DEV Community: Amin Abbaspour The latest articles on DEV Community by Amin Abbaspour (@amin). https://dev.to/amin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F359953%2F518b8cd6-d618-413d-afc2-c88d9d59f18e.jpg DEV Community: Amin Abbaspour https://dev.to/amin en Atlassian SAML SSO with Auth0 IdP Amin Abbaspour Tue, 14 Apr 2020 07:58:03 +0000 https://dev.to/amin/atlassian-saml-sso-with-auth0-idp-2jg6 https://dev.to/amin/atlassian-saml-sso-with-auth0-idp-2jg6 <h1> Atlassian SAML SSO with Auth0 IdP </h1> <p>In this article we'll look at how to configure <a href="https://www.auth0.com">Auth0</a> as SAML 2.0 SSO IdP for Atlassian.</p> <h2> Prerequisite </h2> <p>Inside your <a href="https://admin.atlassian.com">Atlassian Organisation</a> you should have:</p> <ol> <li>A verified domain</li> <li><a href="https://www.atlassian.com/software/access">Atlassian Access</a></li> </ol> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--VYAqpGsC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/00-atlassian-prerequisite-access.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--VYAqpGsC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/00-atlassian-prerequisite-access.png" alt="Atlassian Access Cloud Installed"></a></p> <h2> Setup </h2> <h3> Step 1. Auth0 IdP Client </h3> <p>Create a "Regular Web Application" in Auth0</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--sesV2txk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/01-create-rwa-app.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--sesV2txk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/01-create-rwa-app.png" alt="01-create-rwa-app"></a></p> <h3> Step 2. Add Connections to your App </h3> <p>Make sure that correct set of Auth0 connections are associated to your IdP app.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--uHmN_7rk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/02-app-connections.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--uHmN_7rk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/02-app-connections.png" alt="02-app-connections"></a></p> <h3> Step 3. Enable SAML2 Addon </h3> <p>Go to application's Addons tab and enable <em>SAML2 Web App</em>.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--cwk_KuWe--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/03-saml2-addon.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--cwk_KuWe--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/03-saml2-addon.png" alt="03-saml2-addon"></a></p> <h3> Step 4. IdP Metadata </h3> <p>Go to <em>Usage</em> section in addon configuration. Here you find information to populate SAML metadata in Atlassian Access.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--3hEzsgF7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/04-addon-usage.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--3hEzsgF7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/04-addon-usage.png" alt="04-addon-usage"></a></p> <h3> Step 5. Add SAML Connection in Atlassian </h3> <p>In <a href="https://admin.atlassian.com">Atlassian Admin</a> dashboard, go to <code>Organization &gt; Security &gt; SAML single sign-on</code></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9XcQnLAg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/05-add-saml.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9XcQnLAg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/05-add-saml.png" alt="05-add-saml"></a></p> <h3> Step 6. Populate Configuration </h3> <p>Copy configs from addon usage page (step 4) to SAML configuration.</p> <ul> <li> <code>Identity provider Entity ID</code> =&gt; <code>urn:TENANT.auth0.com</code> </li> <li> <code>Identity provider SSO URL</code> =&gt; <code>https://TENANT.auth0.com/samlp/APP_ID</code> </li> <li> <code>Public x509 certificate</code> =&gt; Content from tenant's <code>/pem</code> <a href="https://TENANT.auth0.com/pem">https://TENANT.auth0.com/pem</a> </li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--x84fMlj3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/06-config-saml.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--x84fMlj3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/06-config-saml.png" alt="06-config-saml"></a></p> <h3> Step 7. Get SP Assertion Consumer Service URL </h3> <p>Once configuration saves, you'll see a summary page, copy <code>SP Assertion Consumer Service URL</code></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--OEqyVst5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/07-idp-url.