2
votes

According to the "tutorial" (the docs themselves say nothing) Auth0 should set a JWT for me on login, but it's not clear what it means by this. How do I get that JWT?

We already have a login flow in place that uses a hosted page that is accessed through a CNAME CNAME.example.com. Following this process:

  1. I go to example.com/login
  2. I am redirected to the CNAME CNAME.example.com/authorize?...
  3. Then again to CNAME.example.com/login
  4. Username and Password are POSTed to CNAME.example.com/usernamepassword/login
  5. This returns a form containing the JWT and automatically POSTs to CNAME.example.com/login/callback
  6. This then redirects back to our main site example.com/landing-page, but the JWT is not received here.

Because it's a CNAME, Auth0 would be able to set an HttpOnly, Secure cookie for our domain; that would be enough.

I've only just jumped on this project and understand that if it was built from scratch we could use the API directly to get the JWT but I can't work out how to do it for the existing flow.

I'm sure we're missing something simple, but the documentation is not forthcoming. Do I need to do a login via the API instead?

EDITED: To clarify, the login flow exists and works using a hosted page on Auth0; I need to get the JWT after the user has logged in.

MORE INFO: We're using the Auth0 WordPress Plugin, which correctly logs us in as the right user (as well as helping us create new users) but does not seem to expose the JWT. That page does mention getting JWTs but refers to the deprecated wp-jwt-auth plugin.

1
Providing this as a comment because it's more questions than answers. Have in mind that a JWT is just a token format, so it's important to phrase this in terms of what token (intended usage) you're looking for. An OIDC authentication request results in an ID token (always a JWT); an OAuth 2.0 authorization request results in an access token (that can use JWT as the format). What type of token are you looking for? How is the current flow implemented? Are you using a library to implement that flow? If yes, which one? - João Angelo
We're using the Auth0 WordPress Plugin. github.com/auth0/wp-auth0 - DanielM
I see, that is a bit more than an SDK; it is meant to be configured, and the outcome is an end-user authenticated into WordPress. In other words, although the configuration does not hide the fact that the plugin uses OIDC/OAuth 2.0 to drive that authentication, the general goal is still to have an end-user authenticated. Why do you need direct access to an end-user JWT (ID token in this case, as the plugin deals with authentication) in this scenario? - João Angelo
We're moving away from a WP monolith and bringing up microservices. The individual services also need to know the user has been authenticated. - DanielM
Who would be calling those APIs (microservices) that I assume would require bearer access tokens (which can indeed be JWTs) as a means to decide if the call is authorized or not? In particular, would the call be happening from the server side, or would you now also have micro browser-based (JavaScript) applications running as part of the bigger WordPress site? - João Angelo

1 Answer

2
votes

The links provided are for general information about JWTs; for accomplishing an authentication through Auth0 there is better-suited documentation. In particular, you should start with the quickstarts (https://auth0.com/docs/quickstarts) to check if there's any that is directly associated with the application and stack you're building.

In addition to that, you can also check the docs associated more with protocol flows (assuming you want OIDC/OAuth 2.0): https://auth0.com/docs/api-auth/which-oauth-flow-to-use

The above should guide you about which flow to use and then for each you can follow the links to have a better understanding of how the flow can be implemented.

As an additional note the /login endpoint should be treated as an implementation detail; for OIDC/OAuth 2.0 you need to start the request at /authorize.
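An added example, not code from the question, the plugin or the answer, showing the two points the answer and the comments make: the OIDC request starts at /authorize on the custom domain (never at /login), and the ID token (a JWT) that comes back must have its claims checked by the client. The domain, client ID and callback URL are placeholders, and the custom-domain issuer value is an assumption.

```python
import base64, json, time
from urllib.parse import urlencode

# Constructed values (assumptions); a real deployment uses its own custom domain,
# client ID and the callback URL registered on the Auth0 application.
DOMAIN = "CNAME.example.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://example.com/landing-page"

def build_authorize_url(state, nonce):
    """Start the OIDC request at /authorize; /login is an implementation detail."""
    params = {
        "response_type": "code",       # authorization code flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match a registered callback URL
        "scope": "openid profile",     # 'openid' makes it an OIDC request -> ID token
        "state": state,                # bound to the browser session, checked on callback
        "nonce": nonce,                # echoed inside the ID token, checked after exchange
    }
    return f"https://{DOMAIN}/authorize?" + urlencode(params)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_id_token(claims):
    """Constructed ID token with a dummy signature, only to exercise the checks below."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'dummy')}"

def validate_id_token_claims(id_token, expected_nonce, now=None):
    """Claims the client must check on the ID token; RS256 signature verification
    against the tenant JWKS is assumed to have run before this."""
    now = int(time.time()) if now is None else now
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") == "none":
        raise ValueError("unsigned token rejected")
    if claims.get("iss") != f"https://{DOMAIN}/":  # custom-domain issuer (assumed)
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("audience mismatch")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, token not issued for this request")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```

The code the callback receives is exchanged at the tenant's /oauth/token endpoint (not shown here), and it is that response, not the hosted /login page, that carries the ID token.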