
Auth0 (OIDC/JWT)

Use Auth0 as your OpenID Connect (OIDC) identity provider. MAPS validates JWTs issued by your Auth0 tenant and (optionally) calls Auth0 for metadata using a Management client.


Configuration

1) AuthManager (global)

AuthManager:
  authenticationEnabled: true
  authorizationEnabled: false
  config:
    # Auth0 tenant wiring for lookups/metadata
    identityProvider: "auth0"
    domain: "YOUR_TENANT.eu.auth0.com"   # Auth0 Domain
    clientId: "YOUR_CLIENT_ID"           # Management client (M2M) ID
    clientSecret: "YOUR_CLIENT_SECRET"   # Management client secret
    cacheTime: 600000                    # ms to cache Auth0 results (e.g., JWKS/tenants/apps)

domain, clientId, and clientSecret belong to an M2M (Confidential) Application authorized for the required scopes (e.g., read:users, read:clients) if you use metadata lookups. For pure JWT validation you typically don't need Management API calls at all.

2) JAAS (jaasAuth.config)

OIDCAuthConfig {
    io.mapsmessaging.security.jaas.JwtOidcLoginModule Required
        issuer="https://YOUR_TENANT.eu.auth0.com/"
        audience="YOUR_API_IDENTIFIER"
        jwksUri="https://YOUR_TENANT.eu.auth0.com/.well-known/jwks.json"
        debug=false;
};

  • issuer is your Auth0 Domain prefixed with https:// and ending in a trailing /, matching the token's iss claim exactly.
  • audience must match the API Identifier configured in Auth0.
  • jwksUri points to your tenant's JWKS, from which the signing keys are fetched for verification.

3) SecurityManager mapping

SecurityManager:
  - public: OIDCAuthConfig

4) Listener example

- name: "REST API (Auth0)"
  url: "http://0.0.0.0:8080/"
  protocol: rest
  auth: public

Field Reference

| Key                | Required | Description                                                                            |
|--------------------|----------|----------------------------------------------------------------------------------------|
| auth0.domain       | Yes      | Your Auth0 Domain (tenant), e.g., your-tenant.auth0.com.                               |
| auth0.clientId     | Optional | Machine-to-Machine app Client ID used if MAPS queries Auth0 Management APIs.           |
| auth0.clientSecret | Optional | Secret for the above Client. Keep it secure.                                           |
| auth0.cacheTime    | Optional | Cache TTL (ms) for Auth0-derived data (e.g., tenant/app/user lookups).                 |

JWT validation only needs issuer + jwksUri (and audience if you require it) in JAAS. The auth0.* block is only needed if your deployment performs Auth0 lookups.


Notes & Best Practices

  • Prefer RS256 signed tokens so MAPS can validate them with JWKS (no shared secret).
  • Ensure tokens include the expected audience (API Identifier) that your REST/API listeners enforce.
  • Keep clientSecret out of repos. Use env vars or secrets managers and tokenise as {{ENV_VAR}} in config.
  • Tune cacheTime to balance freshness vs. rate limits if you enable Management lookups.

Troubleshooting

  • Token validates but routes are rejected: confirm audience matches the API Identifier configured in Auth0.
  • Signature verification fails: verify that jwksUri is reachable and that the token is RS256-signed with a kid present in the JWKS; check system clock skew.
  • Frequent Management API calls: raise cacheTime or disable lookups if not needed.