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--OEqyVst5--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/07-idp-url.png" alt="07-ACS"></a></p> <h3> Step 8. Configure Application Callback URL in Auth0 SAML2 Addon </h3> <p>Go back to <a href="https://manage.auth0.com">Auth0 dashboard</a> for your application's SAML2 addon setup tab and<br> paste:</p> <ul> <li> <code>SP Assertion Consumer Service URL</code> =&gt; <code>Application Callback URL</code> </li> </ul> <p>And populate metadata mapping file into <code>Settings</code> section and <em>Save</em></p> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mappings"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"user_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"</span><span class="p">,</span><span class="w"> </span><span class="nl">"given_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"</span><span class="p">,</span><span class="w"> </span><span class="nl">"family_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"nameIdentifierProbes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"</span><span class="p">,</span><span class="w"> </span><span class="s2">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"</span><span class="p">,</span><span class="w"> </span><span class="s2">"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"nameIdentifierFormat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"urn:oasis:names:tc:SAML:2.0:nameid-format:email"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--16wYY6sv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/08-settings.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--16wYY6sv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/08-settings.png" alt="08-addon-settings"></a></p> <h3> Step 9. Try Sign in with Verified Domain Email </h3> <p>Visit <a href="https://id.atlassian.com/">id.atlassian.com</a> and login with a <code>user@your-verified-domain.com</code></p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--5jkpInm7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/09-try-with-email.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--5jkpInm7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/09-try-with-email.png" alt="09-try-with-email"></a></p> <h3> Step 10. Login with SAML IdP and return to Atlassian </h3> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--9PdPJbIq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/10-success.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--9PdPJbIq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/abbaspour/dev.to/master/blog-posts/2020-04-14-atlassian/assets/10-success.png" alt="10-success"></a></p> auth0 atlassian saml idp Playing with Spotify API and Auth0 Amin Abbaspour Tue, 14 Apr 2020 07:58:02 +0000 https://dev.to/amin/playing-with-spotify-api-and-auth0-5hhf https://dev.to/amin/playing-with-spotify-api-and-auth0-5hhf <h2> Registration </h2> <p>Head to <a href="https://developer.spotify.com/dashboard" rel="noopener noreferrer">https://developer.spotify.com/dashboard</a> and create an app. Set callback URL to <a href="https://jwt.io" rel="noopener noreferrer">https://jwt.io</a></p> <p>Reference <a href="https://developer.spotify.com/documentation/general/guides/authorization-guide/" rel="noopener noreferrer">https://developer.spotify.com/documentation/general/guides/authorization-guide/</a></p> <h2> OAuth 2.0 Flow </h2> <h3> Implicit flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/abbaspour/auth0-bash.git <span class="nb">cd </span>auth0-bash/login ./authorize.sh <span class="nt">-d</span> https://accounts.spotify.com <span class="se">\</span> <span class="nt">-c</span> 6e57bb4631fe47f6be27af4ff2bf7489 <span class="se">\</span> <span class="nt">-R</span> token <span class="se">\</span> <span class="nt">-s</span> user-read-email <span class="se">\</span> <span class="nt">-b</span> firefox <span class="se">\</span> <span class="nt">-o</span> </code></pre> </div> <h3> Userinfo Endpoint </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>expert <span class="nv">access_token</span><span class="o">=</span><span class="s1">'XXX'</span> curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="k">${</span><span class="nv">access_token</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> https://api.spotify.com/v1/me <span class="o">{</span> <span class="s2">"display_name"</span> : <span class="s2">"xxxx"</span>, <span class="s2">"email"</span> : <span class="s2">"xxx@xxx.com"</span>, <span class="s2">"external_urls"</span> : <span class="o">{</span> <span class="s2">"spotify"</span> : <span class="s2">"https://open.spotify.com/user/xxx"</span> <span class="o">}</span>, <span class="s2">"followers"</span> : <span class="o">{</span> <span class="s2">"href"</span> : null, <span class="s2">"total"</span> : 0 <span class="o">}</span>, <span class="s2">"href"</span> : <span class="s2">"https://api.spotify.com/v1/users/xxx"</span>, <span class="s2">"id"</span> : <span class="s2">"xxx"</span>, <span class="s2">"images"</span> : <span class="o">[</span> <span class="o">]</span>, <span class="s2">"type"</span> : <span class="s2">"user"</span>, <span class="s2">"uri"</span> : <span class="s2">"spotify:user:xxxx"</span> <span class="o">}</span> </code></pre> </div> <h3> Authorization Code Flow </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./authorize.sh <span class="nt">-d</span> https://accounts.spotify.com <span class="se">\</span> <span class="nt">-c</span> 6e57bb4631fe47f6be27af4ff2bf7489 <span class="se">\</span> <span