Module: Auth0::Api::AuthenticationEndpoints

Includes:
ClientAssertion
Defined in:
lib/auth0/api/authentication_endpoints.rb

Overview

https://auth0.com/docs/api/authentication Methods to use the Authentication API

Constant Summary collapse

UP_AUTH =
'Username-Password-Authentication'.freeze
JWT_BEARER =
'urn:ietf:params:oauth:grant-type:jwt-bearer'.freeze
GRANT_TYPE_PASSWORDLESS_OPT =
'http://auth0.com/oauth/grant-type/passwordless/otp'.freeze

Constants included from ClientAssertion

ClientAssertion::CLIENT_ASSERTION_TYPE

Instance Method Summary collapse

Methods included from ClientAssertion

#populate_client_assertion_or_secret

Instance Method Details

#api_token(client_id: @client_id, client_secret: @client_secret, organization: @organization, audience: nil) ⇒ json

Request an API access token using a Client Credentials grant

Parameters:

  • client_id (string) (defaults to: @client_id)

    Client ID for the application

  • client_secret (string) (defaults to: @client_secret)

    Client secret for the application. Ignored if using Client Assertion

  • audience (string) (defaults to: nil)

    API audience to use

  • organization (string) (defaults to: @organization)

    Organization ID

Returns:

  • (json)

    Returns the API token

See Also:



25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/auth0/api/authentication_endpoints.rb', line 25

def api_token(
  client_id: @client_id,
  client_secret: @client_secret,
  organization: @organization,
  audience: nil
)
  request_params = {
    grant_type: 'client_credentials',
    client_id: client_id,
    audience: audience,
    organization: organization
  }

  populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)

  response = request_with_retry(:post, '/oauth/token', request_params)
  ::Auth0::ApiToken.new(response['access_token'], response['scope'], response['expires_in'])
end

#authorization_url(redirect_uri, options = {}) ⇒ url

Return an authorization URL.

Parameters:

  • redirect_uri (string)

    URL to redirect after authorization

  • options (hash) (defaults to: {})

    Can contain response_type, connection, state, organization, invitation, and additional_parameters.

Returns:

  • (url)

    Authorization URL.

Raises:

See Also:



310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
# File 'lib/auth0/api/authentication_endpoints.rb', line 310

def authorization_url(redirect_uri, options = {})
  raise Auth0::InvalidParameter, 'Must supply a valid redirect_uri' if redirect_uri.to_s.empty?

  request_params = {
    client_id: @client_id,
    response_type: options.fetch(:response_type, 'code'),
    connection: options.fetch(:connection, nil),
    redirect_uri: redirect_uri,
    state: options.fetch(:state, nil),
    scope: options.fetch(:scope, nil),
    organization: options.fetch(:organization, @organization),
    invitation: options.fetch(:invitation, nil)
  }.merge(options.fetch(:additional_parameters, {}))

  URI::HTTPS.build(host: @domain, path: '/authorize', query: to_query(request_params))
end

#change_password(email, password, connection_name = UP_AUTH) ⇒ Object

Deprecated.

Use #reset_password instead.

Change a user’s password or trigger a password reset email.

Parameters:

  • email (string)

    User’s current email

  • password (string)

    User’s new password. This is only available on legacy tenants with change password v1 flow enabled

  • connection_name (string) (defaults to: UP_AUTH)

    Database connection name

Raises:

See Also:



212
213
214
215
216
217
218
219
220
221
222
223
# File 'lib/auth0/api/authentication_endpoints.rb', line 212

def change_password(email, password, connection_name = UP_AUTH)
  raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?

  request_params = {
    email: email,
    password: password,
    connection: connection_name,
    client_id: @client_id
  }

  request_with_retry(:post, '/dbconnections/change_password', request_params)
end

#exchange_auth_code_for_tokens(code, redirect_uri: nil, client_id: @client_id, client_secret: @client_secret) ⇒ Auth0::AccessToken

Get access and ID tokens using an Authorization Code.

