Skip to content

Auth0

This page explains how to configure Auth0 as an OpenID Connect (OIDC) identity provider for Fusion Metadata Registry (FMR).

The examples below assume that:

  • FMR is registered in Auth0 as an application
  • the FMR redirect URI is https://<fmr-host>/ws/fusion/oauth/callback
  • FMR authorisation is based on the groups claim returned during sign-in

Note

Auth0 does not expose a built-in groups claim in the same way as some other identity providers. FMR requires a groups claim for role-based authorisation, so the most suitable Auth0 approach is to use the Auth0 Authorization Extension and configure it to include group information in the issued token.

Register FMR as a confidential client

In most deployments, FMR should be registered as a confidential client. In Auth0, this means creating FMR as a Regular Web Application.

To create the application:

  1. Open the Auth0 Dashboard.
  2. Go to Applications > Applications.
  3. Select Create Application.
  4. Enter a name such as FMR.
  5. Select Regular Web Applications.
  6. Select Create.

After the application has been created:

  1. Open the application's Settings tab.
  2. Add the FMR callback URL to Allowed Callback URLs:
https://<fmr-host>/ws/fusion/oauth/callback
  1. If required for your environment, also configure:
  2. Allowed Logout URLs
  3. Application Login URI
  4. Save the changes.

Get the client ID and client secret

Use the values from the Auth0 application in the FMR OIDC configuration:

  • Client ID: available on the application's Settings tab
  • Client Secret: available on the application's Settings tab or Credentials tab, depending on the Auth0 Dashboard view

Enter these into FMR:

  • Issuer URI: https://<your-auth0-domain>/
  • Client ID: the Auth0 application's client ID
  • Client Secret: the Auth0 application's client secret

Configure Auth0 to emit the groups claim

FMR needs the authenticated user's group membership so that it can map external groups to FMR roles.

With Auth0, the most practical way to manage groups is to use the Authorization Extension.

Install and configure the Authorization Extension

  1. In the Auth0 Dashboard, go to Extensions.
  2. Install Auth0 Authorization Extension if it is not already installed.
  3. Open the extension.
  4. Open Configuration.
  5. In the Token Contents section, enable inclusion of Groups in the issued token.
  6. Publish the rule created by the extension.

Request the groups scope

Ensure the Auth0 login request for FMR includes the groups scope as well as the usual OIDC scopes such as openid and profile.

Important limitation

Auth0's general custom claim mechanism treats groups as a restricted claim. In practice, this means:

  • do not rely on a custom Action or Rule to create a plain groups claim
  • prefer the Authorization Extension path if you need Auth0 to work with FMR group-based authorisation

This is an Auth0-specific limitation rather than an FMR limitation.

Assign users to groups

Once the Authorization Extension is installed, create the groups that FMR will use and add users to them.

Create groups

  1. Open the Authorization Extension dashboard.
  2. Go to Groups.
  3. Select Create Group.
  4. Create the groups that FMR will use, for example:
  5. fmr-admin
  6. fmr-publisher
  7. fmr-reader

Add users to groups

You can add users to groups in either of these ways:

  1. Open a group and add its members.
  2. Open a user and manage the user's group membership.

After the user signs in again, Auth0 can return the user's groups and FMR can use them in its role mapping configuration.

Optionally configure FMR as a public client with PKCE

Use a public client only if your deployment does not allow FMR to hold a client secret.

In Auth0, public applications are created as Native or Single Page Application application types. These application types use the Authorization Code Flow with PKCE instead of a client secret.

To configure this in Auth0:

  1. Go to Applications > Applications.
  2. Select Create Application.
  3. Enter a name such as FMR.
  4. Select Native or Single Page Application, depending on your deployment requirements.
  5. Select Create.
  6. On the Settings tab, add the FMR callback URL to Allowed Callback URLs:
https://<fmr-host>/ws/fusion/oauth/callback
  1. Ensure the application's grant types include Authorization Code.

With Auth0, PKCE uses code_challenge_method=S256. This is the method supported by Auth0 for PKCE requests, rather than a separate dashboard option that you need to switch on.

When using the public client configuration in FMR:

  • enter the Client ID
  • leave Client Secret blank

References