Update Auth0 documentation

[wdesouza]

I am trying to figure out how to configure a working example of GA4GH server with Auth0 authentication service. I am using the latest release version (0.3.5). Because Auth0 service should be configured via web browser, I created a step-by-step tutorial with my progress. I think the following pictures and text may help others. The problem I found is at the end of this text.

Follow the Deployment on Apache instructions to install the reference implementation server.

At Apache configuration, you should use the root path instead of /ga4gh because the server is using absolute path when redirecting web address.

WSGIDaemonProcess ga4gh \
    processes=10 threads=1 \
    python-path=/srv/ga4gh/ga4gh-server-env/lib/python2.7/site-packages \
    python-eggs=/var/cache/apache2/python-egg-cache
WSGIScriptAlias / /srv/ga4gh/application.wsgi

<Directory /srv/ga4gh>
    WSGIProcessGroup ga4gh
    WSGIApplicationGroup %{GLOBAL}
    Require all granted
</Directory>

Configuring Auth0 service

First login or sign up in Auth0 website: https://auth0.com/

Creating Client

On tab Client click in Create Client. Give a name for your Client and choose the Non Interactive Clients client type. Click Create.

In Settings tab copy the Domain, Client ID and Client Secret data.

These data will be used to set the following server configuration values (reference):

• AUTH0_HOST with Domain;
• AUTH0_CLIENT_ID with Client ID;
• AUTH0_CLIENT_SECRET with Client Secret.

Fill Allowed Callback URLs, Allowed Logout URLs and Allowed Origins (CORS) with the web address of server endpoint plus the related path.

Creating API

Go to APIs tab and click in Create API. The Identifier should be the URL of server endpoint (the landing page). For this example I am using root path and TCP port 80.

On Scopes tab, create two scopes: openid and email.

On Non Interactive Clients tab, authorize the previous created Client. Select both scopes openid and email. Click Update then Continue.

Creating Database Connections

Go to Connections-Database tab and click Create DB Connection. I disabled sign ups because I want to have control over user creation allowing only certain people/software to have access on server.

In Clients tab, activate the connection between the Client and the Database.

Creating Users

Go to Users tab and click Create User. Fill the fields. Connection should be same one previously created. An email will be send requesting to verify. I recommend creating your own user for testing purposes.

Setting up GA4GH server with authentication

Append the following server configuration values to config.py file (reference). Remember to update the fields correctly. Create a SECRET_KEY. I didn’t understand the field AUTH0_AUTHORIZED_EMAILS. I just used the same email I used to login into Auth0 website.

AUTH0_ENABLED = True
SECRET_KEY = "super_secret"
AUTH0_SCOPES = "openid email"
AUTH0_CALLBACK_URL = "http://192.168.0.5/callback"
AUTH0_HOST = "USER.auth0.com"
AUTH0_CLIENT_ID = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
AUTH0_CLIENT_SECRET = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
AUTH0_AUTHORIZED_EMAILS = "name@host.com"

Restart the server.

Testing

Finally access server landing page. It will show an error and a link to login. At login page, use the same email and password used to create a user. Note that it does not have an option to create a user (it can be changed).

After login you will see the token page.

Issues

• After the login success, the server is redirecting to the same login page. It repeats over and over. I expected to see the token string. In the Apache access log I found this:

192.168.0.6 - - [10/Feb/2017:09:56:37 -0800] "GET /login HTTP/1.1" 200 576 "http://192.168.0.5/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
192.168.0.6 - - [10/Feb/2017:09:56:43 -0800] "GET /callback?code=gVCDNDap9fffMMIb HTTP/1.1" 302 463 "http://192.168.0.5/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
192.168.0.6 - - [10/Feb/2017:09:56:48 -0800] "GET /login HTTP/1.1" 200 575 "http://192.168.0.5/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

It seems that Auth0 returned access token to /callback but it redirected to /login again. It happens sometimes requiring to restart Apache server.

• Testing programmatic access raises unauthorized error messages.

Using ga4gh_client tool:

ga4gh_client --auth0-token <token> datasets-search http://192.168.0.5/

ERROR:ga4gh.client.client:401 {"errorCode": 1430394319, "message": "Not authenticated. Use the key on the server index page."}
Traceback (most recent call last):
  File "ga4gh-server-env/bin/ga4gh_client", line 9, in <module>
    load_entry_point('ga4gh-client==0.6.0a9', 'console_scripts', 'ga4gh_client')()
  File "/srv/ga4gh/ga4gh-server-env/local/lib/python2.7/site-packages/ga4gh/client/cli.py", line 1682, in client_main
    raise exception
ga4gh.client.exceptions.RequestNonSuccessException: Url http://192.168.0.5/?key=invalid had status_code 401

Using --key argument does not work.