Parameters:

  • code (string)

    The authentication code obtained from /authorize

  • redirect_uri (string) (defaults to: nil)

    URL to redirect to after authorization.

  • client_id (string) (defaults to: @client_id)

    Client ID for the application

  • client_secret (string) (defaults to: @client_secret)

    Client secret for the application. Ignored if using Client Assertion Required only if it was set at the GET /authorize endpoint

Returns:

  • (Auth0::AccessToken)

    Returns the access_token and id_token

Raises:

See Also:



52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/auth0/api/authentication_endpoints.rb', line 52

def exchange_auth_code_for_tokens(
  code,
  redirect_uri: nil,
  client_id: @client_id,
  client_secret: @client_secret
)
  raise Auth0::InvalidParameter, 'Must provide an authorization code' if code.to_s.empty?

  request_params = {
    grant_type: 'authorization_code',
    client_id: client_id,          
    code: code,
    redirect_uri: redirect_uri
  }

  populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)

  ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
end

#exchange_email_otp_for_tokens(email_address, otp, audience: nil, scope: nil) ⇒ Object

Exchange an OTP recieved through email for ID and access tokens

Parameters:

  • email_address (string)

    The user’s email address used to receive the OTP

  • otp (string)

    The OTP contained in the email

  • audience (string) (defaults to: nil)

    The audience for the access token (defaults to nil)

  • scope (string) (defaults to: nil)

    The scope (defaults to ‘openid profile email’)



125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
# File 'lib/auth0/api/authentication_endpoints.rb', line 125

def exchange_email_otp_for_tokens(email_address, otp, audience: nil, scope: nil)
  request_params = {
    grant_type: GRANT_TYPE_PASSWORDLESS_OPT,
    client_id: @client_id,
    username: email_address,
    otp: otp,
    realm: 'email',
    audience: audience,
    scope: scope || 'openid profile email'
  }

  populate_client_assertion_or_secret(request_params)

  ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
end

#exchange_refresh_token(refresh_token, client_id: @client_id, client_secret: @client_secret) ⇒ Auth0::AccessToken

Get access and ID tokens using a refresh token.

Parameters:

  • refresh_token (string)

    Refresh token to use. Request this with the offline_access scope when logging in.

  • client_id (string) (defaults to: @client_id)

    Client ID for the application

  • client_secret (string) (defaults to: @client_secret)

    Client secret for the application. Ignored if using Client Assertion Required when the Application’s Token Endpoint Authentication Method is Post or Basic.

Returns:

  • (Auth0::AccessToken)

    Returns tokens allowed in the refresh_token

Raises:

See Also:



81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
# File 'lib/auth0/api/authentication_endpoints.rb', line 81

def exchange_refresh_token(
  refresh_token,
  client_id: @client_id,
  client_secret: @client_secret
)
  raise Auth0::InvalidParameter, 'Must provide a refresh token' if refresh_token.to_s.empty?

  request_params = {
    grant_type: 'refresh_token',
    client_id: client_id,
    refresh_token: refresh_token
  }

  populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)

  ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
end

#exchange_sms_otp_for_tokens(phone_number, otp, audience: nil, scope: nil) ⇒ Object

Exchange an OTP recieved through SMS for ID and access tokens

Parameters:

  • phone_number (string)

    The user’s phone number used to receive the OTP

  • otp (string)

    The OTP contained in the SMS

  • audience (string) (defaults to: nil)

    The audience for the access token (defaults to nil)

  • scope (string) (defaults to: nil)

    The scope (defaults to ‘openid profile email’)



104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# File 'lib/auth0/api/authentication_endpoints.rb', line 104

def exchange_sms_otp_for_tokens(phone_number, otp, audience: nil, scope: nil)
  request_params = {
    grant_type: GRANT_TYPE_PASSWORDLESS_OPT,
    client_id: @client_id,
    username: phone_number,
    otp: otp,
    realm: 'sms',
    audience: audience,
    scope: scope || 'openid profile email'
  }

  populate_client_assertion_or_secret(request_params)

  ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
end

#login_with_resource_owner(login_name, password, client_id: @client_id, client_secret: @client_secret, realm: nil, audience: nil, scope: 'openid') ⇒ json

rubocop:disable Metrics/ParameterLists Get access and ID tokens using Resource Owner Password. Requires that your tenant has a Default Audience or Default Directory.

