Authentication And Auth0 (Day 107)
May 2, 2022•273 words
Total hours: 221.483
Top three:
1) Auth0 Login CORS Issue
When you’re running on an HTTP local server, certain required POST features don’t work (except kinda in Chrome for 2 minutes). I ended up using a proxy, which kinda solved the issue (thank goodness Auth0 has phenomenal documentation).
However, I wasn’t able to solve it fully. It turned out later that the issue is with using Custom pages with a custom domain; some other code needs to be changed as well. That’s an issue to figure out tomorrow.
2) Auth0 Domain Understanding
By default Auth0 uses its own tenant domain, and that causes major issues with cookies and cross-site cookies. Partially solved by using Caddy.
It also turns out (though not well documented anywhere) that Auth0 custom domains redirect to the root domain when the request is not part of an authorization flow. For example, going directly to auth.mygaya.day redirects to mygaya.day, and going to auth.somesite.mygaya.day (if Auth0 was set up that many subdomains deep) redirects to somesite.mygaya.day.
3) Certificates working correctly now
One of the most important security considerations is preventing impersonation, or preventing the operator from being served a non-secure version of the site (which is likely malicious as well). We can partially mitigate this by using DNSSEC along with HSTS. It turns out that .day domains are all on HSTS by default (the whole TLD is preloaded), and trying to remove it isn’t possible.
Also, to get the certificates fully loading, I needed to follow the Amazon article along with running the commands below:
sudo ln -sf /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/bitnami/nginx/conf/bitnami/certs/server.key
sudo ln -sf /etc/letsencrypt/live/$DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/bitnami/certs/server.crt
Then resume service with sudo /opt/bitnami/ctlscript.sh start
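Those two symlinks only need to be made once, but nginx still has to be restarted after every certbot renewal, and a key/certificate mismatch should stop that restart. Here is the same procedure wrapped as a certbot deploy hook; this is an added example, not code from the post, and it assumes certbot's RENEWED_LINEAGE variable and Bitnami's ctlscript.sh restart nginx syntax.

```shell
#!/bin/sh
# Added example: certbot deploy hook for the Bitnami nginx layout above.
# Re-links the live cert, refuses to restart nginx when the key and
# certificate do not belong together, and only then restarts.
set -e

LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
NGINX_CERTS="${NGINX_CERTS:-/opt/bitnami/nginx/conf/bitnami/certs}"

# Point nginx's server.key/server.crt at certbot's "live" symlinks, so a
# renewal (which only swaps the archive version) is picked up without relinking.
link_certs() {
    domain="$1"
    ln -sf "$LE_LIVE/$domain/privkey.pem"   "$NGINX_CERTS/server.key"
    ln -sf "$LE_LIVE/$domain/fullchain.pem" "$NGINX_CERTS/server.crt"
}

# Return 0 when the private key's public half matches the certificate's
# public key. A mismatch means nginx would fail to start or serve the wrong chain.
check_cert_pair() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Link, verify, and only then restart nginx (assumed ctlscript.sh syntax).
deploy() {
    link_certs "$1"
    if check_cert_pair "$NGINX_CERTS/server.key" "$NGINX_CERTS/server.crt"; then
        sudo /opt/bitnami/ctlscript.sh restart nginx
    else
        echo "key/cert mismatch for $1, nginx not restarted" >&2
        return 1
    fi
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mygaya.day)
# when it runs a deploy hook; do nothing when sourced outside certbot.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$(basename "$RENEWED_LINEAGE")"
fi
```

Install it with certbot's --deploy-hook option so it runs after each successful renewal.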