Using Python library (reference):

from ga4gh.client import client
key = "<token>"
c = client.HttpClient("http://192.168.0.5/", id_token=key)
c.search_datasets().next()

Error:

ERROR:ga4gh.client.client:401 {"errorCode": 1430394319, "message": "Not authenticated. Use the key on the server index page."}
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/srv/ga4gh/ga4gh-server-env/local/lib/python2.7/site-packages/ga4gh/client/client.py", line 58, in _run_search_request
    protocol_request, object_name, protocol_response_class)
  File "/srv/ga4gh/ga4gh-server-env/local/lib/python2.7/site-packages/ga4gh/client/client.py", line 820, in _run_search_page_request
    self._check_response_status(response)
  File "/srv/ga4gh/ga4gh-server-env/local/lib/python2.7/site-packages/ga4gh/client/client.py", line 805, in _check_response_status
    response.url, response.status_code))
ga4gh.client.exceptions.RequestNonSuccessException: Url http://192.168.0.5/datasets/search had status_code 401

[david4096]

Thanks @Welliton309 for putting together such a detailed set of instructions! Auth0 was in the process of testing the API based non-interactive clients features and I haven't tried them out.

The AUTH0_AUTHORIZED_EMAILS are email addresses that you have authorized to access data in the server. You can set up Google OIDC, but you don't want any Google user to be able to log in, so you add only the authorized emails to that list.

It sounds a bit like that is what is going wrong, the callback code does looks well formed, but you're being redirected to the /login with a code. If the request is authorized the callback session gets redirected to printing out the login code. https://github.com/ga4gh/server/blob/master/ga4gh/server/auth/__init__.py#L156

Are you trying to log in using an email in the authorized users list? The returned information about the email used to perform the login attempt has to match what is in the local configuration.

[wdesouza]

I have used the same email. I tested again and it worked! I don't known what happened. I got the API Token web page. The link to landing page worked very well 😄

The Apache access log:

192.168.0.6 - - [14/Feb/2017:04:05:43 -0800] "GET / HTTP/1.1" 200 409 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
192.168.0.6 - - [14/Feb/2017:04:05:53 -0800] "GET /login HTTP/1.1" 200 575 "http://192.168.0.8/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
192.168.0.6 - - [14/Feb/2017:04:06:05 -0800] "GET /callback?code=fK6iNjbADATr340s HTTP/1.1" 302 1528 "http://192.168.0.8/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
192.168.0.6 - - [14/Feb/2017:04:06:07 -0800] "GET /login?code=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6IndlbGwzMDlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImlzcyI6Imh0dHBzOi8vd2VsbGl0b24uYXV0aDAuY29tLyIsInN1YiI6ImF1dGgwfDU4OWRmMjVlMjQ0Y2NiNzRmODlmMmI4YiIsImF1ZCI6ImV3Y1RybHlQVlhPS2dWMmM2VE1WMWkwdmxOaXdUekJOIiwiZXhwIjoxNDg3MTA5OTY2LCJpYXQiOjE0ODcwNzM5NjZ9.xe9x6wB7HBZXCUByiLaGkU6tNrsep335lYmQNOs4_EE HTTP/1.1" 200 816 "http://192.168.0.8/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

It seems that the token size has been changed and the server redirected to /login page with the token. I will try to reproduce all steps and update the tutorial.

[david4096]

Thanks, we would happily incorporate any of your tutorial into our docs!

[wdesouza]

@david4096 feel free to use this tutorial :)

I updated with more information and pictures. Now I am trying to retrieve data from server.

[david4096]

Great, I changed the title. We'll close this issue once we've updated our documentation using your screenshots. Thanks!

[wdesouza]

@david4096 I'd like you to wait until I can access the data. There may still be settings to make on the Auth0 page.

[wdesouza]

Unfortunately it is not working. It seems that the GA4GH server only accept connection to base URL. When trying to access another resource such as search for data sets the server raises the "Not authenticated. Use the key on the server index page." Basically I am running this:

from ga4gh.client import client
key = "<key from login page>"
c = client.HttpClient("http://192.168.0.8/", id_token=key)
c.search_datasets().next()

Anyone have any idea for tracking this problem?

