> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth0 (OIDC)

The Auth0 connector integrates the Maverics Orchestrator with Auth0 by Okta -- enabling OIDC-based single sign-on for applications that authenticate against Auth0 tenants.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

The Auth0 connector uses OpenID Connect to federate authentication with Auth0. It supports standard OIDC flows -- designed for organizations that use Auth0 as their identity platform, whether for customer-facing (CIAM) or workforce identity scenarios. The connector can also facilitate Auth0 tenant migrations and multi-IdP orchestration.

## Use Cases

* **Unify SSO across CIAM and workforce apps** -- Extend Auth0 authentication to legacy applications that don't support OIDC natively, bridging customer-facing and internal identity scenarios
* **Rationalize Auth0 tenants** -- Consolidate multiple Auth0 tenants or migrate users from Auth0 to another IdP gradually without downtime, reducing per-tenant licensing costs
* **Authentication resilience** -- Route authentication to a backup identity provider if Auth0 becomes unavailable, maintaining continuous access for end users
* **Orchestrate Auth0 with enterprise IdPs** -- Combine Auth0 with providers like Microsoft Entra ID or Okta in a single authentication flow, enabling flexible identity routing across platforms

## Setup

<Tabs>
  <Tab title="Console UI">
    To create an Auth0 (OIDC) connector in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **Auth0 (OIDC)**.
    3. Enter a **Name** -- this is the friendly name that identifies your provider.
    4. Enter the **OIDC Well Known URL** -- for Auth0, this follows the pattern `https://{your-tenant}.auth0.com/.well-known/openid-configuration`. If you are using a custom domain, replace the tenant URL with your custom domain.
    5. Enter the **OAuth Client ID** -- the Client ID from your Auth0 application settings in the Auth0 dashboard.
    6. Enter the **OAuth Client Secret** -- the Client Secret from your Auth0 application settings.
    7. Under **Redirect URLs**, add the callback URL where Auth0 will redirect after authentication. This URL must match an entry in the Allowed Callback URLs configured in your Auth0 application.
    8. Optionally configure **Logout Callback URLs** for single logout support.
    9. Optionally set **Scopes** (space-separated). Default scopes are typically `openid profile email`.
    10. The **PKCE** toggle is enabled by default. Disable it only if your Auth0 application is not configured to support Proof Key for Code Exchange.
    11. Optionally enable **Offline Access** for token refresh support (Proxy apps only).
    12. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml theme={null}
    connectors:
      - name: auth0
        type: auth0
        oidcWellKnownURL: "https://{{ env.AUTH0_DOMAIN }}/.well-known/openid-configuration"
        oauthClientID: "{{ env.AUTH0_CLIENT_ID }}"
        oauthClientSecret: <vault.auth0_client_secret>
        oauthRedirectURL: "https://app.example.com/oidc/callback"
    ```

    ## Configuration Reference

    | Key                 | Type   | Required | Description                                            |
    | ------------------- | ------ | -------- | ------------------------------------------------------ |
    | `name`              | string | Yes      | Unique connector identifier referenced in app policies |
    | `type`              | string | Yes      | Must be `auth0`                                        |
    | `oidcWellKnownURL`  | string | Yes      | OIDC discovery endpoint URL (Auth0 tenant domain)      |
    | `oauthClientID`     | string | Yes      | OAuth 2.0 client ID from the Auth0 dashboard           |
    | `oauthClientSecret` | string | Yes      | OAuth 2.0 client secret (use secret reference syntax)  |
    | `oauthRedirectURL`  | string | Yes      | Callback URL registered with the Auth0 application     |
    | `tls`               | string | No       | Named TLS profile for provider communication           |

    For the complete field reference including health checks, offline access, and PKCE settings, see [Identity Fabric](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify the `oidcWellKnownURL` is accessible** from the Orchestrator host -- ensure the Auth0 domain is correct (e.g., `your-tenant.auth0.com` or custom domain)
* **Ensure the `oauthRedirectURL` matches exactly** what is registered in the Auth0 application under Allowed Callback URLs
* **Check that the client secret reference resolves correctly** via your secret provider

## Related Pages

<CardGroup cols={2}>
  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Okta" icon="shield-halved" href="/reference/orchestrator/identity-fabric/okta">
    OIDC connector for Okta
  </Card>

  <Card title="Generic OIDC" icon="key" href="/reference/orchestrator/identity-fabric/custom-oidc">
    Generic OpenID Connect connector
  </Card>

  <Card title="Continuity" icon="arrows-rotate" href="/reference/orchestrator/identity-fabric/continuity">
    Failover connector for IdP high availability
  </Card>
</CardGroup>
