_get_client_credentials_by_name('Example Application',$auth0_id,$auth0_secret,'example.auth0.com')

client_name

Data type: String

The display name of the client whose credentials will be retrieved

management_client_id

Data type: String

The client_id that Puppet should use to access the Auth0 Management API

management_client_secret

Data type: String

The client_secret that Puppet should use to access the Auth0 Management API

tenant_domain

Data type: String

The Auth0 Domain (Tenant) that is being queried.

auth0_get_client_credentials_by_name(String $client_name)

Gets client_id and client_secret for a client specified by name. Retrieves credentials for the Auth0 Management API from Hiera under the keys 'auth0::management_client_id', 'auth0::management_client_secret' and 'auth0::tenant_domain'.

Returns: Optional[Credentials] A Hash with two keys, 'client_id' and 'client_secret', containing the credentials for the requested client. Returns Undef if no client with the requested name could be found.

Examples

Retrieving client credentials.

auth0_get_client_credentials_by_name('Example Application')

client_name

Data type: String

The name of the client whose credentials will be retrieved

Changelog

All notable changes to this project will be documented in this file.

Release 0.3.5

Bugfix release to fix auth0_get_client_credentials function broken by previous bugfix.

Release 0.3.4

Bugfix release to add missing pagination to requests made for auth0_get_client_credentials function.

Release 0.3.3

Bugfix release to add missing pagination to requests made for auth0_get_client_credentials_by_name function.

Release 0.3.2

Bugfix to allow this to work with both Puppet 5 (Ruby 2.4) and 6 (Ruby 2.5+)

Release 0.3.1

Bugfix Release, fixes patching auth0 clients with JWT token information.

Release 0.3.0

This release adds handling of rate-limit errors and request pagination.

Release 0.2.4

This release improves debug output.

Release 0.2.3

This release adds additional debug output and error handling.

Release 0.2.2

This release adds some missing documentation.

Release 0.2.1

This release adds some missing documentation.

Release 0.2.0

New features:

• Added the ability to manage Auth0 Connections

Release 0.1.3

Bugfix Release

• Ignore the order of scopes in the auth0_client_grant resource.

Release 0.1.2

Bugfix Release

• Don't include the Identifier in the request body when updating a Resource Server.

Release 0.1.1

Bugfix Release

• auth0_client_grant properly outputs a warning rather than raising an exception, when a client has no puppet_resource_identifier.

Release 0.1.0

Initial Release