1 | # Auth0 Deploy
|
2 |
|
3 | A module which allows easy convention-based deployment of Auth0 components
|
4 |
|
5 | ### Supported Components
|
6 |
|
7 | Currently the module supports the following components:
|
8 |
|
9 | - Clients (with client grants) - Create/Update
|
10 | - Resource Servers (API) - Create/Update
|
11 | - Connections - Create/Update
|
12 |
|
13 | ## Installation
|
14 |
|
15 | ```javascript
|
16 | npm install -g auth0-deploy
|
17 | ```
|
18 |
|
19 | # Usage (CLI)
|
20 |
|
21 | To create components in Auth0 you must create a folder for each
|
22 | component, with the folder name corresponding to the component name.
|
23 |
|
24 | Each component is grouped under a component type folder.
|
25 |
|
26 | The following is an example structure of components:
|
27 |
|
28 | ```
|
29 | components
|
30 | ├── clients
|
31 | │ └── my-client
|
32 | │ ├── config.json
|
33 | │ └── grants.json
|
34 | ├── connections
|
35 | │ └── member-idp
|
36 | │ ├── config.json
|
37 | │ └── login.js
|
38 | └── resource-servers
|
39 | └── members
|
40 | └── config.json
|
41 |
|
42 | ```
|
43 |
|
44 | Each component type has its own folder. Within this folder are folders corresponding to the names of each component of that type.
|
45 |
|
46 | In the above example we expect the following components:
|
47 |
|
48 | - Client
|
49 | - my-client
|
50 | - Connection
|
51 | - member-idp
|
52 | - Resource Server
|
53 | - members
|
54 |
|
55 | ### Common Conventions
|
56 |
|
57 | 1. The **name** of a component is determined by its folder name
|
58 | 2. The options for the component are specified via a `config.json` in the components folder
|
59 | - The `config.json` should match the JSON body format for the component as described in the [Management API](https://auth0.com/docs/api/management/v2#!/Connections/post_connections)
|
60 | - Each component has sensible defaults for the JSON body, properties included in `config.json` override the defaults
|
61 |
|
62 | ### General CLI Usage
|
63 |
|
64 | ```bash
|
65 | auth0-deploy <component-type> [options]
|
66 | ```
|
67 |
|
68 | **component-type** : Can be any of the following: `resource`, `connection`, `client`
|
69 |
|
70 | **options**
|
71 |
|
72 | ```
|
73 | Options:
|
74 |
|
75 | -h, --help output usage information
|
76 | -V, --version output the version number
|
77 | -t, --token <token> Auth0 Management API token
|
78 | -c, --client-id <id> Auth0 Client ID
|
79 | -s, --client-secret <secret> Auth0 Client Secret
|
80 | -d, --auth0-domain <domain> Auth0 Domain
|
81 | -w, --working-dir <workingdir> working directory for auth0 components (defaults to current working directory)
|
82 | ```
|
83 |
|
84 | **Authorization**
|
85 |
|
86 | In order to allow the API calls to the management API to succeed you must:
|
87 |
|
88 | - Create a client which has grants for the appropriate scopes (see: [Auth0 Deploy Cli](https://github.com/auth0/auth0-deploy-cli#to-create-client-by-hand))
|
89 | - Specify `--client-id` and `--client-secret` via cli
|
90 | - Specify Auth0 Domain for the account via `--auth0-domain`
|
91 |
|
92 | **OR**
|
93 |
|
94 | - Create a token from the Management API page with appropriate scopes
|
95 | - Specify `token` via cli
|
96 | - Specify Auth0 Domain for the account via `--auth0-domain`
|
97 |
|
98 | ### Scopes
|
99 |
|
100 | The client/token used with the tool must have the following scopes:
|
101 |
|
102 | ```
|
103 | # For Resource Servers
|
104 | read:resource_servers
|
105 | update:resource_servers
|
106 | create:resource_servers
|
107 |
|
108 | # For connections
|
109 | read:connections
|
110 | update:connections
|
111 | create:connections
|
112 |
|
113 | # For Clients
|
114 | read:clients
|
115 | update:clients
|
116 | create:clients
|
117 |
|
118 | read:client_grants
|
119 | update:client_grants
|
120 | create:client_grants
|
121 | delete:client_grants
|
122 | ```
|
123 |
|
124 | ## Connections
|
125 |
|
126 | In addition to the common conventions, creation of connection resources allows specification of custom script code.
|
127 |
|
128 | In order for your custom scripts to be included as a part of the connection creation, you must create
|
129 | `.js` files corresponding to the custom script.
|
130 |
|
131 | The following scripts are supported:
|
132 |
|
133 | - **Login** -> login.js
|
134 | - **Create** -> create.js
|
135 | - **Verify** -> verify.js
|
136 | - **Change** Password -> change_password.js
|
137 | - **Delete** -> delete.js
|
138 | - **Get User** -> get_user.js
|
139 |
|
140 | From the above example, you can see that only the `login.js` custom script is specified.
