Auth0 Configuration For Client Credentials Authentication


1.0 Introduction

This guide describes how to configure Auth0 as an OAuth 2.0 authorization server to enable machine-to-machine (M2M) authentication using the Client Credentials Flow for onboarding an Amazon Web Services (AWS) connection in Fortanix Key Insight.

Configuring Auth0 involves the following steps:

  1. Create an M2M application (app) in Auth0.

  2. Configure an API and define permissions (Scopes) in Auth0.

  3. Obtain an access token from Auth0.

  4. Onboard an AWS connection using the Client Credentials flow in Fortanix Key Insight.

2.0 Prerequisites

The following prerequisites are required to set up Auth0 for M2M authentication when onboarding an AWS connection in Fortanix Key Insight:

  • Access to Fortanix Key Insight

  • Access to an AWS account

  • Access to an Auth0 tenant with permissions to create applications and APIs

  • Basic knowledge of the OAuth 2.0 Client Credentials flow

3.0 Create a Machine-to-Machine Application in Auth0

Perform the following steps to create an M2M app in Auth0:

  1. Log in to the Auth0 Dashboard.

  2. Navigate to Applications → Applications.

  3. Click Create Application.

  4. In the Create Application dialog box,

    1. Enter a Name for the application.

    2. Select Machine-to-Machine Application.

    3. Click Create to add a new application.


    Figure 1: Add an application in Auth0

  5. In the Authorize Machine to Machine Application dialog box,

    1. Select an API from the drop-down list.

      or

      Click Cancel, create the API first, and then return to this step. For more information, refer to Section 4.0: Configure an API and Scopes in Auth0.

    2. Each M2M app that accesses an API must be granted a set of permissions (or scopes). In the Client Credentials flow there is no end user to consent, so the tenant administrator grants these permissions here, and only the granted ones can appear in the app’s access token. For more information on how to add permissions, refer to Add API Permissions.

      Select the Permissions that you want to be included in your application’s access token.

    3. Click Authorize.


      Figure 2: Authorize the machine-to-machine app

  6. After the new app is created, you will be directed to the app’s details page. Under the Settings tab, copy the Client ID, Client secret, and Domain values. You will need these values later in the Fortanix Key Insight UI when setting up an IdP configuration for the AWS connection using the Client Credentials flow. Treat the Client secret like a password: it is the only credential the Client Credentials flow uses, so store it in a secrets manager rather than in documents, tickets, or chat.

    For more information on setting up an IdP configuration using the Client Credentials flow during AWS connections onboarding, refer to Getting Started with Cloud Connection.

    NOTE

    The Well-Known URL has the format: https://<Domain>/.well-known/oauth-authorization-server

    Where <Domain> is the Domain value from the app’s Settings page.


    Figure 3: Save the credentials

4.0 Configure an API and Scopes in Auth0

Perform the following steps to configure an API and scopes in Auth0:

  1. Navigate to Applications → APIs. You will see the default system API (Auth0 Management API) in the list.

  2. Click Create API to add a new API.

  3. In the Create API dialog box, configure the following:

    1. Name: Enter the API name.

    2. Identifier: A unique identifier for the API. Enter the value KI-Scanner to ensure successful authorization during onboarding in Fortanix Key Insight.

      NOTE

      • This value will be used as the audience parameter in authorization (token) requests.

      • Once the API has been created, the Identifier cannot be changed.

    3. JSON Web Token (JWT) Profile: The profile used when issuing access tokens for this API. Select Auth0 from the drop down list.

    4. JSON Web Token (JWT) Signing Algorithm:  The algorithm used to sign access tokens issued for this API. Select RS256 from the drop down list.

    5. Click Create to add the new API.


    Figure 4: Add an API

  4. After adding the API,

    1. Implement the changes described in the Quickstart tab. These involve selecting a JWT library from the predefined list and configuring it to validate the access tokens in your API (signature against the tenant’s signing keys, issuer, audience, and expiry).

    2. Add scopes (permissions), if required, in the API details Permissions tab.  For more information on how to add permissions, refer to Add API Permissions.

    The new API will be listed in the Authorize Machine to Machine Application dialog box during app creation.

5.0 Obtain a JWT Access Token from Auth0

Perform the following steps to obtain a JWT access token from Auth0:

  1. Gather the following information:

    • Client ID and Client Secret from your Auth0 machine-to-machine application.

    • API Audience (the Identifier of the API you created in Auth0).

  2. Run the following cURL command to obtain an access token. Replace the placeholder parameters (<…>) with your actual values.

    curl --request POST \
      --url https://<your-auth0-domain>/oauth/token \
      --header 'content-type: application/json' \
      --data '{
        "client_id":"<YOUR_CLIENT_ID>",
        "client_secret":"<YOUR_CLIENT_SECRET>",
        "audience":"<YOUR_API_IDENTIFIER>",
        "grant_type":"client_credentials"
      }'

  3. The response includes a JWT access token.

    Example:

    {
      "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
      "token_type": "Bearer"
    }

This confirms that the Client Credentials flow is working correctly.
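The following script is an added example, not Fortanix or Auth0 code. It covers the Well-Known URL note in Section 3.0 and the token request in Section 5.0 above: it builds the Well-Known URL from the app’s Domain, builds the same POST the cURL command sends, and then decodes the returned JWT to check that the issuer, audience (the KI-Scanner identifier from Section 4.0), algorithm, and expiry are what Key Insight expects before you paste the credentials into the UI. The tenant domain, client values, and sample token are constructed placeholders. The claim check decodes only; it does not verify the RS256 signature, which the resource server configured in Section 4.0 must still do against the tenant’s JWKS.

```python
"""Added example (not Fortanix or Auth0 code) for the Auth0 client-credentials steps.
All domain, client and token values below are constructed placeholders."""
import base64
import json
import time
import urllib.request  # used only by fetch_token(), which needs network access

EXPECTED_AUDIENCE = "KI-Scanner"  # the API Identifier the guide requires


def well_known_url(domain: str) -> str:
    """Well-Known URL in the format the guide gives, built from the app's Domain value."""
    return f"https://{domain}/.well-known/oauth-authorization-server"


def token_request(domain, client_id, client_secret, audience=EXPECTED_AUDIENCE):
    """URL and JSON body of the POST the guide's curl command sends."""
    return f"https://{domain}/oauth/token", {
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
        "grant_type": "client_credentials",
    }


def fetch_token(domain, client_id, client_secret, audience=EXPECTED_AUDIENCE):
    """Live call to /oauth/token; returns the access_token string (needs network)."""
    url, body = token_request(domain, client_id, client_secret, audience)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"content-type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_claims(access_token, domain, audience=EXPECTED_AUDIENCE, now=None):
    """Decode header and payload WITHOUT verifying the signature and check the claims
    Key Insight depends on. Returns {claim: problem}; an empty dict means they look right.
    Debugging aid only: a resource server must verify the RS256 signature against the
    tenant JWKS before trusting any of these claims."""
    now = time.time() if now is None else now
    parts = access_token.split(".")
    if len(parts) != 3:
        return {"format": "expected 3 dot-separated segments (header.payload.signature)"}
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    problems = {}
    if header.get("alg") != "RS256":  # the signing algorithm selected on the API
        problems["alg"] = f"expected RS256, got {header.get('alg')!r}"
    issuer = f"https://{domain}/"  # Auth0 issues tokens with a trailing slash
    if payload.get("iss") != issuer:
        problems["iss"] = f"expected {issuer}, got {payload.get('iss')!r}"
    aud = payload.get("aud")  # a string, or a list when several audiences are present
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems["aud"] = f"expected {audience!r} in aud, got {aud!r}"
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems["exp"] = "token is expired or has no exp claim"
    return problems


def make_sample_token(payload: dict) -> str:
    """Constructed, UNSIGNED token for offline testing; the signature segment is a dummy."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url_encode(header), _b64url_encode(payload), "c2lnbmF0dXJl"])


SAMPLE_DOMAIN = "dev-example.us.auth0.com"  # placeholder tenant domain
SAMPLE_NOW = 1_700_000_000                  # fixed clock so the checks are repeatable
SAMPLE_PAYLOAD = {                          # shape of an Auth0 M2M access token (constructed)
    "iss": f"https://{SAMPLE_DOMAIN}/",
    "sub": "abc123@clients",                # Auth0 suffixes M2M subjects with @clients
    "aud": EXPECTED_AUDIENCE,
    "iat": SAMPLE_NOW,
    "exp": SAMPLE_NOW + 86400,
    "scope": "read:keys",
    "gty": "client-credentials",
}

if __name__ == "__main__":
    print(well_known_url(SAMPLE_DOMAIN))
    good = make_sample_token(SAMPLE_PAYLOAD)
    print(inspect_claims(good, SAMPLE_DOMAIN, now=SAMPLE_NOW))
    wrong_api = make_sample_token(dict(SAMPLE_PAYLOAD, aud="SomeOtherApi"))
    print(inspect_claims(wrong_api, SAMPLE_DOMAIN, now=SAMPLE_NOW))
```

Run it against a real token by passing the `access_token` string from the cURL response and your tenant Domain to `inspect_claims`; a non-empty result usually means the wrong API Identifier was used as `audience` or the token was requested from a different tenant than the Well-Known URL points at.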

6.0 Onboard an AWS Connection with Client Credentials Flow

After completing the Auth0 configuration, provide the following details in Fortanix Key Insight when onboarding the AWS connection using the Client Credentials flow:

  • Client ID

  • Client Secret

  • Well-known URL

  • Scopes (If any custom scopes were created in Auth0)

For more information on setting up an IdP configuration using the Client Credentials flow during AWS connections onboarding, refer to Getting Started with Cloud Connection.