Parameters:

  • login_name (string)

    Email or username for the connection

  • password (string)

    Password

  • client_id (string) (defaults to: @client_id)

    Client ID for the application

  • client_secret (string) (defaults to: @client_secret)

    Client secret for the application. Ignored if using Client Assertion

  • realm (string) (defaults to: nil)

    Specific realm to authenticate against

  • audience (string) (defaults to: nil)

    API audience

  • scope (string) (defaults to: 'openid')

    Scope(s) requested

    • Include an audience (above) for API access scopes

    • Use the default “openid” for userinfo calls

Returns:

  • (json)

    Returns the access_token and id_token

Raises:

See Also:



155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
# File 'lib/auth0/api/authentication_endpoints.rb', line 155

def (
  ,
  password,
  client_id: @client_id,
  client_secret: @client_secret,
  realm: nil,
  audience: nil,
  scope: 'openid'
)

  raise Auth0::InvalidParameter, 'Must supply a valid login_name' if .empty?
  raise Auth0::InvalidParameter, 'Must supply a valid password' if password.empty?

  request_params = {
    username: ,
    password: password,
    client_id: client_id,
    realm: realm,
    scope: scope,
    audience: audience,
    grant_type: realm ? 'http://auth0.com/oauth/grant-type/password-realm' : 'password'
  }

  populate_client_assertion_or_secret(request_params, client_id: client_id, client_secret: client_secret)

  ::Auth0::AccessToken.from_response request_with_retry(:post, '/oauth/token', request_params)
end

#logout_url(return_to, include_client: false, federated: false) ⇒ url

Returns an Auth0 logout URL with a return URL.

Parameters:

  • return_to (string)

    URL to redirect after logout.

  • include_client (bool) (defaults to: false)

    Include the client_id in the logout URL.

  • federated (boolean) (defaults to: false)

    Perform a federated logout.

Returns:

  • (url)

    Logout URI

See Also:



349
350
351
352
353
354
355
356
357
358
359
360
361
# File 'lib/auth0/api/authentication_endpoints.rb', line 349

def logout_url(return_to, include_client: false, federated: false)
  request_params = {
    returnTo: return_to,
    client_id: include_client ? @client_id : nil,
    federated: federated ? '1' : nil
  }

  URI::HTTPS.build(
    host: @domain,
    path: '/v2/logout',
    query: to_query(request_params)
  )
end

#par_authorization_url(request_uri) ⇒ Object

Return an authorization URL for PAR requests

Parameters:

  • request_uri (string)

    The request_uri as obtained by calling ‘pushed_authorization_request`

  • additional_parameters

    Any additional parameters to send

Raises:

See Also:



331
332
333
334
335
336
337
338
339
340
# File 'lib/auth0/api/authentication_endpoints.rb', line 331

def par_authorization_url(request_uri)
  raise Auth0::InvalidParameter, 'Must supply a valid request_uri' if request_uri.to_s.empty?

  request_params = {
    client_id: @client_id,
    request_uri: request_uri,
  }

  URI::HTTPS.build(host: @domain, path: '/authorize', query: to_query(request_params))
end

#pushed_authorization_request(parameters = {}) ⇒ url

Make a request to the PAR endpoint and receive a ‘request_uri` to send to the ’/authorize’ endpoint.

Parameters:

  • redirect_uri (string)

    URL to redirect after authorization

  • options (hash)

    Can contain response_type, connection, state, organization, invitation, and additional_parameters.

Returns:

  • (url)

    Authorization URL.