[david4096]

Are there any more details of the error message?

In order to control for issues in the client, could you try it as a cURL request (replacing my key for yours)?

curl -X POST --data '{}' -H 'Content-Type: application/json' -H 'Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImRhdmlkY3NAdWNzYy5lZHUiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiaXNzIjoiaHR0cHM6Ly9kYXZpZDQwOTYuYXV0aDAuY29tLyIsInN1YiI6Imdvb2dsZS1vYXV0aDJ8MTAxNDYyMDk4NDkxMDIwNzU4NDcxIiwiYXVkIjoiN1B5VDVlUVJSZGFTeGdNNGhFWXowNHd6bmNOaVhwcUgiLCJleHAiOjE0ODE4ODE5NjUsImlhdCI6MTQ4MTg0NTk2NX0.t0e-1Ij0gGrmP0CKv_ymKsy_wvdTWfLtr5-257jRQ7aA' http://localhost:8000/datasets/search

Let me know the details of the error returned please!

It seems like the flow with Auth0 of getting a token for your login works as expected. However, protected endpoints inspect the Authorization header before accessing data and something is going wrong there.

• The copied key does not match what has been stored in the cache.
• Is the cache valid for that email? (Try removing your cache rm -f /tmp/ga4gh)
• Is the UI returning a string that can't be copy-pasted properly? (Visual inspection?)

[wdesouza]

I did the following steps:

1. Checked the Auth0 configurations (according to tutorial);
2. Deleted /tmp/ga4gh and Apache logs;
3. Restarted Apache;
4. Entered homepage;
5. Clicked in login link;
6. Signed in using the user created in Auth0 (the same email in config.py file);
7. Copied the key from login page;
8. Clicked in landing page link (I saw the default home page, the URL: http://192.168.0.8/?key=<same_token_from_login>);
9. Executed curl command line:

curl -X POST --data '{}' -H 'Content-Type: application/json' -H 'Authorization: bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6IndlbGwzMDlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJpc3MiOiJodHRwczovL3dlbGxpdG9uLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1OGFiMDYzMTgyYjBjYTA3NzQ2M2VhM2IiLCJhdWQiOiI1RkZMZWpud2hkeERWZHVEUHdONzFnc3FGWTNxbWlDUSIsImV4cCI6MTQ4Nzg1MTYwMywiaWF0IjoxNDg3ODE1NjAzfQ.XBymadpZydRp1-K2bcPYaj5ciNqR6wP8ns2TJnM5rls' http://192.168.0.8/datasets/search 

It returned:

{"errorCode": 1430394319, "message": "Not authenticated. Use the key on the server index page."}

The access.log file:

192.168.0.8 - - [22/Feb/2017:18:06:31 -0800] "GET / HTTP/1.1" 200 409 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.0.8 - - [22/Feb/2017:18:06:35 -0800] "GET /login HTTP/1.1" 200 577 "http://192.168.0.8/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.0.8 - - [22/Feb/2017:18:06:41 -0800] "GET /callback?code=1hrHmDg2jNv1IMHl HTTP/1.1" 302 1533 "http://192.168.0.8/login" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.0.8 - - [22/Feb/2017:18:06:44 -0800] "GET /login?code=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6IndlbGwzMDlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJpc3MiOiJodHRwczovL3dlbGxpdG9uLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1OGFiMDYzMTgyYjBjYTA3NzQ2M2VhM2IiLCJhdWQiOiI1RkZMZWpud2hkeERWZHVEUHdONzFnc3FGWTNxbWlDUSIsImV4cCI6MTQ4Nzg1MTYwMywiaWF0IjoxNDg3ODE1NjAzfQ.XBymadpZydRp1-K2bcPYaj5ciNqR6wP8ns2TJnM5rls HTTP/1.1" 200 815 "http://192.168.0.8/login" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.0.8 - - [22/Feb/2017:18:06:58 -0800] "GET /?key=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6IndlbGwzMDlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJpc3MiOiJodHRwczovL3dlbGxpdG9uLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1OGFiMDYzMTgyYjBjYTA3NzQ2M2VhM2IiLCJhdWQiOiI1RkZMZWpud2hkeERWZHVEUHdONzFnc3FGWTNxbWlDUSIsImV4cCI6MTQ4Nzg1MTYwMywiaWF0IjoxNDg3ODE1NjAzfQ.XBymadpZydRp1-K2bcPYaj5ciNqR6wP8ns2TJnM5rls HTTP/1.1" 200 1842 "http://192.168.0.8/login?code=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6IndlbGwzMDlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJpc3MiOiJodHRwczovL3dlbGxpdG9uLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1OGFiMDYzMTgyYjBjYTA3NzQ2M2VhM2IiLCJhdWQiOiI1RkZMZWpud2hkeERWZHVEUHdONzFnc3FGWTNxbWlDUSIsImV4cCI6MTQ4Nzg1MTYwMywiaWF0IjoxNDg3ODE1NjAzfQ.XBymadpZydRp1-K2bcPYaj5ciNqR6wP8ns2TJnM5rls" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.0.8 - - [22/Feb/2017:18:06:59 -0800] "GET /static/favicon.ico HTTP/1.1" 200 1524 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0"
192.168.0.8 - - [22/Feb/2017:18:07:40 -0800] "POST /datasets/search HTTP/1.1" 401 246 "-" "curl/7.47.0"

