Curity Identity Server (OpenID Connect)
To secure access to ngrok with Curity Identity Server using OpenID Connect:
This article details how to configure Curity as the primary Identity Provider for ngrok tunnels. By integrating Curity Identity Server with ngrok, you can:
- Restrict access to ngrok tunnels to only users who authenticated via Curity
- Use Curity security policies, MFA authenticators — including BankId, SITHS, and WebAuthn — to control access to ngrok tunnels.
- Use Curity's Dashboard to facilitate access to ngrok apps.
Requirements
To configure ngrok tunnels with Curity, you must have:
- an Curity account with administrative rights to create clients
- an ngrok Enterprise Account with an authtoken or admin access to configure edges with OpenID Connect.
Configuration Steps
To integrate ngrok with Curity Identity Server, you will need to:
- Configure Curity with the ngrok app
- Configure ngrok with the SSO settings provided by Curity
Step 1: Congfigure Curity Authentication
The Curity Identity Server provides an authenticator called html-form
that is suitable for setting up a login with username and password. It uses a Credential Manager to verify the credentials, which in turn uses a data-source. There any many options for stronger authentication than username and password. A list of possible authentication methods is available here.
Add Authentication
Add an Authenticator
- Navigate to Profiles > Authentication Service > Authenticators.
- Click New Authenticator on the authenticator page and give it a name.
- Select the
HTML-Form
Authenticator type in the grid of authenticators and click Next. - Under HTML Form Settings, select the
default-account-manager
as account manager anddefault-credential-manager
as credential manager.
Commit the changes
Commit the changes via the Changes menu.
Step 2: Configure Curity for OIDC
Add an openid client in Curity
Add New Client
- Navigate to Profiles > Token Service > Clients and click + New Client.
- Give the client an ID (eg.
www
for a website client) and click Create.
Add Capabilities
Scroll down to the Capabilities section and click Add capabilities.
Select the Code Flow capability and click Next.
Enter
http://localhost/callback
as a Redirect URI and click Add.Click Next.
On the Client Authentication screen, select secret.
Click Generate to generate a new secret.
- Copy the secret since it cannot be retrieved later again (but can be reset).
On the User Authentication screen, select the
HTML-form
authenticator created in Step 1.Click Done.
Scroll down on the newly created client page to Scopes and Claims.
Select
openid
from the list of scopes in the dropdown menu.
Expose the metadata url
ngrok makes a call to the
/.well-known/openid-configuration
endpoint at Curity to pull configuation data specific to your Authorization Server.- Navigate to Profiles > Token Service > General page.
- Scroll down to the OpenID Connect section and enable the
Expose Metadata
toggle.
Commit the changes
Commit the changes via the Changes menu.
Step 3: Configure ngrok
ngrok can leverage Curity Identity Server in two ways:
- From the ngrok CLI (using the
--oidc
parameter) - From the ngrok dashboard
Option 1: ngrok CLI
Note: For this tutorial, we assume you have an app running locally (i.e., on localhost:3000) with the ngrok client installed.
Launch a terminal
Enter the following command to launch an ngrok tunnel with Curity Identity Server. Replace
<curity_url>
with your Curity issuer address (i.e., https://acme.com/oauth/v2/oauth-anonymous) and the<curity_client_id>
and<curity_client_secret>
with the respective values copied from the ngrok app registered at Curity:ngrok http 3000 --oidc=<curity_url> \
--oidc-client-id=<curity_client_id> \
--oidc-client-secret=<curity_client_secret> \
--domain=curity-sso-test.ngrok.devSkip to Step 4: Test the integration
Option 2: ngrok Edge
To configure an edge with Curity:
Go to dashboard.ngrok.com.
Click Cloud Edge > Edges
If you don't have an edge already set to add Curity Identity Server, create a test edge:
- Click New Edge
- Click HTTPS Edge
- Click the pencil icon next to "no description". Enter Edge with Curity Identity Server as the edge name and click Save.
On the edge settings, click OIDC.
Click Begin setup and enter the following:
- Issuer URL: Your Curity issuer url (i.e. https://acme.com/oauth/v2/oauth-anonymous).
- Client ID: The name of the client from Curity
- Client Secret: The client secret copied from Curity
Click Save.
Launch a tunnel connected to your Curity edge:
NoteFor this step, we assume you have an app running locally (i.e. on localhost:3000) with the ngrok client installed.
Click Start a tunnel.
Click the copy icon next to the tunnel command.
Launch a tunnel:
- Launch a terminal
- Paste the command. Replace http://localhost:80 with your local web app addess (i.e., http://localhost:3000)
- hit Enter. an ngrok tunnel associated to your edge configuration is launched.
To confirm that the tunnel is connected to your edge:
- Return to the ngrok dashboard
- Close the Start a tunnel and the Tunnel group tabs
- Refresh the test edge page. Under traffic, You will see the message You have 1 tunnel online. Start additional tunnels to begin load balancing
In the test edge, copy the endpoint URL. (you will use this url to test the Curity Authentication)
Step 4: Test the integration
- In your browser, launch an incognito window.
- Access your ngrok tunnel (i.e., https://curity-sso-test.ngrok.io or using a copied URL).
- You should be prompted to log in with your Curity credentials.
- After login, you should be able to see your web app.