Authenticating with OAuth Protocol

Security Requirements and Controls

OAuth is an open standard that may be used to grant access to LogScale to applications and others without giving them your password.

LogScale supports the OAuth 2.0 login flow for the following providers:

  • Google Sign-In

  • GitHub Sign-In

  • BitBucket Sign-In

Providers must be configured on the LogScale server, as seen in the section for each provider.

You can enable several providers at the same time by setting multiple provider configurations.

Before you get started you must create OAuth Apps with the provider and get client_id and client_secret, and configure your redirect_uri.

In order for OAuth authentication to work properly you must provide a URL where LogScale can be reached from the browser, see the configuration option PUBLIC_URL.

Create a LogScale App

You should create an Auth0 Regular Web App specifically for LogScale. Once the application is created you will need to set up properties.

Find your application's configuration. Under the application's Settings page please take note of the following details * Domain * Client ID * Client Secret These settings are needed for LogScale's settings. You will also have to change some variables in LogScale's configuration file:

ini
AUTHENTICATION_METHOD=auth0
AUTH0_DOMAIN=$YOUR_AUTH0_DOMAIN
AUTH0_CLIENT_ID=$YOUR_CLIENT_ID
AUTH0_CLIENT_SECRET=$YOUR_CLIENT_SECRET
PUBLIC_URL=$YOUR_SERVERS_BASE_URL

See the Configuration Parameters reference section to learn how to set these and other variables for your LogScale cluster.

Map Auth0 Roles

Using the Auth0 Authorization Extension you can define Auth0 roles and map them to LogScale groups. For details on how groups work in LogScale see Authorization.

The users/roles defined at top-level in the Auth0 dashboard do not work with this. This only works for users/roles defined inside the Auth0 authorization Extension, which is found in the left side Extensions menu item.

The Auth0 Authorization Extension requires an Auth0 Rule of its own installed to work, and additionally you need to create a rule to copy the roles into the token returned by Auth0 to LogScale. This additional rule could look like this

js
// rule to copy user's roles into the returned token
function (user, context, callback) {
  const assignedRoles = (context.authorization 
| 
| {}).roles;
  context.idToken["https://auth0-example.humio.com/roles"] = assignedRoles;
  callback(null, user, context);
}

The attribute https://auth0-example.humio.com/roles in this example is the user-configurable attribute that will hold the Auth0 roles. If you configure AUTH0_ROLES_KEY=https://auth0-example.humio.com/roles (in LogScale) and add the above Auth0 Rule in the Auth0 dashboard, the assigned roles are transferred to humio in the AWT token and are made available to LogScale. If AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN is not set, then users must already have been created inside LogScale's UI.

ini
AUTO_CREATE_USER_ON_SUCCESSFUL_LOGIN=true
AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN=true

The property AUTO_UPDATE_GROUP_MEMBERSHIPS_ON_SUCCESSFUL_LOGIN controls that group membership rules in LogScale are transferred upon login. When deleting a user or changing access rights in Auth0, changes are not reflected until you log into LogScale again.