Curity Identity Server (OpenID Connect)
To secure access to ngrok with Curity Identity Server using OpenID Connect:
This article details how to configure Curity as the primary Identity Provider for ngrok tunnels. By integrating Curity Identity Server with ngrok, you can:
- Restrict access to ngrok tunnels to only users who authenticated via Curity
- Use Curity security policies, MFA authenticators — including BankId, SITHS, and WebAuthn — to control access to ngrok tunnels.
- Use Curity's Dashboard to facilitate access to ngrok apps.
Requirements
To configure ngrok tunnels with Curity, you must have:
- an Curity account with administrative rights to create clients
- an ngrok Enterprise Account with an authtoken or admin access to configure edges with OpenID Connect.
Configuration Steps
To integrate ngrok with Curity Identity Server, you will need to:
- Configure Curity with the ngrok app
- Configure ngrok with the SSO settings provided by Curity
Step 1: Configure Curity Authentication
The Curity Identity Server provides an authenticator called html-form
that is suitable for setting up a login with username and password. It uses a Credential Manager to verify the credentials, which in turn uses a data-source. There any many options for stronger authentication than username and password. A list of possible authentication methods is available here.
Add Authentication
-
Add an Authenticator
- Navigate to Profiles > Authentication Service > Authenticators.
- Click New Authenticator on the authenticator page and give it a name.
- Select the
HTML-Form
Authenticator type in the grid of authenticators and click Next. - Under HTML Form Settings, select the
default-account-manager
as account manager anddefault-credential-manager
as credential manager.
-
Commit the changes
-
Commit the changes via the Changes menu.
-
Step 2: Configure Curity for OIDC
Add an openid client in Curity
-
Add New Client
- Navigate to Profiles > Token Service > Clients and click + New Client.
- Give the client an ID (eg.
www
for a website client) and click Create.
-
Add Capabilities
-
Scroll down to the Capabilities section and click Add capabilities.
-
Select the Code Flow capability and click Next.
-
Enter
http://localhost/callback
as a Redirect URI and click Add. -
Click Next.
-
On the Client Authentication screen, select secret.
-
Click Generate to generate a new secret.
- Copy the secret since it cannot be retrieved later again (but can be reset).
-
On the User Authentication screen, select the
HTML-form
authenticator created in Step 1. -
Click Done.
-
Scroll down on the newly created client page to Scopes and Claims.
-
Select
openid
from the list of scopes in the dropdown menu.
-
-
Expose the metadata url
ngrok makes a call to the
/.well-known/openid-configuration
endpoint at Curity to pull configuration data specific to your Authorization Server.- Navigate to Profiles > Token Service > General page.
- Scroll down to the OpenID Connect section and enable the
Expose Metadata
toggle.
-
Commit the changes
-
Commit the changes via the Changes menu.
-
Step 3: Configure ngrok
ngrok can leverage Curity Identity Server in two ways:
- From the ngrok CLI (using the
--oidc
parameter) - From the ngrok dashboard
Option 1: ngrok CLI
Note: For this tutorial, we assume you have an app running locally (i.e., on localhost:3000) with the ngrok client installed.
-
Launch a terminal
-
Enter the following command to launch an ngrok tunnel with Curity Identity Server. Replace
<curity_url>
with your Curity issuer address (i.e., https://acme.com/oauth/v2/oauth-anonymous) and the<curity_client_id>
and<curity_client_secret>
with the respective values copied from the ngrok app registered at Curity:ngrok http 3000 --oidc=<curity_url> \
--oidc-client-id=<curity_client_id> \
--oidc-client-secret=<curity_client_secret> \
--domain=curity-sso-test.ngrok.dev -
Skip to Step 4: Test the integration
Option 2: ngrok Edge
To configure an edge with Curity:
-
Go to dashboard.ngrok.com.
-
Click Cloud Edge > Edges
-
If you don't have an edge already set to add Curity Identity Server, create a test edge:
- Click New Edge
- Click HTTPS Edge
- Click the pencil icon next to "no description". Enter Edge with Curity Identity Server as the edge name and click Save.
-
On the edge settings, click OIDC.
-
Click Begin setup and enter the following:
- Issuer URL: Your Curity issuer url (i.e. https://acme.com/oauth/v2/oauth-anonymous).
- Client ID: The name of the client from Curity
- Client Secret: The client secret copied from Curity
-
Click Save.
-
Launch a tunnel connected to your Curity edge:
For this step, we assume you have an app running locally (i.e. on localhost:3000) with the ngrok client installed.
-
Click Start a tunnel.
-
Click the copy icon next to the tunnel command.
-
Launch a tunnel:
- Launch a terminal
- Paste the command. Replace http://localhost:80 with your local web app address (i.e., http://localhost:3000)
- hit Enter. an ngrok tunnel associated to your edge configuration is launched.
-
To confirm that the tunnel is connected to your edge:
- Return to the ngrok dashboard
- Close the Start a tunnel and the Tunnel group tabs
- Refresh the test edge page. Under traffic, You will see the message You have 1 tunnel online. Start additional tunnels to begin load balancing
-
In the test edge, copy the endpoint URL. (you will use this url to test the Curity Authentication)
Step 4: Test the integration
- In your browser, launch an incognito window.
- Access your ngrok tunnel (i.e., https://curity-sso-test.ngrok.io or using a copied URL).
- You should be prompted to log in with your Curity credentials.
- After login, you should be able to see your web app.