Authentication Plugin Guide
Authentication and authorization are crucial components of your Amplication service.
By following this guide and exploring the examples, you'll be well-equipped to implement authentication and authorization in your Amplication-generated service using the authentication plugin that best suits your needs.
Creating The Authentication Entity (Node.js)
This step is required only for Node.js services. .NET services do not require this step.
If you initially created your Node.js service without authentication, you must first create and define the Authentication Entity:
- Go to your service's Entities page.
- Create an entity, typically named "User", to serve as your Authentication Entity.
- In your service's settings, choose the newly created entity in the "Authentication Entity" option.
For detailed instructions, refer to the Authentication Entity documentation.
Adding Authentication to Your Service
Once you have an Authentication Entity set up, follow these steps to add authentication:
- Node.js
- .NET
- Navigate to your service's Plugins page.
- Go to the "Authentication" category in the left sidebar.
- Ensure you install the "NestJS Auth Module" plugin first.
- Choose and add an Auth Provider plugin that suits your needs (e.g., Auth0, Supertokens, etc.).
- Navigate to your service's Plugins page.
- Go to the "Authentication" category in the left sidebar.
- Choose and add an Auth Provider plugin that suits your needs (e.g., ASP.NET Core Identity).
After adding the required Authentication plugins:
- Configure your authentication settings in the plugin options page.
- Add authenticated users to your system.
- Set up roles and permissions for authorization.
By default, Node.js services are created with a user with the credentials username: admin
and password: admin
. For .NET services, the default user credentials are username: test@email.com
and password: P@ssw0rd!
Available Authentication Plugins
Amplication offers several authentication plugins to choose from. Each plugin has its own configuration options and setup process.
Node.js
- JWT Auth Provider
- Auth0 Auth Provider
- Supertokens Auth Provider
- SAML Auth Provider
- Basic Auth Provider
- KeyCloak Auth Provider
JWT Auth Provider
- Adds JSON Web Token (JWT) authentication and authorization to your service.
- Must be installed with the "NestJS Auth Module" plugin.
- For detailed configuration, visit the JWT Auth Provider GitHub README.
Auth0 Auth Provider
- Integrates Auth0 authentication and authorization into your service.
- Requires an Auth0 account and configuration of an Auth0 application.
- For setup instructions and configuration options, check the Auth0 Auth Provider GitHub README.
Supertokens Auth Provider
- Adds Supertokens authentication to your service.
- Supports various authentication recipes (e.g., email-password, passwordless, third-party).
- Requires setup of the Supertokens core service.
- For detailed configuration and usage, refer to the Supertokens Auth Provider GitHub README.
SAML Auth Provider
- Enables SAML authentication on your service.
- Uses Passport SAML strategy and generates JWT tokens for authorization.
- For usage details, check the SAML Auth Provider GitHub README.
Basic Auth Provider
- Enables a straightforward authentication scheme built into the HTTP protocol.
- Requires sending user's credentials in the form of a username and password, encoded in base64, included in the Authorization header of the request.
If you use the Basic Auth Provider plugin, your service comes with one user with the username admin
and the password admin
by default.
KeyCloak Auth Provider
- Integrates KeyCloak authentication and authorization into your service.
- Provides single sign-on (SSO) capabilities and support for various identity protocols.
- Requires setup of a KeyCloak server and configuration of a KeyCloak realm.
- For detailed setup instructions and configuration options, refer to the KeyCloak Auth Provider GitHub README.
.NET
For .NET services, ASP.NET Core Identity is the primary authentication option.
ASP.NET Core Identity
If you're using a .NET service, refer to the .NET Auth Core Identity plugin documentation for setup and usage instructions.
Authentication Plugin Configuration Settings
You can customize your authentication settings, including the default username and password, in the authentication plugin's options page.
Let's look at detailed configuration settings for some of the available authentication plugins:
ASP.NET Core Identity (.NET)
This plugin adds authentication and authorization to your .NET services.
Configuration
{
"seedUserEmail":"test@email.com",
"seedUserPassword":"P@ssw0rd!"
}
seedUserEmail
: The email address for the default seed user created when initializing the service (default: "test@email.com")seedUserPassword
: The password for the default seed user created when initializing the service (default: "P@ssw0rd!")
JWT Auth Provider (Node.js)
The JWT Auth Provider adds JSON Web Token (JWT) authentication and authorization to your service.
Configuration
{
"settings": {
"tokenExpiresIn": 3600,
"refreshTokenExpiresIn": 604800,
"grantType": "PASSWORD",
"jwtSecretKey": "Change_ME!!!"
}
}
tokenExpiresIn
: Expiration time of the access token in seconds (default: 3600)refreshTokenExpiresIn
: Expiration time of the refresh token in seconds (default: 604800)grantType
: The grant type for token generation (default: "PASSWORD")jwtSecretKey
: Secret key for JWT signing (default: "Change_ME!!!")
For detailed configuration, visit the JWT Auth Provider GitHub README.
Auth0 Auth Provider (Node.js)
The Auth0 Auth Provider integrates Auth0 authentication and authorization into your service.