The error.log file (server debug activated):

[Wed Feb 22 18:03:22.978982 2017] [wsgi:warn] [pid 3363:tid 139871544747904] mod_wsgi: Compiled for Python/2.7.11.
[Wed Feb 22 18:03:22.979026 2017] [wsgi:warn] [pid 3363:tid 139871544747904] mod_wsgi: Runtime using Python/2.7.12.
[Wed Feb 22 18:03:23.005393 2017] [mpm_event:notice] [pid 3363:tid 139871544747904] AH00489: Apache/2.4.18 (Ubuntu) mod_wsgi/4.3.0 Python/2.7.12 configured -- resuming normal operations
[Wed Feb 22 18:03:23.005471 2017] [core:notice] [pid 3363:tid 139871544747904] AH00094: Command line: '/usr/sbin/apache2'
[Wed Feb 22 18:06:32.746432 2017] [wsgi:error] [pid 3369:tid 139871440754432] INFO:rdflib:RDFLib Version: 4.2.1
[Wed Feb 22 18:06:32.989907 2017] [wsgi:error] [pid 3369:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:32.989928 2017] [wsgi:error] [pid 3369:tid 139871440754432] INFO in extension [/srv/ga4gh/ga4gh-server-env/lib/python2.7/site-packages/flask_cors/extension.py:81]:
[Wed Feb 22 18:06:32.989933 2017] [wsgi:error] [pid 3369:tid 139871440754432] Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:32.989936 2017] [wsgi:error] [pid 3369:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:32.989968 2017] [wsgi:error] [pid 3369:tid 139871440754432] INFO:ga4gh.server.frontend.cors:Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:33.056617 2017] [wsgi:error] [pid 3369:tid 139871440754432] None
[Wed Feb 22 18:06:36.080913 2017] [wsgi:error] [pid 3375:tid 139871440754432] INFO:rdflib:RDFLib Version: 4.2.1
[Wed Feb 22 18:06:36.277563 2017] [wsgi:error] [pid 3375:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:36.277604 2017] [wsgi:error] [pid 3375:tid 139871440754432] INFO in extension [/srv/ga4gh/ga4gh-server-env/lib/python2.7/site-packages/flask_cors/extension.py:81]:
[Wed Feb 22 18:06:36.277609 2017] [wsgi:error] [pid 3375:tid 139871440754432] Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:36.277613 2017] [wsgi:error] [pid 3375:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:36.277667 2017] [wsgi:error] [pid 3375:tid 139871440754432] INFO:ga4gh.server.frontend.cors:Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:42.182854 2017] [wsgi:error] [pid 3367:tid 139871440754432] INFO:rdflib:RDFLib Version: 4.2.1
[Wed Feb 22 18:06:42.409327 2017] [wsgi:error] [pid 3367:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:42.409350 2017] [wsgi:error] [pid 3367:tid 139871440754432] INFO in extension [/srv/ga4gh/ga4gh-server-env/lib/python2.7/site-packages/flask_cors/extension.py:81]:
[Wed Feb 22 18:06:42.409354 2017] [wsgi:error] [pid 3367:tid 139871440754432] Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:42.409367 2017] [wsgi:error] [pid 3367:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:42.409409 2017] [wsgi:error] [pid 3367:tid 139871440754432] INFO:ga4gh.server.frontend.cors:Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:42.459639 2017] [wsgi:error] [pid 3367:tid 139871440754432] INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): welliton.auth0.com
[Wed Feb 22 18:06:43.552441 2017] [wsgi:error] [pid 3367:tid 139871440754432] INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): welliton.auth0.com
[Wed Feb 22 18:06:45.827757 2017] [wsgi:error] [pid 3366:tid 139871440754432] INFO:rdflib:RDFLib Version: 4.2.1
[Wed Feb 22 18:06:46.105052 2017] [wsgi:error] [pid 3366:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:46.105077 2017] [wsgi:error] [pid 3366:tid 139871440754432] INFO in extension [/srv/ga4gh/ga4gh-server-env/lib/python2.7/site-packages/flask_cors/extension.py:81]:
