Skip to main content

Secure a Web App Using Auth0

About 3 min

Enable SSO and Granular Access Control For A Header-Based Web App with Auth0


In this tutorial, we will use the Datawiza Access Proxy (DAP) to enable SSO and granular access control for a header-based web App. The IdP we will use is Auth0. We will use DAP's side deployment mode, which means DAP and this app are running on the same server.

  • The application will run on localhost:3001.
  • The DAP will run on localhost:9772, which means the traffic to the app will reach DAP (running on port 9772) first and then be proxied to the application (running on port 3001).
  • We will provide the docker images for the DAP and this header-based application.

Part I: Auth0 Configuration

You will need to register an OIDC application in Auth0 management portal and get the following values for this application:

  • Domain
  • Client ID
  • Client Secret

These values will later be used to set up Datawiza Access Proxy in Datawiza Cloud Management Console. Please follow IdP Configuration Guide: Auth0 instructions on how to get those keys/values.

Part II: Create Application on Datawiza Cloud Management Console (DCMC)

You need to create an application and generate a keypair of (PROVISIONING_KEY, PROVISIONING_SECRET) for this app on the DCMC.

Please follow Step2 : Datawiza Cloud Management Console to configure.

Part III: Run DAP With a Header-Based Application

You can use either Docker or Kubernetes to run DAP. The following is an example docker-compose.yml file. To download the images of the Access Proxy and header-based app, you will need to login to our container registry.

See Step3 : Configure DAP and SSO Integration for more details or Deploy DAP with Kubernetes for Kubernetes-specific instructions.

version: '3'

    container_name: datawiza-access-proxy
    restart: always
      - "9772:9772"
      PROVISIONING_KEY: #############################
      PROVISIONING_SECRET: #############################

    container_name: ab-demo-header-app
    restart: always
      - "3001:3001"

After executing docker-compose -f docker-compose.yml up, the header-based app should have SSO enabled with Auth0. Open a browser and type in http://localhost:9772/. You should see the Auth0 login page as follows. Note that if you are already logged into Auth0 in your browser, you may need to logout to see the login page. Web App Auth0 SSO | DAP with Auth0

Part IV: Pass User Attributes to the Header-Based App

DAP gets user attributes from IdP and can pass the user attributes to the application via header or cookie.

Please follow the instructions of Step4 : Pass User Attributes to pass the user attributes to the header-based app, which is expecting:

  • email
  • firstname
  • lastname
  • groups

Because Auth0 default Authorization Coreopen in new window doesn't support group as of 11/13/2020, we set role instead of group here for test. You can also follow the instructions of Update user info by API(Optional) to add family name and given name to test user. Web App Auth0 SSO | Auth0 with DCMC attributesWeb App Auth0 SSO | Auth0 with DCMC attributesWeb App Auth0 SSO | Auth0 with DCMC attributes After successfully configuring the user attributes, you should see the green check sign for each of the user attributes as follows. Web App Auth0 SSO | Auth0 with DCMC attributes

Part V: Achieve Granular Access Control

You can configure access control to an application based on user's attributes (e.g., groups, department) and other metadata of a request (e.g., URL, IP, http method, access time).

Please reference Step5 : Achieve Granular Access Control for detailed instructions on how to set up access rules. You can practice the rule configuration using the following example.

A Rule Example

  1. Create a user in Auth0, put it in hr role, and then assign this person to your application on Auth0.
  2. Create the following two rules:
    • hr path can only be accessed by hr role.
    • sales path can only be accessed by sales role.
  3. Verify that the user you created can only access hr page in the header-based app, but cannot access sales page. Trying to access the header-based application on localhost:9772 in your browser, you should get something similar to the following screenshots. http://localhost:9772/hr: Auth0 Examplehttp://localhost:9772/sales: Auth0 Example Access Forbidden