Authentication Plugin Guide
Authentication and authorization are crucial components of your Amplication service. This guide will help you implement secure user authentication using Amplication's authentication plugins.
Enable Authentication
Make sure you have an Authentication Entity set up. Next, follow these steps to add authentication:
- Node.js
- .NET
- Navigate to your service's Plugins page.
- Go to the "Authentication" category in the left sidebar.
- Ensure you install the "NestJS Auth Module" plugin first.
- Choose and add an Auth Provider plugin that suits your needs (e.g., Auth0, Supertokens, etc.).
By default, Node.js services are created with a user with the credentials username: admin and password: admin.
- Navigate to your service's Plugins page.
- Go to the "Authentication" category in the left sidebar.
- Choose and add an Auth Provider plugin that suits your needs (e.g., ASP.NET Core Identity).
For .NET services, the default user credentials are username: test@email.com and password: P@ssw0rd!
After adding the required Authentication plugins, configure your authentication settings in the plugin options page.
Disable Authentication
If you no longer need authentication on a specific service, you can disable it.
- Visit your service's Plugins page and toggle the Authentication-related plugins into the off state.
- Delete the Authentication Entity from your list of entities.
- Re-build your project and commit your changes to your preferred git provider.
Authentication Providers
Amplication supports multiple authentication providers to suit different needs:
- JWT Auth Provider
- Auth0 Auth Provider
- Supertokens Auth Provider
- SAML Auth Provider
- Basic Auth Provider
- KeyCloak Auth Provider
- ASP.NET Core Identity
JWT Auth Provider
- Adds JSON Web Token (JWT) authentication and authorization to your service.
- Must be installed with the "NestJS Auth Module" plugin.
- For detailed configuration, visit the JWT Auth Provider GitHub README.
Auth0 Auth Provider
- Integrates Auth0 authentication and authorization into your service.
- Requires an Auth0 account and configuration of an Auth0 application.
- For setup instructions and configuration options, check the Auth0 Auth Provider GitHub README.
Supertokens Auth Provider
- Adds Supertokens authentication to your service.
- Supports various authentication recipes (e.g., email-password, passwordless, third-party).
- Requires setup of the Supertokens core service.
- For detailed configuration and usage, refer to the Supertokens Auth Provider GitHub README.
SAML Auth Provider
- Enables SAML authentication on your service.
- Uses Passport SAML strategy and generates JWT tokens for authorization.
- For usage details, check the SAML Auth Provider GitHub README.
Basic Auth Provider
- Enables a straightforward authentication scheme built into the HTTP protocol.
- Requires sending user's credentials in the form of a username and password, encoded in base64, included in the Authorization header of the request.
If you use the Basic Auth Provider plugin, your service comes with one user with the username admin and the password admin by default.
KeyCloak Auth Provider
- Integrates KeyCloak authentication and authorization into your service.
- Provides single sign-on (SSO) capabilities and support for various identity protocols.
- Requires setup of a KeyCloak server and configuration of a KeyCloak realm.
- For detailed setup instructions and configuration options, refer to the KeyCloak Auth Provider GitHub README.
ASP.NET Core Identity
If you're using a .NET service, refer to the .NET Auth Core Identity plugin documentation for setup and usage instructions.
Plugin Configuration Settings
You can customize your authentication settings, including the default username and password, in the authentication plugin's options page.
Let's look at detailed configuration settings for some of the available authentication plugins:
ASP.NET Core Identity
This plugin adds authentication and authorization to your .NET services.
Configuration
{
"seedUserEmail":"test@email.com",
"seedUserPassword":"P@ssw0rd!"
}
seedUserEmail: The email address for the default seed user created when initializing the service (default: "test@email.com")seedUserPassword: The password for the default seed user created when initializing the service (default: "P@ssw0rd!")
JWT Auth Provider
The JWT Auth Provider adds JSON Web Token (JWT) authentication and authorization to your service.
Configuration
{
"settings": {
"tokenExpiresIn": 3600,
"refreshTokenExpiresIn": 604800,
"grantType": "PASSWORD",
"jwtSecretKey": "Change_ME!!!"
}
}
tokenExpiresIn: Expiration time of the access token in seconds (default: 3600)refreshTokenExpiresIn: Expiration time of the refresh token in seconds (default: 604800)grantType: The grant type for token generation (default: "PASSWORD")jwtSecretKey: Secret key for JWT signing (default: "Change_ME!!!")
For detailed configuration, visit the JWT Auth Provider GitHub README.
Auth0 Auth Provider
The Auth0 Auth Provider integrates Auth0 authentication and authorization into your service.