[Wed Feb 22 18:06:46.105081 2017] [wsgi:error] [pid 3366:tid 139871440754432] Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:46.105084 2017] [wsgi:error] [pid 3366:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:46.105117 2017] [wsgi:error] [pid 3366:tid 139871440754432] INFO:ga4gh.server.frontend.cors:Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:59.031819 2017] [wsgi:error] [pid 3371:tid 139871440754432] INFO:rdflib:RDFLib Version: 4.2.1
[Wed Feb 22 18:06:59.263452 2017] [wsgi:error] [pid 3371:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:59.263477 2017] [wsgi:error] [pid 3371:tid 139871440754432] INFO in extension [/srv/ga4gh/ga4gh-server-env/lib/python2.7/site-packages/flask_cors/extension.py:81]:
[Wed Feb 22 18:06:59.263481 2017] [wsgi:error] [pid 3371:tid 139871440754432] Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:59.263483 2017] [wsgi:error] [pid 3371:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:06:59.263514 2017] [wsgi:error] [pid 3371:tid 139871440754432] INFO:ga4gh.server.frontend.cors:Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:06:59.338664 2017] [wsgi:error] [pid 3371:tid 139871440754432] eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6IndlbGwzMDlAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJpc3MiOiJodHRwczovL3dlbGxpdG9uLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1OGFiMDYzMTgyYjBjYTA3NzQ2M2VhM2IiLCJhdWQiOiI1RkZMZWpud2hkeERWZHVEUHdONzFnc3FGWTNxbWlDUSIsImV4cCI6MTQ4Nzg1MTYwMywiaWF0IjoxNDg3ODE1NjAzfQ.XBymadpZydRp1-K2bcPYaj5ciNqR6wP8ns2TJnM5rls
[Wed Feb 22 18:07:00.469668 2017] [wsgi:error] [pid 3372:tid 139871440754432] INFO:rdflib:RDFLib Version: 4.2.1
[Wed Feb 22 18:07:00.647614 2017] [wsgi:error] [pid 3372:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:07:00.647635 2017] [wsgi:error] [pid 3372:tid 139871440754432] INFO in extension [/srv/ga4gh/ga4gh-server-env/lib/python2.7/site-packages/flask_cors/extension.py:81]:
[Wed Feb 22 18:07:00.647638 2017] [wsgi:error] [pid 3372:tid 139871440754432] Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:07:00.647641 2017] [wsgi:error] [pid 3372:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:07:00.647669 2017] [wsgi:error] [pid 3372:tid 139871440754432] INFO:ga4gh.server.frontend.cors:Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:07:41.098633 2017] [wsgi:error] [pid 3370:tid 139871440754432] INFO:rdflib:RDFLib Version: 4.2.1
[Wed Feb 22 18:07:41.297001 2017] [wsgi:error] [pid 3370:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:07:41.297025 2017] [wsgi:error] [pid 3370:tid 139871440754432] INFO in extension [/srv/ga4gh/ga4gh-server-env/lib/python2.7/site-packages/flask_cors/extension.py:81]:
[Wed Feb 22 18:07:41.297033 2017] [wsgi:error] [pid 3370:tid 139871440754432] Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}
[Wed Feb 22 18:07:41.297036 2017] [wsgi:error] [pid 3370:tid 139871440754432] --------------------------------------------------------------------------------
[Wed Feb 22 18:07:41.297071 2017] [wsgi:error] [pid 3370:tid 139871440754432] INFO:ga4gh.server.frontend.cors:Configuring CORS with resources: {'/*': {'automatic_options': True, 'allow_headers': [u'Content-Type'], 'send_wildcard': False, 'intercept_exceptions': True, 'origins': ['.*'], 'vary_header': True, 'supports_credentials': False, 'resources': '/*', 'methods': 'DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT'}}

First log from Auth0 (successful login):

