How do I secure a webtask to only allow processing events coming in from a specific auth0/webhook?
From the Webtask
Doing this
wt create refresh-token.js -s AUTH0_CLIENT_ID=XXXXX -s AUTH0_CLIENT_SECRET=XXXXX -s AUTH0_DOMAIN=XXXXX
Makes the command-line variables available as context.secrets.AUTH0_CLIENT_ID and context.secrets.AUTH0_SECRET (they also show up under the “webtask editor/secrets” tab).
Is this supposed to secure the webtask? I can still access the URL (from a browser) and see the output from the callback.
From the Webhook auth0 extension
The ‘Scheduled jobs/Secrets’ tab shows entries for AUTH0_* keys which I didn't explicitly set; what do they default to?
There are several methods to protect access to webtasks, depending on the use case. To restrict calls made from a Hook, you can think of it as a machine-to-machine flow, and use the Client Credentials Grant. In essence, your webtask will be the ‘API’, with the Hook being the client. Take a look at the following documentation that may be of help:
I was having trouble (the submit button wouldn't respond) copying a longish comment in markdown, hence I replied to the email notification. I tried the inline editor, and splitting into multiple comments too.
I have this webtask
//hello.js
var wt = require('webtask-tools');

// Webtask handler: logs the incoming Auth0 event type and answers with a small HTML body.
function webtask(context, req, res) {
  console.log("from hello");
  console.log("EVENT TYPE:" + context.data.type);
  res.writeHead(200, { 'Content-Type': 'text/html' });
  res.end('<h1>FROM HELLO</h1>');
}

// wt.auth0() wraps the handler with Auth0 authentication; requests that carry no token are rejected.
module.exports = wt.auth0(webtask);
I run it like this:
wt create hello.js -s AUTH0_CLIENT_ID=XXXXX -s AUTH0_CLIENT_SECRET=XXXXX -s AUTH0_DOMAIN=XXXXX
Configured the Auth0 webhook extension
Configured the Auth0 API hook plugin with the AUTH0 ID, SECRET and DOMAIN used in the ‘wt create’ call above.
LOGS (webhook and webtask)
I see this in the auth0 webhook extension logs:
12:13:07 PM: Unexpected response while sending request: {"code":401,"message":"Unauthorized.","error":"Missing access token.","redirect":"https://XXXXX-0.run.webtask.io/hello/login"}
And this in the webtask (wt logs):
[19:13:07.395Z] INFO wt: finished webtask request 1492715587282.271021 with HTTP 401 in 89ms
Why isn't the webhook sending an access token in its request?
The current auth0/webhook extension does a plain POST to the webtask (webhook_url); the Auth0 creds are only used to get the logs from Auth0.
We could probably move the webtask (which deletes refresh tokens) to the point where a POST is done in the webhook, or we could modify the POST to do OAuth. But we don't want to maintain our own version of the extension.
I guess what we want is a version of the webhook extension that speaks OAuth with the WEBHOOK_URL.