This repository has been archived by the owner on Mar 22, 2021. It is now read-only.

Configuration issues #235

Open
lostie opened this issue Dec 14, 2018 · 0 comments


lostie commented Dec 14, 2018

Hi, I've been trying to configure a Rails API 5.2 app with Knock (using Auth0) following the instructions, and I got to a point where I was just getting a:

Filter chain halted as :authenticate_user rendered or redirected

Unfortunately there's no logging associated with any of the gems involved in this process, so I had to dig in and try to investigate what exactly was happening. After some investigation I found the actual error was:

    46: self.class.send(:define_method, getter_name) do
    47:   unless instance_variable_defined?(memoization_var_name)
    48:     current =
    49:       begin
    50:         Knock::AuthToken.new(token: token).entity_for(entity_class)
    51:       rescue
 => 52:         binding.pry
    53:         nil
    54:       end
[5] pry(#<SecuredController>)> $!
=> #<JWT::InvalidAudError: Invalid audience>

After more digging into why I was getting this error, I found that the configuration for Auth0 suggests setting the following in config/initializers/knock.rb:

  # If using Auth0, uncomment the line below
  config.token_audience = -> { Rails.application.credentials.auth0_client_id }

where auth0_client_id is the client_id associated with the client secret.

The sample SPA I've downloaded from the Auth0 tutorials (which has a /private link that performs an authenticated call to the API) has a different configuration for the audience:

    auth0 = new auth0.WebAuth({
      domain: AUTH_CONFIG.domain,
      clientID: AUTH_CONFIG.clientId,
      redirectUri: AUTH_CONFIG.callbackUrl,
      audience: AUTH_CONFIG.apiUrl, // <<<<<<<<<<<<
      responseType: 'token id_token',
      scope: this.requestedScopes
    });

So when I was making that /private authenticated call from the SPA to the Rails API I was getting the following payload in the token:

=> {"iss"=>"https://<MY_DOMAIN>.eu.auth0.com/",
 "sub"=>"auth0|<USER_ID>",
 "aud"=>["http://localhost:3000/api", "https://<MY_DOMAIN>.eu.auth0.com/userinfo"],
 "iat"=>1544819740,
 "exp"=>1544826940,
 "azp"=>"<AUTH_CLIENT_ID>",
 "scope"=>"openid profile read:messages write:messages"}

    From: /<HOME>/.rbenv/versions/2.5.3/lib/ruby/gems/2.5.0/gems/jwt-1.5.6/lib/jwt.rb @ line 125 JWT.decode:

but the server settings had the following:

[9] pry(JWT)> merged_options
=> {:verify_expiration=>true,
 :verify_not_before=>true,
 :verify_iss=>false,
 :verify_iat=>false,
 :verify_jti=>false,
 :verify_aud=>true,
 :verify_sub=>false,
 :leeway=>0,
 :aud=>"<AUTH_CLIENT_ID>",
 :algorithm=>"RS256"}

So the aud configured in the server didn't match any of the audiences contained in the payload's aud, causing the verification to fail and consequently the authentication as well.

Any thoughts on this? Am I missing something here?

After having the audiences matching, I now have the following error happening:

    46: self.class.send(:define_method, getter_name) do
    47:   unless instance_variable_defined?(memoization_var_name)
    48:     current =
    49:       begin
    50:         Knock::AuthToken.new(token: token).entity_for(entity_class)
    51:       rescue
    52:         binding.pry
 => 53:         nil
    54:       end
[1] pry(#<SecuredController>)> $!
=> #<ActiveRecord::RecordNotFound: Couldn't find User with 'id'=auth0|<USER_ID>>

Is this expected? Is the user expected to already exist in my database, using the Auth0 one as its id? I was expecting this process to be the one to create the user itself.
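The two failures in the report (aud mismatch, then RecordNotFound on the sub claim) reproduced end to end, as an added example that is not Knock's, Auth0's or the reporter's code. It mints an RS256 token with the same claim shape as the payload above using a throwaway key, applies the same audience rule the jwt gem enforces under verify_aud (the configured aud must be present in the token's aud, string or array), and then contrasts a primary-key lookup on sub with a lookup keyed on the Auth0 subject that provisions the user on first sight. TENANT, API_IDENTIFIER, CLIENT_ID, the user hash and every claim value are constructed placeholders; the remark about Knock's from_token_payload hook is from memory of its README, not from this page.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not Knock's or Auth0's code. A throwaway RSA key stands in
# for the tenant's signing key; every value below is a constructed placeholder.
TENANT = 'https://example.eu.auth0.com/'.freeze
API_IDENTIFIER = 'http://localhost:3000/api'.freeze # the SPA's `audience:` value
CLIENT_ID = 'client-id-placeholder'.freeze          # what knock.rb was told to expect
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)

class InvalidAudError < StandardError; end
class InvalidSignatureError < StandardError; end
class RecordNotFound < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Mint an RS256 access token shaped like the payload in the issue: the SPA
# asked for API_IDENTIFIER as audience and Auth0 appended its /userinfo audience.
def mint_token(key = SIGNING_KEY, now = Time.now.to_i)
  header  = { alg: 'RS256', typ: 'JWT' }
  payload = {
    iss: TENANT,
    sub: 'auth0|user-placeholder',
    aud: [API_IDENTIFIER, "#{TENANT}userinfo"],
    iat: now,
    exp: now + 7200,
    azp: CLIENT_ID,
    scope: 'openid profile read:messages write:messages'
  }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest::SHA256.new, signing_input))}"
end

# Verify signature and expiry first, then the audience rule: the configured
# audience must appear in the token's aud claim, which may be a string or an array.
def decode_and_verify(token, public_key, expected_aud, now = Time.now.to_i)
  h, p, s = token.split('.')
  valid = public_key.verify(OpenSSL::Digest::SHA256.new, Base64.urlsafe_decode64(s), "#{h}.#{p}")
  raise InvalidSignatureError, 'bad signature' unless valid
  payload = JSON.parse(Base64.urlsafe_decode64(p))
  raise 'token expired' if payload['exp'] <= now
  raise InvalidAudError, 'Invalid audience' unless Array(payload['aud']).include?(expected_aud)
  payload
end

# :ok or :invalid_audience for a given server-side audience setting.
def audience_outcome(token, expected_aud, public_key = SIGNING_KEY.public_key)
  decode_and_verify(token, public_key, expected_aud)
  :ok
rescue InvalidAudError
  :invalid_audience
end

# Constructed in-memory stand-in for a users table with integer primary keys.
USERS_BY_ID = { 1 => { id: 1, auth0_sub: 'auth0|someone-else' } }

# The lookup behind the issue's second error: sub is treated as the primary
# key, so an "auth0|..." subject is never found.
def entity_for_by_id(payload)
  USERS_BY_ID[payload['sub']] or
    raise RecordNotFound, "Couldn't find User with 'id'=#{payload['sub']}"
end

# What the reporter expected instead: key on the Auth0 subject and provision
# the user on first sight. In Knock this logic would live in the
# from_token_payload class-method hook (assumption from its README, not this page).
def entity_for_by_sub(payload)
  existing = USERS_BY_ID.values.find { |u| u[:auth0_sub] == payload['sub'] }
  return existing if existing
  user = { id: USERS_BY_ID.size + 1, auth0_sub: payload['sub'] }
  USERS_BY_ID[user[:id]] = user
end

if __FILE__ == $PROGRAM_NAME
  token = mint_token
  puts "server aud=#{CLIENT_ID.inspect}: #{audience_outcome(token, CLIENT_ID)}"
  puts "server aud=#{API_IDENTIFIER.inspect}: #{audience_outcome(token, API_IDENTIFIER)}"
  payload = decode_and_verify(token, SIGNING_KEY.public_key, API_IDENTIFIER)
  begin
    entity_for_by_id(payload)
  rescue RecordNotFound => e
    puts e.message
  end
  puts "provisioned: #{entity_for_by_sub(payload).inspect}"
end
```

Setting config.token_audience to the API identifier the SPA requests (rather than the client_id, which only shows up in azp) is what makes the first check pass; the second check only passes once the User lookup is keyed on the subject claim rather than the primary key.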
