Auth0 Configuration

Auth0 Step by Step configuration

  • Go to

  • Sign in or register an account

  • Note Tenant Domain provided by Auth0

  • Login or create an account with

  • Go to Settings -> Developer Settings - OAuth Apps

  • Create a new app (call it something to recognize it is linked to Auth0)

  • Note the client Id and Secret

  • Add homepage URL as https://<yourauth0accounthere>

  • Add authorization callback URL as https://<yourauth0accounthere>

  • Go back to Auth0

  • Go to Connections -> Social

  • Select Github and enter in your Github app ClientID and secret Credentials - NOTE: ENSURE Attribute “Email Address” is ticked

  • Create an application on Auth0 (regular web app)

  • Use the Auth0 clientID and Client Secret in your application.yaml file Make sure to specify POST method of token endpoint authentication (Drop down box) Enter in your Callback URL (https://<service>.<domain>/signin & https://<service>.<domain>/oauth/signin)

  • Enter your origin URL (https://<your URL here>) and save changes

  • Go to Users & Roles and Create a user with a real email address. You will use this later so remember it

  • Click on Rules -> Whitelist

  • Enter in your email address into the whitelist field (e.g. Line 8 “const whitelist = [ ‘<your email here>’]; //authorized users”)

Suggestions of how to structure Applications, Apis and Permissions

  • Add a common application, give it a name like for example Traefik.

  • Add a common Default API and set as Default Audience in your Auth0 Tenant.

  • Represent Multiple APIs Using a Single Logical API in Auth0 that span several services to use a single sign in on multiple APIs.

  • By default everyone has access that is able to authenticate, i.e, everyone with an account in one of the enabled Auth0 Connections.

    • Create permissions in your API.

    • Enable RBAC and “Add Permissions to Access Token” under the API Settings.

    • Add the permissions directly to users or to roles assigned to users.

Configure the Access Token to be a verifiable JWT

The only way for ForwardAuth to validate that the Access Token has not been tampered with and has not expired is if you use a token with JWT format. This means that Auth0 MUST be configured with either and Audience or a Default Audience in the Auth0 Tenant when requesting an Access Token to receive a token of JWT Format, or else the user will get Access Denied from ForwardAuth because the token could not be verified.


If someone authenticate and the Auth0 is configured to serve a opaque token, ForwardAuth will display an error page and will not let the user enter the requested application. See Why is my access token no a JWT? for more info.