Auth0

This section illustrates where the expected values are found within the Auth0 dashboards. For a more detailed guide on creating an Auth0 application and API, see below. Use these values to configure an external JWT signer.

Example Auth0 OpenID Discovery Endpoint

https://${tenant}.${region}.auth0.com/.well-known/openid-configuration
| Field | Where to Find the Value | Example |
|---|---|---|
| Issuer | Application Settings in Basic Information. The Domain of the app prefixed with "https://" | https://dev-k1gpd4wpyslypklr.us.auth0.com/ |
| Client ID | Application Settings in Basic Information. The Client ID | HTgNgEjHR9Q3krXiShYsrVOh6pRNrtH0q |
| Audience | The API Audience on the APIs dashboard or in General Settings as the Identifier of the API | https://your.openziti.controller.example.io |
| External Auth URL | The same value as the Issuer | https://dev-k1gpd4wpyslypklr.us.auth0.com/ |
| JWKS Endpoint | Use the jwks_uri field from the OpenID discovery endpoint. Often the Auth0 domain + ".well-known/jwks.json" | https://dev-k1gpd4wpyslypklr.us.auth0.com/.well-known/jwks.json |
| Claims Property | Often email, but can also be sub or any other claim contained in the JWT | email |
| Scopes | openid is included by default; then add any other standard or custom scope such as email, profile, etc. | profile offline_access |

Get an Auth0 Account

If you don't already have an account, you can sign up for a free account at https://auth0.com/signup.

Add an Application (if necessary)

Once you have an Auth0 account, expand Application, choose Applications again in the left navbar, then find the Create Application button and click it:

Add Application


Choose the Type of Application

Give the application a name, then choose Single Page Web Applications and click Create.

Choose Application Type


Ignore the Quickstart tab and simply select the Settings tab to proceed.

Skip Quickstart Type Selection


Callback URLs

The Authorization Code Flow with PKCE (often just called the PKCE flow) requires configuring the callback URLs the Identity Provider (IdP) will allow redirecting to. If the URL for a specific client is not explicitly listed, the IdP will deny the authentication request. Depending on the technology used to authenticate to the OpenZiti Network, different URLs need to be specified, and more than one URL may be configured. Decide whether you are configuring the IdP for use with tunnelers, with BrowZer, or with both, and add the appropriate callback URLs.

In the Auth0 dashboard, with the application selected, choose the "Settings" tab and scroll down to the "Application URIs" section and add the URLs.

For Tunnelers

Tunnelers require an allowed callback URL of: http://localhost:20314/auth/callback.

For BrowZer

The URL to configure for BrowZer will vary depending on the BrowZer configuration. BrowZer requires a wildcard certificate in order to be deployed, and all services are delivered from this wildcard domain. You will need to add the configured wildcard domain as the callback URL.

For Ziti Admin Console (ZAC)

The URL to configure an IdP for so that ZAC will be able to authenticate will depend on how you deploy your ZAC. The current method recommended to deploy ZAC will deploy it on the same URL as the controller. For example: https://controller.example.com/zac/callback

From the Settings tab in the Auth0 portal, scroll down until you find the Application URIs section and add the URIs appropriate for the features you are enabling.

Example Callback URLs


Add a New API

When using ext-jwt-signers with OIDC, OpenZiti validates that the security token presented is intended for OpenZiti by looking for and using the aud (audience) claim of the JWT. This requires the token (the JWT) to have an audience specified and the ext-jwt-signer's configured audience to match it. For Auth0, this is accomplished by creating an API.

From the left navbar in the Auth0 dashboard, click on Application -> APIs -> Create API

Create API


Any name can be used, but as the UI indicates, the Identifier field is used as the aud (audience) claim of the JWT after successful authentication. Choose RFC 9068 as the JSON Web Token Profile.

Create API

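As an added example (not code from the OpenZiti docs or from Auth0), the following Python preflight check maps a tenant's discovery document onto the ext-jwt-signer fields from the table above and reports where a token issued by that tenant disagrees with the signer's issuer, audience and claims property. The discovery document, JWKS key id, API identifier and token are constructed placeholders, and the signature is deliberately not verified; the controller does that.

```python
import base64
import json

# Constructed sample data (not real Auth0 output): a trimmed discovery
# document, a JWKS with one key id, and the ext-jwt-signer values to check.
DISCOVERY = {
    "issuer": "https://dev-example.us.auth0.com/",
    "jwks_uri": "https://dev-example.us.auth0.com/.well-known/jwks.json",
}
JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig", "e": "AQAB", "n": "<omitted>"}]}
AUDIENCE = "https://ziti.example.com"  # the API Identifier configured in Auth0
CLAIMS_PROPERTY = "email"


def signer_config_from_discovery(doc):
    # Issuer, External Auth URL and JWKS Endpoint all derive from the discovery document
    return {"issuer": doc["issuer"], "externalAuthUrl": doc["issuer"], "jwksEndpoint": doc["jwks_uri"]}


def make_token(header, claims):
    # Build an UNSIGNED compact JWT for demonstration; the signature segment is left empty
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


def decode_part(part):
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def check_token(token, config, audience, claims_property, jwks):
    """Return the mismatches between a token and the signer config; [] means it lines up."""
    header, payload, _sig = token.split(".")
    hdr, claims = decode_part(header), decode_part(payload)
    problems = []
    # Exact string match: Auth0 issuers end with "/", so the configured issuer must too
    if claims.get("iss") != config["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != issuer {config['issuer']!r}")
    # aud may be a string or a list; Auth0 may add its userinfo endpoint as a second entry
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        problems.append(f"aud {aud_list!r} lacks API identifier {audience!r}")
    if claims_property not in claims:
        problems.append(f"claims property {claims_property!r} missing; request its scope or use 'sub'")
    if hdr.get("kid") not in {k.get("kid") for k in jwks["keys"]}:
        problems.append(f"kid {hdr.get('kid')!r} not in JWKS at {config['jwksEndpoint']}")
    return problems
```

Run it with your tenant's discovery document, JWKS and a freshly issued token before creating the signer; each entry in the returned list names the table field that does not agree with what Auth0 actually issues.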