class="nt">-R</span> code <span class="se">\</span> <span class="nt">-s</span> user-read-email <span class="se">\</span> <span class="nt">-b</span> firefox <span class="nt">-o</span> </code></pre> </div> <h3> Exchange Code </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">code</span><span class="o">=</span><span class="s1">'XXX'</span> <span class="nb">export </span><span class="nv">basic</span><span class="o">=</span><span class="si">$(</span><span class="nb">printf</span> <span class="s2">"6e57bb4631fe47f6be27af4ff2bf7489:XXXX"</span> | openssl <span class="nb">base64</span> <span class="nt">-e</span> <span class="nt">-A</span><span class="si">)</span> curl <span class="nt">-H</span> <span class="s2">"Authorization: Basic </span><span class="k">${</span><span class="nv">basic</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="nv">grant_type</span><span class="o">=</span>authorization_code <span class="se">\</span> <span class="nt">-d</span> <span class="nv">code</span><span class="o">=</span><span class="k">${</span><span class="nv">code</span><span class="k">}</span> <span class="se">\</span> <span class="nt">-d</span> <span class="nv">redirect_uri</span><span class="o">=</span>https%3A%2F%2Fjwt.io <span class="se">\</span> https://accounts.spotify.com/api/token | jq <span class="nb">.</span> </code></pre> </div> <h3> Refresh </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">export </span><span class="nv">refresh_token</span><span class="o">=</span><span class="s1">'xxx'</span> curl <span class="nt">-sS</span> <span class="nt">-H</span> <span class="s2">"Authorization: Basic </span><span class="k">${</span><span class="nv">basic</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="nv">grant_type</span><span class="o">=</span>refresh_token <span class="se">\</span> <span class="nt">-d</span> <span class="nv">refresh_token</span><span class="o">=</span><span class="k">${</span><span class="nv">refresh_token</span><span class="k">}</span> <span class="se">\</span> https://accounts.spotify.com/api/token | jq <span class="nb">.</span> </code></pre> </div> <h2> Auth0 Integration </h2> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fr13aiazzbvujw7htifxo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fr13aiazzbvujw7htifxo.png" alt="Auth0 + Spotify"></a></p> <p>Let's add Spotify as a custom social connection. Auth0 does the Authorization Code flow part. We need to supply endpoints and a <code>fetchUserProfile.js</code> script that does fetch user profile with an access token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// code/fetchUserProfile.js</span> <span class="kd">function</span> <span class="nf">fetchUserProfile</span><span class="p">(</span><span class="nx">accessToken</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">,</span> <span class="nx">cb</span><span class="p">)</span> <span class="p">{</span> <span class="nx">request</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="dl">'</span><span class="s1">https://api.spotify.com/v1/me</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Bearer </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">accessToken</span><span class="p">,</span> <span class="dl">'</span><span class="s1">User-Agent</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Auth0</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">timeout</span><span class="p">:</span> <span class="mi">10000</span><span class="p">,</span> <span class="p">},</span> <span class="p">(</span><span class="nx">e</span><span class="p">,</span> <span class="nx">r</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="k">return</span> <span class="nf">cb</span><span class="p">(</span><span class="nx">e</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nx">statusCode</span> <span class="o">!==</span> <span class="mi">200</span><span class="p">)</span> <span class="k">return</span> <span class="nf">cb</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">invalid status:</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">r</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">));</span> <span class="kd">let</span> <span class="nx">info</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">info</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">b</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">cb</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">invalid profile:</span><span class="dl">'</span><span class="p">));</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">profile</span> <span class="o">=</span> <span class="p">{</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">info</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">info</span><span class="p">.</span><span class="nx">display_name</span><span class="p">,</span> <span class="na">nickname</span><span class="p">:</span> <span class="nx">info</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">app_metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">spotify_link</span><span class="p">:</span> <span class="nx">info</span><span class="p">.