This repository has been archived by the owner on Mar 22, 2021. It is now read-only.

Provide Auth0 Guide #172

Open
Jcambass opened this issue Jun 11, 2017 · 5 comments
Comments

@Jcambass

There isn't currently an Auth0 Guide for Knock since Auth0 removed its guides on knock and focused on "raw" jwt. It would be really helpful to bring a guide to this repo. I'm currently struggling myself with setting up the knock with Auth0.

@Amnesthesia

same af

@carlows

carlows commented Jan 21, 2018

I'm in the same position. Have you guys found any pointers?

@Amnesthesia

@carlows Yes! And it's a bit tricky. I had to override some Knock methods in the BaseController to be able to catch the exception thrown, usually from decoding the JWT. First of all you've got to set your audience properly when authenticating against Auth0, and ensure that your API is using the client ID and secret for the API with that defined audience, then double-check what algorithm you're expecting.

I had problems caused by sending a JWT token that was encrypted with RS256, which required a public and private key on the server side, but instead using the accessToken (rather than idToken) from Auth0 and passing the openid scope and correct audience helped with getting Knock to decode the token correctly.

It was a pain to debug, but ensure that you're using the correct algorithm — I'm at work right now but can give some code examples later tonight on how I solved it

@cidylle

cidylle commented Feb 9, 2018

@Amnesthesia Any time for those code samples? Would be much appreciated. Running into the same issues trying to use Auth0 with Knock.

@Amnesthesia

Amnesthesia commented Feb 12, 2018

Sorry @cidylle, forgot about this.

First, I set up my config/initializers/knock.rb like this:

```ruby
Knock.setup do |config|
  # I only set the Auth0 stuff for prod and dev. I use defaults for testing purposes
  unless Rails.env.test?
    # This comes from my .env file, but will be set to e.g. "https://your-api.domain.com/" or whatever your Auth0 API *audience* is called.
    config.token_audience = -> { Rails.application.secrets.auth0_api_audience }

    # Ensure we use HS256 on Auth0
    config.token_signature_algorithm = "HS256"

    # API secret from Auth0
    config.token_secret_signature_key = -> { Rails.application.secrets.auth0_api_secret }
  end
end
```

Then I've added the following in my BaseController.rb - this is useful because otherwise Knock will silently drop the errors, and we don't want that. For example, what happened for me a lot of times was that I was sending a JWT token that used the wrong algorithm (e.g. RS256 with public / private key), and Knock just silently dropped that. This let me rethrow the error and see what was actually going wrong:

```ruby
class Version1::BaseController < ApplicationController
  include Knock::Authenticable

  # Disable this one when you're debugging:
  rescue_from ::JWT::DecodeError, with: :unauthorized

  # Reopen Knock::Authenticable so the entity getter re-raises decode errors
  # instead of swallowing them and returning nil.
  module Knock::Authenticable
    def define_current_entity_getter(entity_class, getter_name)
      unless self.respond_to?(getter_name)
        memoization_var_name = "@_#{getter_name}"
        self.class.send(:define_method, getter_name) do
          unless instance_variable_defined?(memoization_var_name)
            current =
              begin
                Knock::AuthToken.new(token: token).entity_for(entity_class)
              rescue => e
                # Re-raise so rescue_from (or your debugger) sees the real error
                raise e
              end
            instance_variable_set(memoization_var_name, current)
          end
          instance_variable_get(memoization_var_name)
        end
      end
    end
  end
end
```
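An added example (not code from this thread or from the Knock gem) of the checks that the three `knock.rb` settings above drive: the algorithm is pinned from configuration rather than read from the token header, the HMAC is recomputed with the API secret, and `aud` must name the configured Auth0 API. It uses only Ruby's standard library; the secret, audience, claims and RSA key are constructed sample values, and the `sign_rs256` helper exists only to build a token shaped like the RS256 idToken the thread describes.

```ruby
# Added example, not code from this thread or from the Knock gem: a minimal
# HS256 JWT verifier on Ruby's standard library, showing the checks that
# Knock's token_signature_algorithm, token_secret_signature_key and
# token_audience settings drive. All secrets, audiences and claims are
# constructed sample values.
require "openssl"
require "json"

module Auth0TokenCheck
  class VerifyError < StandardError; end

  EXPECTED_ALG      = "HS256"                         # pinned, never read from the token
  EXPECTED_AUDIENCE = "https://your-api.domain.com/"  # constructed Auth0 API identifier
  API_SECRET        = "constructed-sample-api-secret" # constructed; a real one lives in secrets

  def self.b64url_encode(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.b64url_decode(str)
    padded = str.tr("-_", "+/")
    padded += "=" * ((4 - padded.length % 4) % 4)
    padded.unpack1("m0")
  end

  def self.signing_input(header, payload)
    "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  end

  # Shape of an Auth0 accessToken for an HS256 API: HMAC over header.payload.
  def self.sign_hs256(payload, secret)
    input = signing_input({ "alg" => "HS256", "typ" => "JWT" }, payload)
    "#{input}.#{b64url_encode(OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, input))}"
  end

  # Shape of an RS256 idToken: same layout, but an RSA signature that a shared
  # secret cannot check. Built here only to show how the verifier rejects it.
  def self.sign_rs256(payload, rsa_key)
    input = signing_input({ "alg" => "RS256", "typ" => "JWT" }, payload)
    "#{input}.#{b64url_encode(rsa_key.sign(OpenSSL::Digest.new("SHA256"), input))}"
  end

  # Constant-time byte comparison so the signature check leaks no timing information.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns the verified claims or raises VerifyError with the reason, which is
  # the loud failure the thread wanted instead of Knock's silent nil.
  def self.verify(token, secret: API_SECRET, audience: EXPECTED_AUDIENCE, now: Time.now.to_i)
    parts = token.split(".")
    raise VerifyError, "malformed token" unless parts.length == 3
    header_b64, payload_b64, sig_b64 = parts
    header = JSON.parse(b64url_decode(header_b64))

    # 1. The algorithm comes from configuration; a header claiming RS256 (or "none")
    #    is rejected before any signature work is done.
    raise VerifyError, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == EXPECTED_ALG

    # 2. Recompute the HMAC with the API secret and compare in constant time.
    expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, "#{header_b64}.#{payload_b64}")
    raise VerifyError, "bad signature" unless secure_equal?(expected, b64url_decode(sig_b64))

    payload = JSON.parse(b64url_decode(payload_b64))

    # 3. aud must name this API (Auth0 may issue aud as a string or an array).
    raise VerifyError, "audience mismatch" unless Array(payload["aud"]).include?(audience)

    # 4. Expired tokens are refused.
    raise VerifyError, "token expired" if payload["exp"] && payload["exp"] <= now
    payload
  end

  def self.error_for(token, now)
    verify(token, now: now)
    nil
  rescue VerifyError => e
    e.message
  end

  # Exercise the happy path plus the failure modes discussed in the thread.
  def self.demo
    now    = 1_700_000_000
    claims = { "sub" => "auth0|constructed-user", "aud" => EXPECTED_AUDIENCE, "exp" => now + 3600 }
    good   = sign_hs256(claims, API_SECRET)
    {
      good:      verify(good, now: now)["sub"],
      rs256:     error_for(sign_rs256(claims, OpenSSL::PKey::RSA.new(2048)), now),
      wrong_aud: error_for(sign_hs256(claims.merge("aud" => "https://other-api.example/"), API_SECRET), now),
      tampered:  error_for(good.sub(/\.[^.]+\z/, ".AAAA"), now),
      expired:   error_for(sign_hs256(claims.merge("exp" => now - 1), API_SECRET), now),
    }
  end
end

puts Auth0TokenCheck.demo.inspect if $PROGRAM_NAME == __FILE__
```

The RS256 idToken fails at the first check regardless of which secret is configured, which is exactly the condition Knock was hiding behind a nil entity; with the `BaseController` override above that same condition surfaces as a `JWT::DecodeError` you can read in the log.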
