Add native support for Auth0

Created on 14 December 2022, about 2 years ago
Updated 14 July 2024, 5 months ago

Auth0 is another OpenID Connect SSO service / IDP, just like Okta. (In fact, Okta bought Auth0 recently.) The Generic plugin gets us most of the way there, but not 100% because Auth0 is doing something off-spec. So let's add native support for Auth0 here.

Remaining tasks

  1. Add a general config checkbox (not specifically for the Auth0 config): Hide login method on login form, and just say "Login" if there's only one login method? This provides a better UX if users don't need to know or care about the method.

Original report

https://www.drupal.org/project/openid_connect/issues/3327237 Add native support for Auth0 Needs review

I have a few questions that are all somewhat related. I've been working with Auth0 through this module, and though the 1.2 version of this module and the "generic" client were enough to login, we needed the role mapping that was available in the now unsupported auth0 module. I also needed a way to override the button text for the block.

I created a sandbox project to add that functionality in https://www.drupal.org/sandbox/asherry/3327222

My questions are:

  1. Is it even in line with the vision of this module to have modules that extend it?
  2. When you place the OpenID connect block and it says "Login with [provider]", is it of any value to be able to override this? This module I'm creating does, but, if it's something that might be useful for any provider I could put together a patch for the core module instead.
Feature request
Status

RTBC

Version

3.0

Component

Code

Created by

🇺🇸United States asherry

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Assigned to colan
  • Status changed to Needs review almost 2 years ago
  • Status changed to Active almost 2 years ago
  • Status changed to Needs review almost 2 years ago
  • 🇨🇦Canada colan Toronto 🇨🇦

    Everything that I know needs to get done is now done so feel free to review & test. I'm going to start testing it myself now.

  • Status changed to Needs work almost 2 years ago
  • 🇵🇹Portugal jcnventura

    Please take care of the problem described in 🐛 Auth0 users can log in without e-mail verification even when it's required Closed: duplicate in this issue.

  • Status changed to Needs review almost 2 years ago
  • 🇨🇦Canada colan Toronto 🇨🇦

    Fair enough if you think that's an Auth0 thing, but can we handle these separately? Do this one first, and the other as a follow-up? I'd like to get this one in, and probably won't be working on the other one due to time constraints (and the workaround).

  • 🇨🇦Canada colan Toronto 🇨🇦

    The first commit above is necessary because until now, the error description just goes in the log and users don't see it. However, what can get returned is:

    Please verify your email before logging in.

    Also, I hate it when I get a message saying that there's an error without telling me what the error is. This fixes that problem.

    From a security perspective, I don't believe we're leaking anything problematic here; it's just the reason the login is failing, which users have a right to know. And security through obscurity doesn't work anyway.

    The second commit adds docs to the Auth0 form, telling admins how to configure their Auth0 accounts to enforce e-mail verification. (It's actually trivial, and I don't think it's worth figuring out how to handle this on the Drupal side, especially if it's just for this one IDP so I'm just handling it in this issue.)

  • 🇨🇦Canada colan Toronto 🇨🇦

    Anyone know what's going on with that CI error? Testbot isn't running.

  • 🇨🇦Canada colan Toronto 🇨🇦

    This is now good to go as I believe I've tested the basic scenarios, and everything seems to be fine. Please review the code and test yourself!

    I did, however, run into 🐛 Cannot enforce IDP-only account creation Needs work , but I don't believe that's specific to this plugin (so that's why I created a separate issue).

  • 🇨🇦Canada colan Toronto 🇨🇦

    Here's the MR as a patch for Composer.

  • 🇨🇦Canada colan Toronto 🇨🇦
  • 🇨🇦Canada colan Toronto 🇨🇦

    Lastest MR as a patch for Composer.

    Edit: Don't review the code here as it's the multiple-patch file from Gitlab; it'd be confusing. Look at the MR instead.

  • Status changed to RTBC 11 months ago
  • 🇮🇹Italy bigbabert Milano, Italy

    Hi,
    I've tested latest patch and work good!
    there is a way to anonymize username and email stored in Drupal from auth0?
    Thanks for the support

  • 🇵🇹Portugal jcnventura

    Anonymizing the username and email are a bit out of scope of the module.. The objective here is to allow an external ID provider to "vouch" for a user that is then created in Drupal. That Drupal user should have at least a real e-mail so that any functionality depending on that from Drupal's side can still work.

    You are of course free to create a patch to anonymize that data in your own site by hacking into the relevant lines in this plugin, but you'll have to maintain that site-specific modification on your own.

    In any case, thanks for finally marking this as "Reviewed & tested by the community"

  • 🇺🇸United States John Franklin

    Is there a more generic way we could implement the logout query override so the plugins are returning the URL or maybe just the query parameters rather than implementing a non-standard hook_alter? We already have OpenIDConnectClientBase::getRedirectUrl() At first I thought a getRedirectLogoutUrl() would work, but the URL requires the path from the main openid_connect settings, which feels inappropriate to read from inside a plugin. Maybe OpenIDConnectClientBase::getLogoutUrlOptions() similar to OpenIDConnectClientBase::getUrlOptions()?

    Noting here: Login_gov also needs to fix up the logout redirect parameters in a very similar way. 🐛 Handle logout URL Active depends on the alterLogoutRedirectionQuery(). I'm going to hold off merging the login_gov MR until this one is finalized.

Production build 0.71.5 2024