Authentication
Authentication is handled by the Auth0 cloud service. The free plan is more than enough for most scenarios, and Requarks does not require any features specific to paid plans. We believe this is the most secure and flexible option.
Why Auth0?
Nowadays, most users want to log in with existing credentials from social services such as Google, Microsoft or Facebook, while companies want to use their AD / LDAP logins. Implementing all of these connectors is tedious and complex, especially when it comes to maintaining them over time. Auth0 integrates most social, enterprise and local database connectors.
Also, for something as critical as authentication, it makes more sense to delegate it to a well-known third party that employs security experts and implements current, widely reviewed standards. Applications that implement authentication internally often fall short on this point and become vulnerable if they are not patched quickly.
Finally, we wanted a service that was free to use. While companies may go toward paid plans for enterprise-level features, the majority of users won't need it.
We may implement a local authentication option in the future, but it isn't planned for now.
Configuration
1. Create a new application
- If not done already, create an Auth0 account. The free plan is sufficient for most scenarios.
- From the Auth0 dashboard, click on Applications and create a new application (e.g. Requarks).
- Once the application is created, go to the Settings tab. Make note of the Domain, Client ID and Client Secret, we'll need them later.
- In the Allowed Callback URLs field, enter the full URL of the application followed by /auth_callback (e.g. http://my.domain.com/auth_callback ). Use https wherever possible, since the authorization code is delivered to this URL, and enter the scheme and host exactly as users will reach the application: Auth0 only redirects to URLs that match this list.
- In the Allowed Logout URLs field, enter the full URL of the application (e.g. http://my.domain.com/ )
- Save changes.
2. Configure connections
- From the Auth0 dashboard, click on Connections > Database and create a new DB connection.
- Make sure the Disable Sign Ups option is active. Unless you have a sign-up workflow and proper controls in place for new registrations, leaving this option off means anyone who can reach the login page can register an account and use Requarks!
- Enable the application you created earlier to use this connection by activating the toggle under the Application Using this Connection section.
- Optional - Add and configure additional social / enterprise connections as needed. The email address attribute is required.
Use of an existing database
You can use an existing database, used by other applications. However, make sure your other applications do not conflict with, or modify user/app metadata managed by Requarks. Doing so can result in strange behaviors or a broken installation.
3. Administrator account
The administrator account can be either a new account in the database connection you created earlier or an existing identity from a social / enterprise connection:
- DB: From the Auth0 dashboard, click on Users and create a new User. Fill in the details and use the database connection you created earlier.
- Social / Enterprise: From the Auth0 dashboard, click on Connections > Social / Enterprise. Click on the Try button next to the connection you wish to use. You will be prompted to authorize the application you just created to login with your social / enterprise connection. Once logged in, the account will be added to the list of users.
Once the user is created / added, navigate to Users. Click on the newly added user, and under the Identity Provider Attributes section, make note of the user_id value, we'll need it later.
4. Create API Token
Browse to the Auth0 API Explorer. From the top left section, add the following scopes:
- users > read (read:users)
- users > update (update:users)
- users > delete (delete:users)
- users > create (create:users)
- users_app_metadata > read (read:users_app_metadata)
- users_app_metadata > update (update:users_app_metadata)
- users_app_metadata > delete (delete:users_app_metadata)
- users_app_metadata > create (create:users_app_metadata)
- user_tickets > create (create:user_tickets)
- connections > read (read:connections)
- stats > read (read:stats)
Make note of the token generated (just below Token Generator); we'll need it later. This token grants create, update and delete rights on every user in the tenant, so treat it with the same care as the Client Secret: do not commit it to version control or paste it into tickets or chat.
5. Requarks Setup
You now have all the required information for Auth0 to enter during Requarks setup: the Domain, Client ID and Client Secret from step 1, the administrator's user_id from step 3, and the API token from step 4.
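As an added check, written for this page and not part of Requarks or Auth0: a small Node.js script that inspects the values gathered in steps 1 to 4 before you type them into setup. It decodes the claims of the API token locally and lists any of the step 4 scopes the token does not carry, and it validates the callback URL from step 1 (absolute, https, path exactly /auth_callback, no query or fragment). The environment variable names AUTH0_API_TOKEN and REQUARKS_CALLBACK and the sample token are assumptions made here; the scope check relies on the Management API token being a JWT whose scope claim is a space-separated list, which is how Auth0 issues them.

```javascript
// Added sanity check (not Requarks code): validate the Auth0 values from steps 1-4
// before entering them into Requarks setup. Run with: node check-auth0.js
// Assumption (not from the Requarks docs): the API token is a JWT whose "scope"
// claim is a space-separated string, as Auth0 Management API tokens are.

// The Management API scopes that step 4 asks for.
const REQUIRED_SCOPES = [
  'read:users', 'update:users', 'delete:users', 'create:users',
  'read:users_app_metadata', 'update:users_app_metadata',
  'delete:users_app_metadata', 'create:users_app_metadata',
  'create:user_tickets', 'read:connections', 'read:stats',
];

// JWT segments are base64url without padding; Buffer only speaks base64.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Read the claims of a JWT. This does NOT verify the signature: we only inspect a
// token we generated ourselves, and Auth0 verifies it on every API call anyway.
function decodeJwtPayload(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('token is not a three-part JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Scopes from step 4 that the token does not carry (empty array means all present).
function missingScopes(token) {
  const granted = String(decodeJwtPayload(token).scope || '').split(' ').filter(Boolean);
  return REQUIRED_SCOPES.filter((s) => !granted.includes(s));
}

// Problems with the Allowed Callback URL from step 1 (empty array means OK).
function checkCallbackUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return ['not an absolute URL']; }
  const problems = [];
  if (parsed.protocol !== 'https:') {
    problems.push('not https: the authorization code is returned to this URL in clear text');
  }
  if (parsed.pathname !== '/auth_callback') problems.push('path must be exactly /auth_callback');
  if (parsed.search || parsed.hash) problems.push('remove query string / fragment: Auth0 matches callback URLs exactly');
  return problems;
}

// Constructed sample token for offline use: fake signature, never accepted by Auth0.
function makeSampleToken(scopes) {
  const header = b64urlEncode({ alg: 'HS256', typ: 'JWT' });
  const payload = b64urlEncode({ iss: 'https://example.auth0.com/', scope: scopes.join(' ') });
  return `${header}.${payload}.c2lnbmF0dXJl`; // trailing segment is just "signature" in base64
}

if (typeof require !== 'undefined' && require.main === module) {
  // Without real values, fall back to a constructed token that lacks the last two scopes
  // and to the plain-http callback from the docs, so both checks report something.
  const token = process.env.AUTH0_API_TOKEN || makeSampleToken(REQUIRED_SCOPES.slice(0, 9));
  const callback = process.env.REQUARKS_CALLBACK || 'http://my.domain.com/auth_callback';
  console.log('missing scopes:', missingScopes(token));
  console.log('callback problems:', checkCallbackUrl(callback));
}
```

Decoding the payload without checking the signature is acceptable here only because the token is one you just generated and are inspecting for yourself; never use this pattern to trust a token presented by a client.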