</span><span class="nx">href</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="k">if </span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">email</span> <span class="o">=</span> <span class="nx">info</span><span class="p">.</span><span class="nx">email</span><span class="p">;</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">email_verified</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">_</span><span class="p">.</span><span class="nf">isEmpty</span><span class="p">(</span><span class="nx">info</span><span class="p">.</span><span class="nx">images</span><span class="p">))</span> <span class="nx">profile</span><span class="p">.</span><span class="nx">picture</span> <span class="o">=</span> <span class="nx">_</span><span class="p">.</span><span class="nf">head</span><span class="p">(</span><span class="nx">profile</span><span class="p">.</span><span class="nx">images</span><span class="p">);</span> <span class="c1">//console.log('profile from spotify: ' + JSON.stringify(profile));</span> <span class="nf">cb</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">profile</span><span class="p">);</span> <span class="p">},</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>We can now take that script and import it to Auth0 as a custom OAuth 2.0 connection using <code>create-spotify-connection.sh</code>:</p> <p><strong>NOTE</strong></p> <p>Make sure <a href="https://tenant.auth0.com/login/callback" rel="noopener noreferrer">https://tenant.auth0.com/login/callback</a> is registered as valid callback URL in your Spotify client.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># code/create-spotify-connection.sh</span> <span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-eo</span> pipefail <span class="nb">declare</span> <span class="nt">-r</span> <span class="nv">DIR</span><span class="o">=</span><span class="si">$(</span><span class="nb">dirname</span> <span class="s2">"</span><span class="k">${</span><span class="nv">BASH_SOURCE</span><span class="p">[0]</span><span class="k">}</span><span class="s2">"</span><span class="si">)</span> <span class="nb">command</span> <span class="nt">-v</span> curl <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"error: curl not found"</span><span class="p">;</span> <span class="nb">exit </span>3<span class="p">;</span> <span class="o">}</span> <span class="nb">command</span> <span class="nt">-v</span> <span class="nb">base64</span> <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"error: base64 not found"</span><span class="p">;</span> <span class="nb">exit </span>3<span class="p">;</span> <span class="o">}</span> <span class="nb">command</span> <span class="nt">-v</span> <span class="nb">sed</span> <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"error: sed not found"</span><span class="p">;</span> <span class="nb">exit </span>3<span class="p">;</span> <span class="o">}</span> <span class="nb">command</span> <span class="nt">-v</span> jq <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"error: jq not found"</span><span class="p">;</span> <span class="nb">exit </span>3<span class="p">;</span> <span class="o">}</span> <span class="k">function </span>usage<span class="o">()</span> <span class="o">{</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">END</span><span class="sh"> &gt;&amp;2 USAGE: </span><span class="nv">$0</span><span class="sh"> [-a access_token] [-c spotify_client_id] [-x spotify_client_secret] [-e auth0-client] [-s fetch] [-v|-h] -a token # management API access_token. default from environment variable access_token -c id # spotify client_id -x secret # spotify client_secret -s file # fetchUserProfile.js JS file. default is 'fetchUserProfile.js' -D # dry-run, interpolate only -h|? # usage -v # verbose eg, </span><span class="nv">$0</span><span class="sh"> -c 6e57bb4631fe47f6be27af4ff2bf7489 -x XXXXX -e 1C39ZFp1MrRkRtTY7vlxFjvJLCheoMZm </span><span class="no">END </span> <span class="nb">exit</span> <span class="nv">$1</span> <span class="o">}</span> <span class="nb">declare </span><span class="nv">client_id</span><span class="o">=</span><span class="s1">''</span> <span class="nb">declare </span><span class="nv">client_secret</span><span class="o">=</span><span class="s1">''</span> <span class="nb">declare </span><span class="nv">enabled_client</span><span class="o">=</span><span class="s1">''</span> <span class="nb">declare </span><span class="nv">fetch_file</span><span class="o">=</span><span class="s2">"</span><span class="k">${</span><span class="nv">DIR</span><span class="k">}</span><span class="s2">/fetchUserProfile.js"</span> <span class="nb">declare </span><span class="nv">dry_run</span><span class="o">=</span>0 <span class="k">while </span><span class="nb">getopts</span> <span class="s2">"a:d:c:x:e:s:Dhv?"