Set up Auth0 for customer hosting CipherStash Token Service

Auth0 is one of the options you can use as an identity provider for customer hosting.

Your identity provider is used by CipherStash CTS to authenticate and authorize your engineering team.

Step 1: Create an Auth0 application

Create an Auth0 account or log in to your existing account.

Select Applications from the side menu, then select Create Application. Use the following settings:

  • Name: CipherStash CLI
  • Choose Application Type & Technology: Native

Create auth0 application for CipherStash CLI

Step 1.1: Configure the connection types

Decide how you want your developers to authenticate with CipherStash CLI under the Connections tab. By default this will be set to "Username-Password-Authentication" and/or "Google Social Connection" if you've enabled it for your Auth0 account.

The connections for the newly created CipherStash CLI application defaulting to Google and username and password

Step 1.2: Enable the device code grant

To authenticate from the CLI, follow these steps:

  1. Open the application's Settings tab and scroll to Advanced Settings at the bottom of the page.
  2. Select Grant Types and enable the device code grant.
  3. Click "Save Changes".

The "Grant Types" section of the application "Advanced Settings" with "Device Code", "Authorization Code" and "Refresh Token" enabled

Step 1.3: Set the environment variables

After creating the application, set the following environment variables in the cli-workspace/.envrc file:

  # Auth0 CipherStash CLI application Client ID
  export CS_IDP_CLIENT_ID="<your CipherStash CLI Auth0 application client ID>"

  # Auth0 IDP Host URL
  export CS_IDP_HOST="https://<Auth0 CipherStash CLI application Domain>/"

Step 2: Create an Auth0 API

Select Applications from the side menu, then select APIs. Click the Create API button and use the following settings:

  • Name: CipherStash CTS
  • Identifier: https://cts.<your CTS Route53 zone name>/
    • Example: https://cts.demo-cipherstash.com/

The Create API modal with the API name filled in as "CipherStash CTS", the identifier set to "https://<your CTS domain>/" and the other options left at their defaults

Configuration Note

It's important that the API identifier contains the trailing slash. This is required by CDK and CipherStash CLI configuration.
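As an added check (example code, not part of CipherStash's tooling or this guide), the helper below validates the values destined for cli-workspace/.envrc and the Auth0 API identifier before they are committed: it confirms both URLs use https, that both carry the trailing slash this note requires, and that the client ID is not still a placeholder. The function name, the sample tenant domain and the sample identifier are assumptions for illustration.

```python
import os
from urllib.parse import urlparse

# Hypothetical helper (not CipherStash code): sanity-check the IdP settings
# described in Step 1.3 and the API identifier from Step 2.


def check_idp_settings(client_id: str, host: str, api_identifier: str) -> list[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []

    # The .envrc template ships with an angle-bracket placeholder; catch it.
    if not client_id or client_id.startswith("<"):
        problems.append("CS_IDP_CLIENT_ID is empty or still a placeholder")

    h = urlparse(host)
    if h.scheme != "https" or not h.netloc:
        problems.append("CS_IDP_HOST must be an https:// URL of the Auth0 tenant domain")
    if not host.endswith("/"):
        problems.append("CS_IDP_HOST must end with a trailing slash")

    a = urlparse(api_identifier)
    if a.scheme != "https" or not a.netloc:
        problems.append("API identifier must be an https:// URL")
    if not api_identifier.endswith("/"):
        problems.append("API identifier must end with a trailing slash (required by CDK and the CLI)")

    return problems


def discovery_url(host: str) -> str:
    """OIDC discovery document for the tenant; Auth0 serves it at this well-known path."""
    # With the trailing slash present this is a plain concatenation. Without it the
    # result would be "https://tenant.auth0.com.well-known/...", which is why the
    # slash is part of the contract.
    return host + ".well-known/openid-configuration"


def check_current_environment(api_identifier: str) -> list[str]:
    """Validate the variables exported by cli-workspace/.envrc in the running shell."""
    return check_idp_settings(
        os.environ.get("CS_IDP_CLIENT_ID", ""),
        os.environ.get("CS_IDP_HOST", ""),
        api_identifier,
    )


if __name__ == "__main__":
    # Constructed sample values; replace with your own tenant domain and identifier.
    for problem in check_idp_settings(
        "abc123",
        "https://example-tenant.au.auth0.com",      # missing trailing slash
        "https://cts.demo-cipherstash.com",        # missing trailing slash
    ):
        print("-", problem)
```

Run it with `direnv allow` (or `source cli-workspace/.envrc`) in place and call `check_current_environment("https://cts.<your zone>/")` to test the real values rather than the constructed ones.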

Step 2.1: Enable RBAC and Offline Access

Follow the steps below to enable RBAC for the CipherStash CTS API.

  1. Select RBAC Settings
  2. Toggle on both Enable RBAC and Add Permissions in the Access Token

The Auth0 RBAC settings section with "Enable RBAC" and "Add Permissions in the Access Token" enabled

Step 2.2: Access settings

Follow the steps below to enable offline access for the CipherStash CTS API.

  1. Select Access Settings
  2. Toggle on Allow Offline Access
  3. Click "Save".

The "Access Settings" section showing "Allow Offline Access" turned on and the "Save" button

Step 2.3: Create a permission

Follow the steps below to create a permission for the CipherStash CTS API.

  1. Select Permissions
  2. Click Add Permission
  3. Set the name to cipherstash:admin
  4. Set the description to Admin access to CTS resources
  5. Click Add

The "Add Permission" screen in Auth0 with the details filled to be "cipherstash:admin" and "Admin access to CTS resources"
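Once Steps 2.1 and 2.3 are done, the access tokens Auth0 issues for this API should carry the identifier (trailing slash included) in their aud claim and a permissions array containing cipherstash:admin. The inspector below, added here as an example and not part of CipherStash's tooling, decodes a token's payload and reports which of those two settings is missing. It only parses the claims and does not verify the signature, so it is a configuration check, not an authentication step. The tokens it runs against are constructed, unsigned samples; the audience value and function names are assumptions for illustration.

```python
import base64
import json

# Assumed values for the example; use your own API identifier.
EXPECTED_AUDIENCE = "https://cts.demo-cipherstash.com/"   # API identifier, with trailing slash
REQUIRED_PERMISSION = "cipherstash:admin"


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url without padding, as used in JWT segments."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_access_token(token: str,
                       audience: str = EXPECTED_AUDIENCE,
                       permission: str = REQUIRED_PERMISSION) -> list[str]:
    """Report which Auth0 API settings the token shows as missing."""
    claims = decode_claims(token)
    problems = []

    # Auth0 emits aud as a string or, when the userinfo endpoint is included, a list.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if audience not in aud:
        problems.append(f"aud {aud} does not include the API identifier {audience!r}")

    # "Add Permissions in the Access Token" (Step 2.1) produces this claim.
    if permission not in claims.get("permissions", []):
        problems.append(f"permissions claim lacks {permission!r}: "
                        "check 'Enable RBAC' and 'Add Permissions in the Access Token'")
    return problems


def _make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned token (alg=none) purely for demonstration."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed sample tokens (no real tenant, no real users).
GOOD_TOKEN = _make_sample_token({
    "iss": "https://example-tenant.au.auth0.com/",
    "sub": "auth0|example",
    "aud": [EXPECTED_AUDIENCE, "https://example-tenant.au.auth0.com/userinfo"],
    "permissions": ["cipherstash:admin"],
})
BAD_TOKEN = _make_sample_token({
    "iss": "https://example-tenant.au.auth0.com/",
    "sub": "auth0|example",
    "aud": "https://cts.demo-cipherstash.com",   # identifier created without the slash
    # no permissions claim: RBAC not enabled or permissions not added to the token
})


if __name__ == "__main__":
    for name, tok in (("good", GOOD_TOKEN), ("bad", BAD_TOKEN)):
        print(name, check_access_token(tok) or "ok")
```

To inspect a real token, pass the access token string your CLI obtained through the device code flow to check_access_token; an empty list means both the audience and the permission are present.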

Next steps

Now that you've set up your identity provider, continue setting up your customer hosted infrastructure.