OAuth with Auth0

LogScale offers integration with Auth0 for user authentication, requiring the "Change identity providers" permission to configure. While Auth0 provides extensive third-party identity provider support, users should consider data processing agreements and may opt for LogScale's built-in provider support for Google and GitHub to avoid storing personal data with third parties.

LogScale can be configured to authenticate users through Auth0. For more details on how Auth0 works with third-party identity providers and advanced usages, see the Auth0 documentation.

Auth0 keeps information about your users. This may require you to have a Data Processing Agreement with Auth0. If all you need is Google and GitHub, you can use LogScale's built-in support for several providers and avoid storing your users' personal data with a third-party provider.

Prerequisites for Auth0 configuration

Prior to performing the steps below, make sure that you have an Auth0 account.

Create an Auth0 Regular Web app

To create an app that is suitable to use with LogScale:

  1. In the Auth0 dashboard, go to Applications and click Applications.

    Figure 105. Accessing Applications in the Auth0 Dashboard (screenshot: the Auth0 Dashboard navigation sidebar with the Applications option highlighted, showing where to begin creating a new application)


  2. Click Create Application. Name the app, select Regular Web App, and click Save.

    Figure 106. Creating a New Regular Web Application in Auth0 (screenshot: the Auth0 application creation dialog with the name field and application type selection, Regular Web Applications highlighted as the type required for LogScale integration)


  3. After you have created the app, make sure you are in the app you created before continuing. Click the Addons tab.

    Figure 107. Configuring Addons for the Auth0 Application (screenshot: the Auth0 application settings page with the Addons tab highlighted, where additional features are configured after creation)


  4. In order to avoid CSRF attacks, you must set the Allowed Callback URLs field to %PUBLIC_URL%/auth/auth0 (for example, https://www.example.com/auth/auth0), where %PUBLIC_URL% is the value of the LogScale configuration option PUBLIC_URL.

Find your application's configuration. On the application's Settings page, take note of the Domain, Client ID, and Client Secret. These values are needed to configure LogScale.

Configure LogScale to authenticate with Auth0

Once you have configured the Auth0 app, you must configure LogScale to authenticate with Auth0. To do this, add and edit some variables in LogScale's configuration file, humio-config.env. To learn more about setting configuration options, see Configuration Settings.

Using Auth0 authentication for LogScale requires that you set the PUBLIC_URL configuration option. This environment variable and others that are required for Auth0 authentication are shown in this example:

```ini
AUTHENTICATION_METHOD=auth0
AUTH0_DOMAIN=$YOUR_AUTH0_DOMAIN
AUTH0_CLIENT_ID=$YOUR_CLIENT_ID
AUTH0_CLIENT_SECRET=$YOUR_CLIENT_SECRET
PUBLIC_URL=$YOUR_SERVERS_BASE_URL
```

To have calls to the Auth0 token endpoint use the cluster's HTTP proxy settings, add the AUTH0_USE_HTTP_PROXY configuration option and set its value to true.
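The following is an added example, not LogScale's own code: it parses a humio-config.env-style block, checks that the variables the Auth0 method needs are all present, and derives the callback URL that must be registered in the Auth0 app's Allowed Callback URLs field from PUBLIC_URL. The sample configuration and the https check are this example's own assumptions; the variable names are the ones from the page.

```javascript
// Added example (not LogScale's or Auth0's code). Parses a humio-config.env
// style block, validates the Auth0 variables named on this page, and derives
// the callback URL that the Auth0 app must have in "Allowed Callback URLs".

const REQUIRED_AUTH0_VARS = [
  "AUTHENTICATION_METHOD",
  "AUTH0_DOMAIN",
  "AUTH0_CLIENT_ID",
  "AUTH0_CLIENT_SECRET",
  "PUBLIC_URL",
];

// Parse KEY=VALUE lines. Blank lines and '#' comments are ignored, surrounding
// whitespace is trimmed, and '=' characters inside values (e.g. base64 secrets)
// are kept, since only the first '=' separates key from value.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    vars[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return vars;
}

// LogScale serves the OAuth callback at <PUBLIC_URL>/auth/auth0. A trailing
// slash on PUBLIC_URL must not produce ".../auth/auth0" with a doubled slash,
// because Auth0 compares the redirect URI exactly against the registered list.
function auth0CallbackUrl(publicUrl) {
  return publicUrl.replace(/\/+$/, "") + "/auth/auth0";
}

// Returns a list of problems; an empty list means the Auth0 config is complete.
// The https check is this example's own recommendation, not a LogScale rule.
function checkAuth0Config(vars) {
  const problems = [];
  for (const name of REQUIRED_AUTH0_VARS) {
    if (!vars[name]) problems.push(`missing ${name}`);
  }
  if (vars.AUTHENTICATION_METHOD && vars.AUTHENTICATION_METHOD !== "auth0") {
    problems.push(`AUTHENTICATION_METHOD is ${vars.AUTHENTICATION_METHOD}, expected auth0`);
  }
  if (vars.PUBLIC_URL && !/^https:\/\//.test(vars.PUBLIC_URL)) {
    problems.push("PUBLIC_URL is not https; the authorization code would travel in clear text");
  }
  if (vars.AUTH0_USE_HTTP_PROXY !== undefined &&
      !["true", "false"].includes(vars.AUTH0_USE_HTTP_PROXY)) {
    problems.push("AUTH0_USE_HTTP_PROXY must be true or false");
  }
  return problems;
}

// Constructed sample config with placeholder values (not real credentials).
const SAMPLE_CONFIG = `
# constructed sample humio-config.env fragment
AUTHENTICATION_METHOD=auth0
AUTH0_DOMAIN=example-tenant.auth0.com
AUTH0_CLIENT_ID=PLACEHOLDER_CLIENT_ID
AUTH0_CLIENT_SECRET=PLACEHOLDER_CLIENT_SECRET
PUBLIC_URL=https://logscale.example.com/
`;

const sampleVars = parseEnv(SAMPLE_CONFIG);
console.log("problems:", checkAuth0Config(sampleVars));
console.log("register this callback in Auth0:", auth0CallbackUrl(sampleVars.PUBLIC_URL));
```

Run it before restarting LogScale with a new configuration: the printed callback URL is the exact string that has to appear in the Auth0 app, and the trailing-slash normalisation is the mismatch most often behind a "callback URL mismatch" error on the Auth0 side.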

Map Auth0 Roles

Using the Auth0 Authorization Extension, you can define Auth0 roles and map them to LogScale groups. For details on how groups work in LogScale, see Authorization.

The users and roles defined at the top level of the Auth0 dashboard do not work with this mapping. It only works for users and roles defined inside the Auth0 Authorization Extension, which is found under the Extensions item in the left-side menu.

The Auth0 Authorization Extension requires an Auth0 Rule of its own to be installed in order to work. In addition, you need to create a rule that copies the roles into the token that Auth0 returns to LogScale. This additional rule could look like this:

```js
// Rule to copy the user's roles into the returned ID token.
// context.authorization is set by the Authorization Extension's own rule;
// the `|| {}` fallback keeps the rule from throwing for users it has not
// processed (their roles claim is then simply undefined).
function (user, context, callback) {
  const assignedRoles = (context.authorization || {}).roles;
  context.idToken["https://auth0-example.humio.com/roles"] = assignedRoles;
  callback(null, user, context);
}
```

The attribute https://auth0-example.humio.com/roles in this example is the user-configurable claim that holds the Auth0 roles. If you configure AUTH0_ROLES_KEY=https://auth0-example.humio.com/roles in LogScale and add the above Auth0 Rule in the Auth0 dashboard, the assigned roles are transferred to LogScale in the JWT and made available there. If AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN is not set, users must already have been created in LogScale's UI.

```ini
AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN=true
AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN=true
```

The property AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN controls whether the group memberships derived from the Auth0 roles are applied in LogScale at login. Because this happens only at login, deleting a user or changing access rights in Auth0 is not reflected in LogScale until that user logs into LogScale again.
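The following is an added example, not code from Auth0 or LogScale: it runs the roles-copying rule shown above against constructed user and context objects, including the case where the Authorization Extension has not populated context.authorization, and then shows the receiving side reading the claim named by AUTH0_ROLES_KEY back out of the ID token payload. The runRule and rolesFromIdToken helpers are this example's own; the claim name is the one used on the page.

```javascript
// Added example (not Auth0's or LogScale's code). Exercises the Auth0 rule from
// the page with constructed inputs and shows how the roles claim is read back.

// Value configured as AUTH0_ROLES_KEY in LogScale; it is a URL because Auth0
// only keeps custom claims in the ID token when they are namespaced this way.
const ROLES_KEY = "https://auth0-example.humio.com/roles";

// The rule from the page, as a named function so it can be called directly.
function copyRolesRule(user, context, callback) {
  const assignedRoles = (context.authorization || {}).roles;
  context.idToken[ROLES_KEY] = assignedRoles;
  callback(null, user, context);
}

// Helper (this example's own): run the rule the way Auth0 would, with a
// constructed user, and hand back the resulting ID token claims.
function runRule(context) {
  let claims;
  copyRolesRule({ email: "user@example.com" }, context, (err, _user, ctx) => {
    if (err) throw err;
    claims = ctx.idToken;
  });
  return claims;
}

// Receiving side (this example's own illustration of the lookup LogScale has
// to do with AUTH0_ROLES_KEY): read the claim and return a clean list of role
// names. A missing claim, a non-array value or empty strings yield no roles,
// so a user the extension never processed ends up with no group memberships.
function rolesFromIdToken(payload, rolesKey) {
  const roles = payload[rolesKey];
  if (!Array.isArray(roles)) return [];
  return roles.filter((r) => typeof r === "string" && r.length > 0);
}

// Constructed contexts: one user with extension roles, one without.
const withRoles = runRule({ authorization: { roles: ["admin", "reader"] }, idToken: {} });
const withoutExtension = runRule({ idToken: {} });

console.log("roles for processed user:", rolesFromIdToken(withRoles, ROLES_KEY));
console.log("roles for unprocessed user:", rolesFromIdToken(withoutExtension, ROLES_KEY));
```

The second case is the one to watch in practice: when the Authorization Extension's own rule is missing or runs after this one, context.authorization is undefined, the claim is silently absent, and a user who should have lost or gained groups keeps whatever memberships LogScale recorded at their previous login until AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN applies the new claim on the next one.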