Building Secure APIs with Rails 6 and Auth0

robertino.calcaterra · June 15, 2020, 12:31pm

Learn how to easily integrate Auth0 with Rails 6 to build secure APIs.

Brought for you by John Brennan

konrad.sopala · June 15, 2020, 12:46pm

Let’s join the discussion and let us know your thoughts Ruby developers!

itinsley · October 12, 2020, 11:17am

EDIT - FIXED

You need to add audience to your auth_config.json then specify the audience in createAuth0Client. Your audience is the “Api Identifier”, handily labelled as “API Audience” on the dashboard list of API’s

  auth0 = await createAuth0Client({
    domain: config.domain,
    client_id: config.clientId,
    audience: config.audience
  });

Then use the same options (or at the very least specify the audience again, when calling getTokenSilently)

const accessToken = await auth0.getTokenSilently(auth0.options);

This will return an accessToken that is a JWT

ORIGINAL POST BELOW

For my client integration I am using the auth0-spa-js tutorial. I call getTokenSilently() but the access token returned is only 32 characters long and clearly a different format. Am I missing a step to transform the client issued token into a JWT?
This gettokensilently-returns-a-32-character-string-not-jwt explains that you have to set the audience. I have tried setting the audience, restarting my SPA and double-checking that the options are being sent on login but I only ever receive a 32 char string, not a JWT.

The code to get the AccessToken is thus:

  const accessToken = await auth0.getTokenSilently();
  console.log("Access Token")
  console.log(accessToken)

Note, I have not specifically configured any audience or scopes with Auth0 - it is pretty much vanilla setup.

Your response appreciated.

dan-auth0 · October 17, 2020, 10:01am

Howdy, @itinsley! Welcome to the Auth0 Community and thank you for reading the blog post. I am glad that you got the issue sorted out.

That’s right, the audience parameters, which as you point out is the API Identifier in the Auth0 Dashboard, helps you get the access token needed to make API calls.

This guide section is using the React SDK, but under the hood, that SDK uses the Auth0 SPA SDK: The Complete Guide to React User Authentication with Auth0

It highlights the initialization needed to get an access token.

Do you think that it would have been helpful to have included a demo client with this Rails blog post showing how to make protected API requests from a client to the Rails API?

itinsley · October 30, 2020, 8:44am

Hi, thanks for getting back to me. Yeah, I imagine that what I was trying to do is pretty common. I was setting up a Rails API and a React Front-End with Auth0 for security but I had to work from two different tutorials and this audience setting was pretty critical and took a while to find as I don’t think it is mentioned in the auth0-spa-js tutorial

yonyossef · January 2, 2021, 11:08am

Hello,
I’m following this guide for building my first Rails 6 + Auth0 API,
Buy I’ve encountered an issue I can’t find a solution to, please help me understand where to look for an answer:

I’m trying to make a first authenticated ‘create’ action by running:

curl -H “Content-Type: application/json” -H “Authorization: bearer $API_TOKEN” -d ‘{“body”:“this is my first chirp!”, “published”:true}’ -X POST http://localhost:3000/chirps

My server responds with the following error:

Errno::ECONNREFUSED (Failed to open TCP connection to :80 (Connection refused - connect(2) for nil port 80)):

app/lib/json_web_token.rb:19:in jwks_hash'** **app/lib/json_web_token.rb:14:in block in verify’
app/lib/json_web_token.rb:7:in verify'** **app/services/authorization_service.rb:20:in verify_token’
app/services/authorization_service.rb:8:in authenticate_request!'** **app/controllers/secured_controller.rb:7:in authorize_request’
127.0.0.1 - - [02/Jan/2021:12:54:19 IST] “POST /chirps HTTP/1.1” 500 19247
- → /chirps

My environment is Ubuntu 20.04.1 LTS under WSL2:
PS C:\Users\YOLA> wsl -l -v
NAME STATE VERSION
Ubuntu Running 2

Rails Server:
=> Booting WEBrick
=> Rails 6.0.3.4 application starting in development http://localhost:3000

Thanks!
Yony

dan-auth0 · January 4, 2021, 9:21pm

Howdy, Yonyossef! Thanks for reading this blog post Could you please try using https in the request URL instead of http?

yonyossef · January 5, 2021, 2:28am

curl -H “Content-Type: application/json” -H “Authorization: bearer $API_TOKEN” -d ‘{“body”:“this is my first chirp!”, “published”:true}’ -X POST https://localhost:3000/chirps

Results in:

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

James.Morrison · January 31, 2021, 6:28pm

This topic was automatically closed 26 days after the last reply. New replies are no longer allowed.

Intimaria · May 28, 2022, 1:45am

Hi!

Thanks for the great docs. I’m building a secured API with Auth0 on Rails 6 and have followed the Rails 6 tutorial. Am testing with test tokens for my application. I am just using authorisation not authentication.

When testing secured endpoints, I was getting unauthorised access repeatedly so I debugged my code as far as I could & traced the problem to the verify method.
Specifically the error is

{
	"message": "Signature verification raised"
}

If I set the third parameter in JWT.decode to false, everything works out.
But this is not OK, I want to verify the JWT.

So what could be going wrong? I have checked that the domain and audience are exactly in my code as they are in the auth0 issues JWTs, down the the trailing slash in the domain. I found some people having similar issues online but not a satisfying answer!

If I follow the jwts link (https://dev-lmzlz5ay.us.auth0.com/.well-known/jwks.json) I get a public key, and it does seem to process it (I verified this with a logger), but something fails in the verification step.

If I try the JsonWebToken.verify() method out on the console with a test token from auth0, it verifies & returns the token just fine.

But it doesn’t do so with http requests using postman or curl.

Sorry, am a bit new with all of this!
Happy to post any necessary snippets or logs.

All the best,
Inti

konrad.sopala · May 30, 2022, 6:30am

@robertino.calcaterra would you be able to follow up on that? Thanks!

robertino.calcaterra · May 30, 2022, 12:43pm

Hi folks! We are working on that @konrad.sopala

konrad.sopala · May 30, 2022, 1:02pm

Perfect! Thank you a lot!

robertino.calcaterra · May 31, 2022, 12:21pm

Howdy @intimaria. I suggest to take a look at this post: https://auth0.com/blog/secure-rails-api/, I think it’s very useful for you!

andrea.chiarelli · May 31, 2022, 1:14pm

As far as I understand, your code works correctly when you run it on your console but not when it runs in your API

If I try the JsonWebToken.verify() method out on the console with a test token from auth0, it verifies & returns the token just fine.

It makes me think that something between your client (curl or Postman) and your JsonWebToken.verify() method modifies the token. Have you tried to debug your code and catch the token right before calling the JsonWebToken.verify() method?

Intimaria · May 31, 2022, 4:51pm

Thanks for your help! I used a Rails.logger to see what was going on and effectively there did seem to be some discrepancy between what was sent and received due to formatting.
I was able to solve it effectively, so thank you for your help.