Auth0 setup
Auth0 is supported by Kamea to authenticate users with the OAuth 2.0 protocol.
Warning
The Auth0 implementation does not yet support self-checkin.
Start by creating an Auth0 tenant. The following steps require an active Auth0 tenant.
Front-end application registration
Register your application in the menu Application -> Applications. Click on the Create application button to access the form.
Choose a name, and select Single Page Web Applications in the list. You should be redirected to the application landing page. Note the Client ID on top of the page for later.
In the Settings tab of the application:
- Input the callback & logout URLs (typically the domain name of your instance of Kamea, or http://localhost:4200/ for the Angular debug environment)
- Enable the Refresh Token Rotation if it's not already the case and set the Reuse Interval to 0
- In Advanced Settings -> Grant Types, disable Implicit, as it has been deprecated for mobile apps and SPAs for security reasons.
API Registration
In the Application -> APIs menu, click on the Create API button. Fill in the form and create the API. The identifier depends on your domain name. You can use http://localhost:3000 for local development mode.
Warning: If no API is created, no audience can be requested in the front-end when authenticating, which will lead Auth0 to return an opaque token that cannot be used for anything except some Auth0 endpoints.
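To tell which case you are in while debugging, the following added example (not part of Kamea) classifies an access token as opaque or JWT and checks its audience against the API identifier. The function names, the tenant name and the sample tokens are constructed for illustration.

```javascript
// Added example (not Kamea code). Diagnostic only: it does NOT verify the
// token signature, so never use it to authorize a request.

// Decode one base64url JWT segment into an object, or return null.
function decodeSegment(segment) {
  try {
    const value = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
    return value !== null && typeof value === 'object' ? value : null;
  } catch {
    return null;
  }
}

// Classify an access token and report whether it targets expectedAudience.
function inspectAccessToken(token, expectedAudience) {
  const parts = String(token).split('.');
  const header = parts.length === 3 ? decodeSegment(parts[0]) : null;
  const payload = parts.length === 3 ? decodeSegment(parts[1]) : null;
  if (!header || !payload) {
    return { kind: 'opaque', audienceOk: false,
      hint: 'Not a JWT: check that the API exists and that its identifier is requested as the audience.' };
  }
  // "aud" may be a single string or an array of strings (RFC 7519).
  const audiences = [].concat(payload.aud ?? []);
  const audienceOk = audiences.includes(expectedAudience);
  return { kind: 'jwt', audienceOk,
    hint: audienceOk ? 'Token targets this API.' : `Token audience is ${JSON.stringify(audiences)}.` };
}

// Constructed sample tokens (fake signature, hypothetical tenant name).
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleJwt = [
  b64({ alg: 'RS256', typ: 'JWT' }),
  b64({ iss: 'https://example-tenant.eu.auth0.com/',
    aud: ['http://localhost:3000', 'https://example-tenant.eu.auth0.com/userinfo'] }),
  'constructed-signature',
].join('.');
const sampleOpaque = 'kX3vQ9constructedOpaqueToken';

console.log(inspectAccessToken(sampleJwt, 'http://localhost:3000'));
console.log(inspectAccessToken(sampleOpaque, 'http://localhost:3000'));
```

The API itself must still validate the signature, issuer and audience of every token with a proper JWT library before trusting it.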
API application registration
A Machine to Machine application must also be created in order for Kamea to be able to create, request and delete users. See the official Auth0 documentation for more details. Note the Client ID and Client secret of this application.
Restrict sign-up and sign-in
Users shouldn't be able to create their account without being invited to the platform, but it is possible by default. To disable that feature:
- Enable the setting Authentication / Database / [your database connection] / Settings / Disable signups
- In the settings of your application, select the tab Connections and disable the Google authentication.
Environment variables
The following environment variables must be provided in the API:
- AUTH0_DOMAIN_NAME: Can be found in your front-end application page, on Auth0, in Settings -> Basic Information. The format is: <your tenant name>.<region>.auth0.com.
- AUTH0_MANAGEMENT_API_URL: URL of the management API of your tenant. Will most likely be https://<your tenant name>.<region>.auth0.com/api/v2/.
- AUTH0_MANAGEMENT_API_CLIENT_ID: Client ID retrieved in the API application registration step.
- AUTH0_MANAGEMENT_API_CLIENT_SECRET: Client secret retrieved in the API application registration step.
- AUTH0_CONNECTION_NAME: Your Auth0 tenant should contain a Database Connection configured for password connections. Use this connection name (not the ID).