Configuration
{
"settings": {
"useManagementApi": true,
"managementParams": {
"identifier": "https://{TENANT_NAME}.{REGION}.auth0.com/api/v2/",
"accessToken": "{ACCESS_TOKEN}",
"actionName": "Add user details to access token",
"clientName": "Custom SPA",
"apiName": "Custom API",
"audience": "http://example.com"
}
}
}
useManagementApi
: Set totrue
to use the Auth0 Management APImanagementParams
: Configuration for the Management APIidentifier
: The identifier of the Auth0 Management APIaccessToken
: The access token of the Auth0 Management APIactionName
: The name of the action to create in Auth0clientName
: The name of the client to create in Auth0apiName
: The name of the API to create in Auth0audience
: The audience/identifier of the API
For setup instructions and configuration options, check the Auth0 Auth Provider GitHub README.
Supertokens Auth Provider (Node.js)
The Supertokens Auth Provider adds Supertokens authentication to your service, supporting various authentication recipes.
Configuration
{
"settings": {
"apiDomain": "http://localhost:3000",
"appName": "Amplication App",
"websiteDomain": "http://localhost:3001",
"websiteBasePath": "/auth",
"apiBasePath": "/api/auth",
"connectionUri": "https://try.supertokens.com",
"apiGatewayPath": "",
"apiKey": "",
"supertokensIdFieldName": "supertokensId",
"recipe": {
"name": "email-password"
}
}
}
apiDomain
: The API domain for SupertokensappName
: The name of your applicationwebsiteDomain
: The website domain for SupertokenswebsiteBasePath
: The base path for authentication on the websiteapiBasePath
: The base path for authentication API endpointsconnectionUri
: The URI for connecting to the Supertokens coresupertokensIdFieldName
: The field name to store the Supertokens user IDrecipe
: The authentication recipe to use (e.g., "emailpassword", "passwordless", "thirdparty")
For detailed configuration and usage, refer to the Supertokens Auth Provider GitHub README.
Keycloak Auth Provider (Node.js)
The Keycloak Auth Provider integrates Keycloak authentication and authorization into your service.
Configuration
{
"settings": {
"port": 8080,
"realmID": "amplication-sample-realm",
"clientID": "amplication-server",
"realmName": "Amplication Sample Realm",
"clientName": "Amplication Server",
"clientDescription": "Sample client for Amplication Server",
"adminUsername": "admin",
"adminPassword": "admin",
"recipe": {
"emailFieldName": "email",
"verifyEmail": false,
"registrationAllowed": true,
"payLoadMapping": {
"username": "name",
"name": "name"
}
}
}
}
port
: The port on which to run the Keycloak serverrealmID
: The ID of the Keycloak realm to useclientID
: The ID of the Keycloak client to userealmName
: The name of the Keycloak realmclientName
: The name of the Keycloak clientadminUsername
: The username for the Keycloak admin useradminPassword
: The password for the Keycloak admin userrecipe
: Configuration for the authentication recipe
For detailed setup instructions and configuration options, refer to the Keycloak Auth Provider GitHub README.
Basic Auth Provider (Node.js)
{
"username":"admin",
"password":"admin"
}
username
: The username for the default seed user created when initializing the service.seedUserPassword
: The password for the default seed user created when initializing the service.
Disable Authentication On Your Service
If you no longer need authentication on a specific service, you can disable it.
- Visit your service's Plugins page and toggle the Authentication-related plugins into the off state.
- Delete the Authentication Entity from your list of entities.
- Re-build your project and commit your changes to your preferred git provider.
Examples
This section provides you with in-depth examples on how to use and interact with some of the available authentication plugins.
JWT Authentication (Node.js)
When generating an app with JWT authentication, the process includes the following two steps:
- Send a login request to the server with username and password to get back from the server the JWT token.
- Add an authentication header with the JWT token to every consecutive request.
Following are examples of how to log in with REST API and GraphQL API.
Rest API
curl -X 'POST' \
'https://[server-url]/api/login' \
-H 'accept: */*' \
-H 'Content-Type: application/json' \
-d '{
"username": "admin",
"password": "admin"
}'
GraphQL API
mutation {
login(credentials: { username: "admin", password: "admin" }) {
accessToken
}
}
Header with JWT Included
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjoieW91IGFyZSBzb29vb28gY29vbCB0aGF0IHlvdSBjaGVjayB0aGF0ISIsIm5hbWUiOiJPZmVrIGdhYmF5IDspIiwiaWF0IjoxNTE2MjM5MDIyfQ.vaYJaP9SUlOU0u4NfFCRm5tmBVDKeCwvN6ByCkqJt8U
Basic Authentication (Node.js)
When using Basic HTTP authentication and sending a request to the API you must provide a Basic HTTP authentication header with the format:
Authorization: 'type' 'credentials'
where type is Basic and credentials is the Base64 encoding of a string "username:password".
Authorization: Basic YWRtaW46YWRtaW4=
You can use a tool to create the header. There are several generators available, such as https://www.blitter.se/utils/basic-authentication-header-generator/