Configure JWT with Auth0
Auth0 is a powerful authentication and authorization service provider that can be integrated with Platformatic DB through JSON Web Tokens (JWT) tokens.
When a user is authenticated, Auth0 creates a JWT token with all necessary security informations and custom claims (like the
X-PLATFORMATIC-ROLE, see User Metadata) and signs the token.
Platformatic DB needs the correct public key to verify the JWT signature.
The fastest way is to leverage JWKS, since Auth0 exposes a JWKS endpoint for each tenant.
Given a Auth0 tenant's
issuer URL, the (public) keys are accessible at
For instance, if
https://dev-xxx.us.auth0.com/, the public keys are accessible at
To configure Platformatic DB authorization to use JWKS with Auth0, set:
Note that specify
allowedDomains is critical to correctly restrict the JWT that MUST be issued from one of the allowed domains.
Custom Claim Namespace
In Auth0 there are restrictions about the custom claim that can be set on access tokens. One of these is that the custom claims MUST be namespaced, i.e. we cannot have
X-PLATFORMATIC-ROLE but we must specify a namespace, e.g.:
To map these claims to user metadata removing the namespace, we can specify the namespace in the JWT options:
With this configuration, the
https://platformatic.dev/X-PLATFORMATIC-ROLE claim is mapped to
X-PLATFORMATIC-ROLE user metadata.