See Also:



368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
# File 'lib/auth0/api/authentication_endpoints.rb', line 368

def pushed_authorization_request(parameters = {})
  request_params = {
    client_id: @client_id,
    response_type: parameters.fetch(:response_type, 'code'),
    connection: parameters.fetch(:connection, nil),
    redirect_uri: parameters.fetch(:redirect_uri, nil),
    state: parameters.fetch(:state, nil),
    scope: parameters.fetch(:scope, nil),
    organization: parameters.fetch(:organization, nil),
    invitation: parameters.fetch(:invitation, nil)
  }.merge(parameters.fetch(:additional_parameters, {}))

  populate_client_assertion_or_secret(request_params)
  
  request_with_retry(:post_form, '/oauth/par', request_params, {})
end

#reset_password(email, connection_name = UP_AUTH, client_id = @client_id) ⇒ Object

Trigger a password reset email.

Parameters:

  • email (string)

    User’s current email

  • connection_name (string) (defaults to: UP_AUTH)

    Database connection name

  • client_id (string) (defaults to: @client_id)

    Client ID override (to allow forwarding to a different application’s login URI on password reset success page)

Raises:

See Also:



232
233
234
235
236
237
238
239
240
241
242
# File 'lib/auth0/api/authentication_endpoints.rb', line 232

def reset_password(email, connection_name = UP_AUTH, client_id = @client_id)
  raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?

  request_params = {
    email: email,
    connection: connection_name,
    client_id: client_id
  }

  request_with_retry(:post, '/dbconnections/change_password', request_params)
end

#saml_metadataxml

Retrive SAML 2.0 metadata XML for an Application.

Returns:

  • (xml)

    SAML 2.0 metadata

See Also:



287
288
289
# File 'lib/auth0/api/authentication_endpoints.rb', line 287

def 
  request_with_retry(:get, "/samlp/metadata/#{@client_id}")
end

#samlp_url(connection = UP_AUTH) ⇒ url

Return a SAMLP URL. The SAML Request AssertionConsumerServiceURL will be used to POST back the assertion and it must match with the application callback URL.

Parameters:

  • connection (string) (defaults to: UP_AUTH)

    Connection to use; empty to show all

Returns:

  • (url)

    SAMLP URL

See Also:



391
392
393
394
395
396
# File 'lib/auth0/api/authentication_endpoints.rb', line 391

def samlp_url(connection = UP_AUTH)
  request_params = {
    connection: connection
  }
  URI::HTTPS.build(host: @domain, path: "/samlp/#{@client_id}", query: to_query(request_params))
end

#signup(email, password, connection_name = UP_AUTH) ⇒ json

Sign up with a database connection using a username and password.

Parameters:

  • email (string)

    New user’s email

  • password (string)

    New user’s password

  • connection_name (string) (defaults to: UP_AUTH)

    Database connection name

Returns:

  • (json)

    Returns the created user

Raises:

See Also:



190
191
192
193
194
195
196
197
198
199
200
201
202
# File 'lib/auth0/api/authentication_endpoints.rb', line 190

def (email, password, connection_name = UP_AUTH)
  raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?
  raise Auth0::InvalidParameter, 'Must supply a valid password' if password.to_s.empty?

  request_params = {
    email: email,
    password: password,
    connection: connection_name,
    client_id: @client_id
  }

  request_with_retry(:post, '/dbconnections/signup', request_params)
end

#start_passwordless_email_flow(email, send = 'link', auth_params = {}) ⇒ Object

Start Passwordless email login flow.

Parameters:

  • email (string)

    Email to send a link or code

  • send (string) (defaults to: 'link')

    Pass ‘link’ to send a magic link, ‘code’ to send a code

  • auth_params (hash) (defaults to: {})

    Append or override the magic link parameters

Raises:

See Also:



250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
# File 'lib/auth0/api/authentication_endpoints.rb', line 250

def start_passwordless_email_flow(email, send = 'link', auth_params = {})
  raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?

  request_params = {
    email: email,
    send: send,
    authParams: auth_params,
    connection: 'email',
    client_id: @client_id,
  }

  populate_client_assertion_or_secret(request_params)

  request_with_retry(:post, '/passwordless/start', request_params)
end

#start_passwordless_sms_flow(phone_number) ⇒ Object

Start Passwordless SMS login flow.