{
  "date": "2017-02-23T02:06:41.169Z",
  "type": "s",
  "connection": "GA4GH-DB",
  "connection_id": "con_DqcVqeGQ5HLiz2Z6",
  "client_id": "5FFLejnwhdxDVduDPwN71gsqFY3qmiCQ",
  "client_name": "GA4GH Client Dev",
  "ip": "177.103.16.184",
  "user_agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0",
  "details": {
    "prompts": [
      {
        "name": "authenticate",
        "initiatedAt": 1487815600879,
        "completedAt": 1487815601162,
        "timers": {},
        "performed_acr": [],
        "performed_amr": [],
        "elapsedTime": 283
      }
    ],
    "initiatedAt": 1487815600871,
    "completedAt": 1487815601166,
    "elapsedTime": 295,
    "stats": {
      "loginsCount": 31
    }
  },
  "user_id": "auth0|58ab063182b0ca077463ea3b",
  "user_name": "<authorized_email>",
  "strategy": "auth0",
  "strategy_type": "database",
  "auth0_client": {
    "name": "lock.js",
    "version": "10.0.2",
    "lib_version": "7.0.3"
  }
}

Second log from Auth0 (successful exchange):

{
  "date": "2017-02-23T02:06:43.488Z",
  "type": "seacft",
  "description": "",
  "connection_id": "",
  "client_id": "5FFLejnwhdxDVduDPwN71gsqFY3qmiCQ",
  "client_name": "GA4GH Client Dev",
  "ip": "177.103.16.184",
  "user_agent": "python-requests/2.7.0 CPython/2.7.12 Linux/4.4.0-63-generic",
  "user_id": "",
  "user_name": ""
}

Let me know if there are any other log files that might help.

[david4096]

Thanks that's very helpful!

Given that the exchange with Auth0 is working and I believe some id_token is in the cache, my guess is something is going wrong here. The authorization token is decoded using the client_id and secret in order to authenticate the request. Perhaps it is suggesting the token is not present in the header in the expected way.

The other possibility is here. Do you have the OIDC configured as well? It should leave that function if the OIDCClient is None, which it will be as long as the configuration setting OIDC_PROVIDER isn't set.

[wdesouza]

I didn't set an OIDC_PROVIDER. In Auth0 API configuration I added the "openid" and "email" scopes. Then I authorized the Client to use these two scopes (as showed in the "Creating API" section of the tutorial). My config.py file:

DATA_SOURCE = "/srv/ga4gh/ga4gh-example-data/registry.db"
AUTH0_ENABLED = True
SECRET_KEY = "super_secret"
AUTH0_SCOPES = "openid email"
AUTH0_CALLBACK_URL = "http://192.168.0.8/callback"
AUTH0_HOST = "welliton.auth0.com"
AUTH0_CLIENT_ID = "5FFLejnwhdxDVduDPwN71gsqFY3qmiCQ"
AUTH0_CLIENT_SECRET = "igm8Pz_8T7moT0V_8jBOp_PeFe9rqqKBu9KYD2jfrF1kJBFu1tTAxpl-KzJ1oJEU"
AUTH0_AUTHORIZED_EMAILS = "<authorized_email>"
DEBUG = True

[david4096]

@Welliton309 I just tried this with my credentials, which I include for testing and was able to get it to work.

Then I tried creating a new app and it seems like they have changed the formatting of the keys.

If you'd like to start up a server with these credentials (over some non-protected data!), it would help me to be certain this is the problem. This application was created before their changes and is apparently grandfathered into the old style.

    AUTH0_ENABLED = True
    SECRET_KEY = "super_secret"
    AUTH0_SCOPES = "openid email"
    AUTH0_CALLBACK_URL = "http://localhost:8000/callback"
    AUTH0_HOST = "david4096.auth0.com"
    AUTH0_CLIENT_ID = "7PyT5eQRRdaSxgM4hEYz04wzncNiXpqH"
    AUTH0_CLIENT_SECRET = \
        "2OkzpU7LMYMllXf7cd027WFcbBpb4b_p3iNRaUfsYOQgxiYM_puwRxCddCRy_RtV"
    AUTH0_AUTHORIZED_EMAILS = "davidcs@ucsc.edu,your@email.com"

I believe all new created apps at Auth0 will have the new formatting. Related https://auth0.com/forum/t/client-secret-stored-without-base64-encoding/4338

The fix is quite simple, remove the b64decode of the client secret. I'll issue a PR for this. Such are the woes of supporting a third party service!