</span> opt <span class="k">do case</span> <span class="k">${</span><span class="nv">opt</span><span class="k">}</span> <span class="k">in </span>a<span class="p">)</span> <span class="nv">access_token</span><span class="o">=</span><span class="k">${</span><span class="nv">OPTARG</span><span class="k">}</span><span class="p">;;</span> c<span class="p">)</span> <span class="nv">client_id</span><span class="o">=</span><span class="k">${</span><span class="nv">OPTARG</span><span class="k">}</span><span class="p">;;</span> x<span class="p">)</span> <span class="nv">client_secret</span><span class="o">=</span><span class="k">${</span><span class="nv">OPTARG</span><span class="k">}</span><span class="p">;;</span> e<span class="p">)</span> <span class="nv">enabled_client</span><span class="o">=</span><span class="k">${</span><span class="nv">OPTARG</span><span class="k">}</span><span class="p">;;</span> s<span class="p">)</span> <span class="nv">fetch_file</span><span class="o">=</span><span class="k">${</span><span class="nv">OPTARG</span><span class="k">}</span><span class="p">;;</span> v<span class="p">)</span> <span class="nv">opt_verbose</span><span class="o">=</span>1<span class="p">;;</span> <span class="c">#set -x;;</span> D<span class="p">)</span> <span class="nv">dry_run</span><span class="o">=</span>1<span class="p">;;</span> h|?<span class="p">)</span> usage 0<span class="p">;;</span> <span class="k">*</span><span class="p">)</span> usage 1<span class="p">;;</span> <span class="k">esac</span> <span class="k">done</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">fetch_file</span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"ERROR: fetch_file undefined."</span><span class="p">;</span> usage 1<span class="p">;</span> <span class="o">}</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">client_id</span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"ERROR: client_id undefined."</span><span class="p">;</span> usage 1<span class="p">;</span> <span class="o">}</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">client_secret</span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"ERROR: client_secret undefined."</span><span class="p">;</span> usage 1<span class="p">;</span> <span class="o">}</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">enabled_client</span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"ERROR: enabled_client undefined."</span><span class="p">;</span> usage 1<span class="p">;</span> <span class="o">}</span> <span class="o">[[</span> <span class="nt">-f</span> <span class="s2">"</span><span class="k">${</span><span class="nv">fetch_file</span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"ERROR: fetch_file missing: </span><span class="k">${</span><span class="nv">fetch_file</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> usage 1<span class="p">;</span> <span class="o">}</span> <span class="nb">declare</span> <span class="nt">-r</span> <span class="nv">script_single_line</span><span class="o">=</span><span class="si">$(</span><span class="nb">sed</span> <span class="s1">'s|\\|\\\\|g;s/$/\\n/g'</span> <span class="s2">"</span><span class="k">${</span><span class="nv">fetch_file</span><span class="k">}</span><span class="s2">"</span> | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s1">'\n'</span> <span class="si">)</span> <span class="nb">declare </span><span class="nv">BODY</span><span class="o">=</span><span class="si">$(</span><span class="nb">cat</span> <span class="o">&lt;&lt;</span> <span class="no">EOL</span><span class="sh"> { "name": "spotify", "strategy": "oauth2", "is_domain_connection": true, "options": { "client_id": "</span><span class="k">${</span><span class="nv">client_id</span><span class="k">}</span><span class="sh">", "client_secret": "</span><span class="k">${</span><span class="nv">client_secret</span><span class="k">}</span><span class="sh">", "scripts": { "fetchUserProfile": "</span><span class="k">${</span><span class="nv">script_single_line</span><span class="k">}</span><span class="sh">" }, "authorizationURL": "https://accounts.spotify.com/authorize", "tokenURL": "https://accounts.spotify.com/api/token", "scope": "user-read-email", "customHeaders": { } }, "enabled_clients": [ "</span><span class="k">${</span><span class="nv">enabled_client</span><span class="k">}</span><span class="sh">" ] } </span><span class="no">EOL </span><span class="si">)</span> <span class="o">[[</span> <span class="k">${</span><span class="nv">dry_run</span><span class="k">}</span> <span class="nt">-eq</span> 1 <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"</span><span class="k">${</span><span class="nv">BODY</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="nb">exit </span>0<span class="p">;</span> <span class="o">}</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">access_token</span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="o">{</span> <span class="nb">echo</span> <span class="o">&gt;</span>&amp;2 <span class="s2">"ERROR: access_token undefined. export access_token='PASTE' "</span><span class="p">;</span> usage 1<span class="p">;</span> <span class="o">}</span> <span class="nb">declare</span> <span class="nt">-r</span> <span class="nv">AUTH0_DOMAIN_URL</span><span class="o">=</span><span class="si">$(</span><span class="nb">echo</span> <span class="s2">"</span><span class="k">${</span><span class="nv">access_token</span><span class="k">}</span><span class="s2">"</span> | <span class="nb">awk</span> <span class="nt">-F</span><span class="nb">.