270
271
272
273
274
275
276
277
278
279
280
281
282
# File 'lib/auth0/api/authentication_endpoints.rb', line 270

def start_passwordless_sms_flow(phone_number)
  raise Auth0::InvalidParameter, 'Must supply a valid phone number' if phone_number.to_s.empty?

  request_params = {
    phone_number: phone_number,
    connection: 'sms',
    client_id: @client_id,
  }

  populate_client_assertion_or_secret(request_params)

  request_with_retry(:post, '/passwordless/start', request_params)
end

#userinfo(access_token) ⇒ json

Return the user information based on the Auth0 access token.

Returns:

  • (json)

    User information based on the Auth0 access token

See Also:



301
302
303
# File 'lib/auth0/api/authentication_endpoints.rb', line 301

def userinfo(access_token)
  request_with_retry(:get, '/userinfo', {}, 'Authorization' => "Bearer #{access_token}")
end

#validate_id_token(id_token, algorithm: nil, leeway: 60, nonce: nil, max_age: nil, issuer: nil, audience: nil, organization: @organization) ⇒ Object

rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/ParameterLists

Parameters:

  • leeway (integer) (defaults to: 60)

    The clock skew to accept when verifying date related claims in seconds. Must be a non-negative value. Defaults to *60 seconds*.

  • nonce (string) (defaults to: nil)

    The nonce value sent during authentication.

  • max_age (integer) (defaults to: nil)

    The max_age value sent during authentication. Must be a non-negative value.

  • issuer (string) (defaults to: nil)

    The expected issuer claim value. Defaults to https://YOUR_AUTH0_DOMAIN/.

  • audience (string) (defaults to: nil)

    The expected audience claim value. Defaults to your *Auth0 Client ID*.

  • organization (string) (defaults to: @organization)

    Organization ID Defaults to your *Auth0 Organization ID*.



436
437
438
439
440
441
442
443
444
445
446
447
448
449
# File 'lib/auth0/api/authentication_endpoints.rb', line 436

def validate_id_token(id_token, algorithm: nil, leeway: 60, nonce: nil, max_age: nil, issuer: nil, audience: nil, organization: @organization)
  context = {
    issuer: issuer || "https://#{@domain}/",
    audience: audience || @client_id,
    algorithm: algorithm || Auth0::Algorithm::RS256.jwks_url("https://#{@domain}/.well-known/jwks.json"),
    leeway: leeway
  }

  context[:nonce] = nonce unless nonce.nil?
  context[:max_age] = max_age unless max_age.nil?
  context[:organization] = organization unless !organization

  Auth0::Mixins::Validation::IdTokenValidator.new(context).validate(id_token)
end

#wsfed_metadataxml

Retrieve WS-Federation metadata XML for a tenant.

Returns:

  • (xml)

    WS-Federation metadata

See Also:



294
295
296
# File 'lib/auth0/api/authentication_endpoints.rb', line 294

def 
  request_with_retry(:get, '/wsfed/FederationMetadata/2007-06/FederationMetadata.xml')
end

#wsfed_url(connection = UP_AUTH, options = {}) ⇒ url

Return a WS-Federation URL.

Parameters:

  • connection (string) (defaults to: UP_AUTH)

    Connection to use; empty to show all

  • options (hash) (defaults to: {})

    Extra options; supports wtrealm, wctx, wreply

Returns:

  • (url)

    WS-Federation URL

See Also:



403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
# File 'lib/auth0/api/authentication_endpoints.rb', line 403

def wsfed_url(connection = UP_AUTH, options = {})
  request_params = {
    whr: connection,
    wtrealm: options[:wtrealm],
    wctx: options[:wctx],
    wreply: options[:wreply]
  }

  url_client_id = @client_id unless request_params[:wtrealm]
  URI::HTTPS.build(
    host: @domain,
    path: "/wsfed/#{url_client_id}",
    query: to_query(request_params)
  )
end