Configuration
{
"settings": {
"useManagementApi": true,
"managementParams": {
"identifier": "https://{TENANT_NAME}.{REGION}.auth0.com/api/v2/",
"accessToken": "{ACCESS_TOKEN}",
"actionName": "Add user details to access token",
"clientName": "Custom SPA",
"apiName": "Custom API",
"audience": "http://example.com"
}
}
}
useManagementApi: Set totrueto use the Auth0 Management APImanagementParams: Configuration for the Management APIidentifier: The identifier of the Auth0 Management APIaccessToken: The access token of the Auth0 Management APIactionName: The name of the action to create in Auth0clientName: The name of the client to create in Auth0apiName: The name of the API to create in Auth0audience: The audience/identifier of the API
For setup instructions and configuration options, check the Auth0 Auth Provider GitHub README.
Supertokens Auth Provider
The Supertokens Auth Provider adds Supertokens authentication to your service, supporting various authentication recipes.
Configuration
{
"settings": {
"apiDomain": "http://localhost:3000",
"appName": "Amplication App",
"websiteDomain": "http://localhost:3001",
"websiteBasePath": "/auth",
"apiBasePath": "/api/auth",
"connectionUri": "https://try.supertokens.com",
"apiGatewayPath": "",
"apiKey": "",
"supertokensIdFieldName": "supertokensId",
"recipe": {
"name": "email-password"
}
}
}
apiDomain: The API domain for SupertokensappName: The name of your applicationwebsiteDomain: The website domain for SupertokenswebsiteBasePath: The base path for authentication on the websiteapiBasePath: The base path for authentication API endpointsconnectionUri: The URI for connecting to the Supertokens coresupertokensIdFieldName: The field name to store the Supertokens user IDrecipe: The authentication recipe to use (e.g., "emailpassword", "passwordless", "thirdparty")
For detailed configuration and usage, refer to the Supertokens Auth Provider GitHub README.
Keycloak Auth Provider
The Keycloak Auth Provider integrates Keycloak authentication and authorization into your service.
Configuration
{
"settings": {
"port": 8080,
"realmID": "amplication-sample-realm",
"clientID": "amplication-server",
"realmName": "Amplication Sample Realm",
"clientName": "Amplication Server",
"clientDescription": "Sample client for Amplication Server",
"adminUsername": "admin",
"adminPassword": "admin",
"recipe": {
"emailFieldName": "email",
"verifyEmail": false,
"registrationAllowed": true,
"payLoadMapping": {
"username": "name",
"name": "name"
}
}
}
}
port: The port on which to run the Keycloak serverrealmID: The ID of the Keycloak realm to useclientID: The ID of the Keycloak client to userealmName: The name of the Keycloak realmclientName: The name of the Keycloak clientadminUsername: The username for the Keycloak admin useradminPassword: The password for the Keycloak admin userrecipe: Configuration for the authentication recipe
For detailed setup instructions and configuration options, refer to the Keycloak Auth Provider GitHub README.
Basic Auth Provider
{
"username":"admin",
"password":"admin"
}
username: The username for the default seed user created when initializing the service.seedUserPassword: The password for the default seed user created when initializing the service.
Examples
This section provides you with in-depth examples on how to use and interact with some of the available authentication plugins.
JWT Authentication
When generating an app with JWT authentication, the process includes the following two steps:
- Send a login request to the server with username and password to get back from the server the JWT token.
- Add an authentication header with the JWT token to every consecutive request.
Following are examples of how to log in with REST API and GraphQL API.
Rest API
curl -X 'POST' \
'https://[server-url]/api/login' \
-H 'accept: */*' \
-H 'Content-Type: application/json' \
-d '{
"username": "admin",
"password": "admin"
}'
GraphQL API
mutation {
login(credentials: { username: "admin", password: "admin" }) {
accessToken
}
}
Header with JWT Included
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjoieW91IGFyZSBzb29vb28gY29vbCB0aGF0IHlvdSBjaGVjayB0aGF0ISIsIm5hbWUiOiJPZmVrIGdhYmF5IDspIiwiaWF0IjoxNTE2MjM5MDIyfQ.vaYJaP9SUlOU0u4NfFCRm5tmBVDKeCwvN6ByCkqJt8U
Basic Authentication
When using Basic HTTP authentication and sending a request to the API you must provide a Basic HTTP authentication header with the format:
Authorization: 'type' 'credentials'
where type is Basic and credentials is the Base64 encoding of a string "username:password".
Authorization: Basic YWRtaW46YWRtaW4=
You can use a tool to create the header. There are several generators available, such as https://www.blitter.se/utils/basic-authentication-header-generator/
Next Steps
After you've successfully added authentication to your service, you can do the following:
- Add authenticated users to your system.
- Set up roles and permissions for authorization.