# Auth0

Log in to your Auth0 account (opens new window) and head to your dashboard. Select Applications on the left menu. On the Applications page, click the Create Application button to create a new app.

Auth0 Applications Dashboard

# Create Regular Web Application

On the Create New Application page, name your application and select the Regular Web Application for your application. This is the application that your users will login to.

Auth0 Create Application Select Platform

Next, provide the following information for your application settings:

Field Description
Name The name of your application.
Application Login URI Authenticate URL (e.g. https://${authenticate_service_url})
Allowed Callback URLs Redirect URL (e.g. https://${authenticate_service_url}/oauth2/callback).

Make sure to click Save Changes at the bottom of the page when you're done.

On the same Settings page you can copy the Domain and use it as the provider url (e.g. https://dev-xyz.us.auth0.com), as well as the Client ID and Client Secret.

# Service Account

Next we'll create an application to handle machine-to-machine communication from Pomerium to Auth0 in order to retrieve and establish group membership.

TIP

Auth0 refers to groups as roles.

Select Applications on the left menu. On the Applications page, click the Create Application button to create a new app.

On the Create New Application page, name your application and select the Machine to Machine Application for your application. A different application is used for grabbing roles to keep things more secure.

Auth Create Application Select Service Account Platform

Click Create and on the next page select Auth0 Management API from the dropdown. For the scopes use the Filter on the right to narrow things down to role and choose the read:roles and read:role_members scopes.

Auth0 Management API Scopes

Finish things off by clicking Authorize.

To build the idp_service_account for Auth0 you need to base64-encode a JSON document containing the Client ID and Client Secret of the application:

{
  "client_id": "...",
  "secret": "..."
}

You can now configure Pomerium with the identity provider settings retrieved in the previous steps. Your environmental variables (opens new window) should look something like this.

IDP_PROVIDER="auth0"
IDP_PROVIDER_URL="https://hayward-jackal.us.auth0.com"
IDP_CLIENT_ID="REPLACE_ME" # from the application the users login to
IDP_CLIENT_SECRET="REPLACE_ME" # from the application the users login to
IDP_SERVICE_ACCOUNT="REPLACE_ME" # built from the machine-to-machine application which talks to the Auth0 Management API