0
votes

I tried going through the documentation provided by Webtask.io, but I am not able to use a webhook which is secured using Auth0.

I created an Auth0 login app using Node.js and then tried to call the webhook URL, but I am getting a 401 error.

The following is the response which I got after logging in to the Auth0 application.

DcapxdbV35rBXQ9P { access_token: 'DcapxdbV35rBXQ9P', expires_in: 86400, id_token: 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoidGVjaCBpbmN1YmF0b3IiLCJlbWFpbCI6InRlY2hpbmN1YmF0b3IuaHNwbEBnbWFpbC5jb20iLCJlbWscFpbF92ZXJpZmllZCI6dHJ1ZSwicGljdHVyZSI6Imh0dHBzOi8vbGgzLmdvb2dsZXVzZXJjb250ZW50LmNvbS8tWGRVSXFkTWtDV0EvQUFBQUFBQUFBQUkvQUFBscsacQUFBQUFBQUEvNDI1MnJzY2J2NU0vcGhvdG8uanBnIiwiaXNzIjoiaHR0cHM6Ly90ZWNoaW5jdWJhdG9yLmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwMzc5MTcwODM5Nzk5MjU0ODA4NiIsImF1ZCI6IkE4NEI5WEZVdHg3Z29jQk5FVnpueFBlbUdNTG9VUHdCIiwiZXhwIjoxNDg4NDE2NzQzLCJpYXQiOjE0ODgzODA3NDN9.lHyj0RszUhY0yaQ0QeTDNt0KYVMI_cRgy3Qp-x5lNnQ', token_type: 'Bearer' }

I used the Authorization header and passed the id_token value to it as 'Bearer + token' to call the webhook.

Still, I am not able to access the webhook.

Could you please help?

1
Could you check id_token? Seems invalid because it contains no text data. - pedrofb

1 Answer

1
votes

Please can you explain your situation - are you saying you have a local node.js application and wish to call an API (no UI component) that is deployed as a Webtask? And you are trying to send a JWT Access Token from your local node.js application to this API endpoint?

The first issue I see with your response is that the access token is opaque - you would need an access token that is a JWT (JSON Web Token).

To get this, you need to define an API in your Auth0 Dashboard (if not already enabled, look under account settings -> advanced -> Enable APIs Section and ensure it is toggled ON). Define a new API, and give it any scopes if you are using these to secure your API endpoint. Then ensure that you add the audience attribute to the params you supply for login - both the Lock and auth0.js libraries support this attribute too, if you are using them. The audience value should be set to the Identifier attribute value you provided when defining your API in the Auth0 dashboard.

I suggest you read through the Auth0 Docs on API Authorization.

In particular, see Calling APIs from Server-side Web Apps for your node.js scenario. Once you have the required JWT Access Token, you would send that to your API endpoint using the Authorization: Bearer {JWT TOKEN} header. Your API should read that JWT Access Token and check it for validity (subject, expiration, etc.).

Let me know if this makes sense for you, and feel free to leave questions in the comments section below. I appreciate it can seem like a lot to take in the first time you go through the process; in reality it takes under 2 minutes to get this working.
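
The API-side validation step mentioned in the answer, as an added example that is not part of the original answer or Auth0's own code: it rejects opaque tokens, pins the algorithm, and checks signature, issuer, audience and expiration. It assumes HS256 with a shared secret; `ISSUER`, `AUDIENCE`, `SECRET`, `signHS256` and `verifyBearer` are hypothetical names with constructed values.

```javascript
// Added example, not from the original answer. Assumes HS256 with a shared
// secret; ISSUER, AUDIENCE and SECRET are constructed placeholder values.
const crypto = require('crypto');

const ISSUER = 'https://tenant.example/';
const AUDIENCE = 'https://api.example/webhook'; // the API "Identifier"
const SECRET = 'constructed-demo-secret';

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (input) => crypto.createHmac('sha256', SECRET).update(input).digest();

// Mints constructed sample tokens for the demo below.
function signHS256(claims) {
  const header = b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' }));
  const input = `${header}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(hmac(input))}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyBearer(authorization, now = Math.floor(Date.now() / 1000)) {
  const m = /^Bearer ([A-Za-z0-9._-]+)$/.exec(authorization || '');
  if (!m) return { ok: false, reason: 'missing_bearer' };
  const parts = m[1].split('.');
  if (parts.length !== 3) return { ok: false, reason: 'opaque_token' }; // not a JWT
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    if (!header || !claims) throw new Error('not JSON objects');
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm rather than trusting the token's own header.
  if (header.alg !== 'HS256') return { ok: false, reason: 'bad_alg' };
  const expected = hmac(`${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad_signature' };
  if (claims.iss !== ISSUER) return { ok: false, reason: 'bad_issuer' };
  const aud = [].concat(claims.aud); // aud may be a string or an array
  if (!aud.includes(AUDIENCE)) return { ok: false, reason: 'bad_audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed samples: a JWT access token for this API, and an opaque token.
const NOW = 1700000000;
const good = signHS256({ iss: ISSUER, sub: 'user|1', aud: AUDIENCE, exp: NOW + 60 });
console.log(verifyBearer(`Bearer ${good}`, NOW).ok, verifyBearer('Bearer opaqueTokenValue', NOW).reason);
```

An ID token fails the audience check in this sketch because its `aud` is the client ID rather than the API Identifier. For tokens signed with RS256, the HMAC comparison is replaced by a public-key signature verification.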