</span> <span class="s1">'{print $2}'</span> | <span class="nb">base64</span> <span class="nt">-di</span> 2&gt;/dev/null | jq <span class="nt">-r</span> <span class="s1">'.iss'</span><span class="si">)</span> curl <span class="nt">--request</span> POST <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="k">${</span><span class="nv">access_token</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">--url</span> <span class="s2">"</span><span class="k">${</span><span class="nv">AUTH0_DOMAIN_URL</span><span class="k">}</span><span class="s2">api/v2/connections"</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"</span><span class="k">${</span><span class="nv">BODY</span><span class="k">}</span><span class="s2">"</span> </code></pre> </div> <p>You also have the option to install <a href="https://auth0.com/docs/extensions/custom-social-extensions" rel="noopener noreferrer">Custom Social Connections Extension</a><br> to easily edit or view the Spotify connection. Here is how it looks for me:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fabbaspour%2Fdev.to%2Fmaster%2Fblog-posts%2F2020-04-09-spotify%2Fassets%2Fcustom-social-connections-ext-spotify.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fabbaspour%2Fdev.to%2Fmaster%2Fblog-posts%2F2020-04-09-spotify%2Fassets%2Fcustom-social-connections-ext-spotify.png" alt="custom-social-connections-ext-spotify.png"></a></p> <p>The resulting user profile has upstream IdP <code>refresh_token</code> which we'll benefit in the next section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-s</span> <span class="nt">--get</span> <span class="nt">-H</span> <span class="se">\</span> <span class="s2">"Authorization: Bearer </span><span class="k">${</span><span class="nv">access_token</span><span class="k">}</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'content-type: application/json'</span> <span class="se">\</span> <span class="s1">'https://TENANT.auth0.com/api/v2/users/oauth2|spotify|xxx'</span> | jq <span class="nb">.</span> <span class="o">{</span> <span class="s2">"app_metadata"</span>: <span class="o">{</span> <span class="s2">"spotify_link"</span>: <span class="s2">"https://api.spotify.com/v1/users/xxx"</span> <span class="o">}</span>, <span class="s2">"created_at"</span>: <span class="s2">"2020-04-21T23:19:10.023Z"</span>, <span class="s2">"email"</span>: <span class="s2">"xxx@xxx.com"</span>, <span class="s2">"email_verified"</span>: <span class="nb">false</span>, <span class="s2">"identities"</span>: <span class="o">[</span> <span class="o">{</span> <span class="s2">"provider"</span>: <span class="s2">"oauth2"</span>, <span class="s2">"access_token"</span>: <span class="s2">"BQBdE6xxx_xugA"</span>, <span class="s2">"refresh_token"</span>: <span class="s2">"AQC2-xxxxp8lBTw"</span>, <span class="s2">"user_id"</span>: <span class="s2">"spotify|xxx"</span>, <span class="s2">"connection"</span>: <span class="s2">"spotify"</span>, <span class="s2">"isSocial"</span>: <span class="nb">true</span> <span class="o">}</span> <span class="o">]</span>, <span class="s2">"name"</span>: <span class="s2">"xxx"</span>, <span class="s2">"nickname"</span>: <span class="s2">"xxx"</span>, <span class="s2">"picture"</span>: <span class="s2">"https://s.gravatar.com/avatar/c4538cc494b1706697e3a2254fbafc91?s=480&amp;r=pg&amp;d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fam.png"</span>, <span class="s2">"updated_at"</span>: <span class="s2">"2020-04-21T23:19:10.023Z"</span>, <span class="s2">"user_id"</span>: <span class="s2">"oauth2|spotify|xxx"</span>, <span class="s2">"last_ip"</span>: <span class="s2">"101.114.146.180"</span>, <span class="s2">"last_login"</span>: <span class="s2">"2020-04-21T23:19:10.023Z"</span>, <span class="s2">"logins_count"</span>: 1 <span class="o">}</span> </code></pre> </div> <h3> Returning Spotify Access Token to Auth0 Client </h3> <p>Here we want to add Spotify <code>access_token</code> as a custom claim to Auth0 <code>id_token</code>. Note that Spotify access tokens expire in 1-hour.<br> Hence we need silent authentication in Auth0 client to renew id_token and get a new Spotify access token every hour or so. That happens inside Auth0 rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// code/spotify-access_token-rule.js</span> <span class="kd">function</span> <span class="nf">renewSpotifyAccessToken</span><span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="nx">callback</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">spotify_identity</span> <span class="o">=</span> <span class="nx">_</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">identities</span><span class="p">,</span> <span class="p">{</span> <span class="na">connection</span><span class="p">:</span> <span class="dl">'</span><span class="s1">spotify</span><span class="dl">'</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">_</span><span class="p">.