Ali Baba and the Forty Thieves is a famous tale from One Thousand and One Nights (Arabian Nights). Ali Baba, a poor woodcutter, accidentally discovers a hidden cave belonging to a group of thieves. He overhears their leader say the magic words, “Open, Simsim!” (or “Open Sesame!”), to reveal a treasure-filled cavern. After the thieves leave, Ali Baba enters, takes some treasure, and returns home.
The story originates from the medieval Arabic One Thousand and One Nights, though it was likely added by the French translator Antoine Galland in the 18th century. It reflects Middle Eastern oral storytelling traditions, emphasizing themes of fate, cleverness, and moral justice. The tale has endured as a classic of folklore, influencing literature, films, and popular culture worldwide.
This project demonstrates authenticating against Okta (auth0.com) using their free developer accounts.
The Angular SPA (ui/ng-ui) has both protected and unprotected routes, and will redirect to auth0.com login page. Once a JWT is obtained, it will use that for calling protected services (services/*).
The services (Spring or Quarkus) serve an unprotected endpoint (/public), mainly to deliver application configuration to the client UI app. The other resources (/api) are protected and use the configured Auth0 Client Domain as the issuer URI when validating the JWT.
A few notes about OIDC.
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name and picture.
Standard claims included in the most commonly used scopes are listed below. For a full list of available standard claims, read the OIDC specification: Standard Claims on openid.net. For a full list of scopes, see the OIDC specification: Requesting Claims Using Scope Values on openid.net.
Standard Claims:
| Scope | Claims |
|---|---|
| openid | (required) Returns the sub claim, which uniquely identifies the user. In an ID Token, the iss, aud, exp, iat, and at_hash claims will also be present. To learn more about the ID Token claims, read ID Token Structure. |
| profile | Returns claims that represent basic profile information, including name, family_name, given_name, middle_name, nickname, picture, and updated_at. |
| email | Returns the email claim, which contains the user's email address, and email_verified, a boolean indicating whether the email address was verified by the user. |
More reading:
- Spring Boot API: Using Your API
- Sample Use Cases: Actions with Authorization
- Auth0 - Getting Started
- OpenID Connect (OIDC) scopes
- Add Login to Your Angular Application
- Angular Authentication By Example
- Single-Page Applications (SPA) with API
Head over to okta.com/auth0.com and create a developer account.
Auth0/Okta application setup:
Once in your dashboard, create a new application of type "Single Page Application":
Applications->Applications->Create Application
- Name: Ali Baba's Secret Treasure
Read more from Auth0's Documentation
> [!WARNING]
> When using the Default App with a Native or Single Page Application, ensure to update the Token Endpoint Authentication Method to None and set the Application Type to either SPA or Native.
- Allowed Callback URLs: http://localhost:4200
- Allowed Logout URLs: http://localhost:4200
- Allowed Web Origins: http://localhost:4200
Make note of the following information, which you'll need to configure the services and Angular applications.
- Domain
- Client ID
Applications->API->Create API
- Name: ali-baba
- Identifier: http://localhost:4200/api
Add the following permissions:
- see:thieves-treasure
- see:alibaba-treasure
- take:thieves-treasure
Make note of the Identifier/audience.
User Management->Roles->Create Role
- Name: treasure-hunter
Add API permissions to roles:
User Management->Users->Create User
Assign User Roles:
View inherited permissions:
A login trigger is needed to modify the tokens so that they include the user's roles; otherwise the tokens will only contain permissions. Read more about adding roles in Auth0's documentation: Add user roles to tokens.
Actions->Trigger->post-login
Add Action, choose Build from scratch:
Create Trigger Action:
- Name: Add Roles To Tokens
- Trigger: Login / Post Login
- Runtime: Recommended Node version
Paste the following code, replacing the namespace with whatever you want:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'your-namespace.example.com'; // Can be anything
  // event.authorization carries the roles assigned to the user; guard against it being absent.
  if (event.authorization) {
    // Write the roles into both tokens under the namespaced claim name.
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};
```
After you save, the action will appear to the right of the Post Login trigger pipeline. Drag-and-drop it into the pipeline:
Save changes.
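To see what the Action above actually writes, and to confirm the point that without it (or when no authorization data is present) the tokens carry only permissions, here is an added harness that is not part of the project: it runs the same Action body against a mock of the Auth0 `api` object and returns the custom claims, then reads them back the way a consumer of the token would. The mock `api`, the `runAction` and `rolesFrom` helpers, and the two login events are all constructed for this example.

```javascript
// Added example, not the project's code: exercise the post-login Action with a
// mock `api` so the claims it writes can be inspected without an Auth0 tenant.
const namespace = 'your-namespace.example.com'; // same placeholder as in the Action

// The Action body from the page, with the namespace hoisted so the harness can reuse it.
const onExecutePostLogin = async (event, api) => {
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
};

// Minimal stand-in for the Auth0 `api` object: records custom claims per token.
function mockApi() {
  const idToken = {};
  const accessToken = {};
  return {
    idToken: { setCustomClaim: (name, value) => { idToken[name] = value; } },
    accessToken: { setCustomClaim: (name, value) => { accessToken[name] = value; } },
    claims: () => ({ idToken, accessToken }),
  };
}

// Run the Action for one login event and return the custom claims it produced.
// The Action contains no await, so its setCustomClaim calls complete before it returns
// even though it is declared async; the returned promise can therefore be ignored here.
function runAction(event) {
  const api = mockApi();
  onExecutePostLogin(event, api);
  return api.claims();
}

// Reader side: what a service or the SPA does to pull roles out of a decoded token payload.
// Returns [] when the namespaced claim is missing, so callers never branch on undefined.
function rolesFrom(claims, ns = namespace) {
  const roles = claims[`${ns}/roles`];
  return Array.isArray(roles) ? roles : [];
}

// Constructed events: a user holding the treasure-hunter role, and a login where
// Auth0 supplied no authorization data (no roles end up in either token).
const withRole = { authorization: { roles: ['treasure-hunter'] } };
const withoutAuthz = {};

function demoRoles() {
  const a = runAction(withRole);
  const b = runAction(withoutAuthz);
  return {
    rolesInAccessToken: rolesFrom(a.accessToken), // ['treasure-hunter']
    rolesInIdToken: rolesFrom(a.idToken),         // ['treasure-hunter']
    rolesWhenAbsent: rolesFrom(b.accessToken),    // []
  };
}

console.log(demoRoles());
```

The namespaced claim name is what the services and the Angular app must agree on; a consumer that reads `roles` without the namespace prefix will simply see no roles, which is why `rolesFrom` falls back to an empty list rather than failing.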
Rename ./scripts/auth0-config-sample.sh to ./scripts/auth0-config.sh and set the configurations used/generated with the Auth0 configuration:
```sh
AUTH0_DOMAIN="client-domain"
AUTH0_EMAIL="[email protected]"
AUTH0_PASSWORD="yourpassword"
AUTH0_AUDIENCE="identifier (audience)"
AUTH0_CLIENT_ID="client-id"
```
Then follow the instructions at ./services/spring-boot-ali-babas-secret/README.md