|
141 | Any of the scripts which are specified will be added to the connection during creation.
|
142 |
|
143 | Example `config.json`
|
144 |
|
145 | ```json
|
146 | {
|
147 | "options": {
|
148 | "bareConfiguration":{
|
149 | "hostname": "https://myidpurl.com"
|
150 | }
|
151 | }
|
152 | }
|
153 | ```
|
154 |
|
155 | The above `config.json` specifies some configuration properties for the custom scripts to access
|
156 |
|
157 | ### Command
|
158 |
|
159 | Change directory to components folder (ie. your folder should contain `connections`, `clients`, etc.
|
160 |
|
161 | ```bash
|
162 | auth0-deploy connection --token <your-access-token> --auth0-domain <yourhost.auth0.com>
|
163 | ```
|
164 |
|
165 | The above example uses the token Authorization method
|
166 |
|
167 | ## Resource Servers
|
168 |
|
169 | To create a resource server you must specify a `config.json` which describes the body of the resource for the management API.
|
170 |
|
171 | Lets say we have the following directory structure:
|
172 |
|
173 | ```
|
174 | components
|
175 | ├── resource-servers
|
176 | │ └── members
|
177 | │ └── config.json
|
178 |
|
179 | ```
|
180 |
|
181 |
|
182 | An example `config.json` would look like:
|
183 |
|
184 | ```json
|
185 | {
|
186 | "identifier": "https://members.mydomain.com",
|
187 | "scopes": [
|
188 | {"value": "read:email"},
|
189 | {"value": "read:friends"}
|
190 | ],
|
191 | "signing_alg": "RS256"
|
192 | }
|
193 | ```
|
194 |
|
195 | This would create a resource named `members` with scopes: `read:email` and `read:friends`
|
196 |
|
197 | ```bash
|
198 | auth0-deploy resource --token <your-access-token> --auth0-domain <yourhost.auth0.com>
|
199 | ```
|
200 |
|
201 | ## Client
|
202 |
|
203 | Clients follow the same convention as resources except you can specify **client-grants** via
|
204 | the file `grants.json`
|
205 |
|
206 | This file must consist of an array of grants which conform to the grant body as per the [Management API](https://auth0.com/docs/api/management/v2#!/Client_Grants/post_client_grants) requirements.
|
207 | Each grant must omit the `client_id` property as this will be automatically filled based on the given client.
|
208 |
|
209 | An example `grants.json` would look like:
|
210 |
|
211 | ```json
|
212 | [
|
213 | {
|
214 | "audience": "https://some-host.auth0.com/api/v2/",
|
215 | "scope": [
|
216 | "read:users"
|
217 | ]
|
218 | }
|
219 | ]
|
220 | ```
|
221 |
|
222 | As you can see, the grant specifies the `audience` and `scope`, but not the `client_id`
|
223 |
|
224 | ```bash
|
225 | auth0-deploy client --token <your-access-token> --auth0-domain <yourhost.auth0.com>
|
226 | ```
|
227 |
|
228 | ## Environment specific overrides
|
229 |
|
230 | You may want to have differing values for certain configuration options based on the environment you
|
231 | are deploying to.
|
232 |
|
233 | For example, if we want to create a connection which contacts our own IDP server to authenticate users, you
|
234 | may want to specify different URIs for the IDP server for each environment.
|
235 |
|
236 | To do so, you can add placeholders to your `config.json` files in the form: `@@PLACEHOLDER_NAME@@`
|
237 |
|
238 | Going back to the connection example, lets look at an example `config.json`
|
239 |
|
240 | ### Environment Specific config
|
241 |
|
242 | ```json
|
243 | {
|
244 | "options": {
|
245 | "bareConfiguration":{
|
246 | "hostname": "@@IDP_URI@@"
|
247 | }
|
248 | }
|
249 | }
|
250 | ```
|
251 |
|
252 | Here we have a placeholder for the value of the `hostname` config property.
|
253 | The placeholders name is `IDP_URI`
|
254 |
|
255 | To specify values for this placeholder you can:
|
256 |
|
257 | - Export an environment variable with the name `IDP_URI` before executing the deploy command
|
258 |
|
259 | **OR**
|
260 |
|
261 | - Specify an argument `--IDP_URI <uri>` with the deploy command
|
262 |
|
263 | Example:
|
264 |
|
265 | ```bash
|
266 | auth0-deploy connection --token <your-access-token> --auth0-domain <yourhost.auth0.com> --IDP_URI https://myidp.organization.com
|
267 | ```
|
268 |
|
269 | The above command will replace all instances of the placeholder `IDP_URI` with the given url (which may be specific to the environment)
|
270 |
|
271 | # Usage (as a node module)
|
272 |
|
273 | ...
|