</span><span class="nf">isUndefined</span><span class="p">(</span><span class="nx">spotify_identity</span><span class="p">))</span> <span class="p">{</span> <span class="c1">//console.log('not spotify_identity');</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">context</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">namespace</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://my.ns/</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">refresh_token</span> <span class="o">=</span> <span class="nx">spotify_identity</span><span class="p">.</span><span class="nx">refresh_token</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">client_id</span> <span class="o">=</span> <span class="nx">configuration</span><span class="p">.</span><span class="nx">spotify_client_id</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">client_secret</span> <span class="o">=</span> <span class="nx">configuration</span><span class="p">.</span><span class="nx">spotify_client_secret</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">basic_auth</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Buffer</span><span class="p">(</span><span class="nx">client_id</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">:</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">client_secret</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">);</span> <span class="nx">request</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="dl">'</span><span class="s1">https://accounts.spotify.com/api/token</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorization</span><span class="p">:</span> <span class="dl">'</span><span class="s1">basic </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">basic_auth</span> <span class="p">},</span> <span class="na">form</span><span class="p">:</span> <span class="p">{</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">refresh_token</span><span class="dl">'</span><span class="p">,</span> <span class="na">refresh_token</span><span class="p">:</span> <span class="nx">refresh_token</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">r</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nx">statusCode</span> <span class="o">!==</span> <span class="mi">200</span><span class="p">)</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">invalid status code: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">r</span><span class="p">.</span><span class="nx">statusCode</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">info</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">b</span><span class="p">);</span> <span class="c1">//console.log(JSON.stringify(info, null, ' '));</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">adding claim for spotify user: </span><span class="dl">'</span> <span class="o">+</span> <span class="nx">spotify_identity</span><span class="p">.</span><span class="nx">user_id</span><span class="p">);</span> <span class="nx">context</span><span class="p">.</span><span class="nx">idToken</span><span class="p">[</span><span class="nx">namespace</span> <span class="o">+</span> <span class="dl">'</span><span class="s1">spotify/access_token</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">info</span><span class="p">.</span><span class="nx">access_token</span><span class="p">;</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="kc">null</span><span class="p">,</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">context</span><span class="p">);</span> <span class="p">},</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> A Point on Account Linking </h3> <p>As I <a href="https://twitter.com/aminize/status/1202442611857879040" rel="noopener noreferrer">mentioned here</a>, no.7 of most repeated identity mistakes<br> is silently linking users with unverified email address. That does apply to Spotify as well,<br> since Spotify does not immediately verify email address. Bottom line is linking by just matching email, that can easily<br> result in account takeover.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fabbaspour%2Fdev.to%2Fmaster%2Fblog-posts%2F2020-04-09-spotify%2Fassets%2Fspotify-user-object.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fabbaspour%2Fdev.to%2Fmaster%2Fblog-posts%2F2020-04-09-spotify%2Fassets%2Fspotify-user-object.png" alt="spotify-user-object"></a></p> <p>According to Spotify <a href="https://developer.spotify.com/documentation/web-api/reference/users-profile/get-current-users-profile/" rel="noopener noreferrer">get-current-users-profile docs</a> apparently<br> there is currently no way to figure out if Spotify reported email is verified or not. Until such a flag is available,<br> avoid any silent account-linking and instead offer managed account-linking.</p> spotify auth0 api oauth20