How to configure Vivaria to authenticate users with Auth0
Context
Vivaria has two modes for authenticating users:
- Vivaria uses Auth0 to authenticate users
- Vivaria expects users to authenticate by providing the values of
ACCESS_TOKEN
andID_TOKEN
in Vivaria's config
This how-to covers how to set up Vivaria to support the first mode.
Auth0 setup
API
Vivaria requires you to set up an Auth0 API.
The API must use RS256 as the signing algorithm.
You may wish to set "Maximum Access Token Lifetime" to a longer duration than the default of 86,400 seconds (24 hours). Users need to log back into Vivaria when their access token expires.
Permissions
You may add the following permissions to the API:
data-labeler
: Users with this permission can only access certain runs and can't use many Vivaria features. METR uses this permission for contractors.researcher-database-access
: Users with this permission can run arbitrary read-only queries using the runs page query UI.machine
: This permission is used to distinguish requests from machine users (see here).
If you have VIVARIA_MIDDLEMAN_TYPE
set to remote
, you may wish to create other permissions and have your remote Middleman instance check permissions to decide which models a user can access.
Single Page Application
Vivaria also requires you to set up an Auth0 Single Page Application.
You must add the URL of your Vivaria instance to the "Allowed Callback URLs", "Allowed Logout URLs", and "Allowed Web Origins" fields.
You may wish to set "ID Token Expiration" to a longer duration than the default of 86,400 seconds (24 hours). Users need to log back into Vivaria when their ID token expires.
To allow users to authenticate, you should enable one or more connections in the "Connections" tab.
Machine to Machine applications
At METR, we've found it useful to allow GitHub Actions runners to authenticate with Vivaria. We do this using one Auth0 Machine to Machine application.
Vivaria expects this application to create access tokens with a machine
permission. You can configure this in the Machine to Machine application's "Credentials" tab.
If you configure Auth0 to issue access tokens with the machine
permission, Vivaria expects you to create a second Machine to Machine application that doesn't have the machine
permission. Then, you must set VIVARIA_AUTH0_CLIENT_ID_FOR_AGENT_APPLICATION
and VIVARIA_AUTH0_CLIENT_SECRET_FOR_AGENT_APPLICATION
. Vivaria will use these config variables to generate access tokens for agents created by machine users (see Auth0Auth#generateAgentToken
). This is required because, when a human user starts a run, Vivaria passes the user's access token to the agent. However, Vivaria can't pass a machine user's access token to an agent. Machine user access tokens have the machine
permission, which allows the bearer to create runs and start task environments like a human user. Vivaria doesn't allow agents to take such actions.
Configure Vivaria
See here for an explanation of the Vivaria config variables that you should set.
Then, restart Vivaria and you should be able to log in using Auth0!