Auth0
Setup guide for the Common Fate Auth0 integration.
Added in Common Fate v1.42.0. Requires Common Fate Terraform Provider v2.17 or later.
This guide will walk you through integrating Common Fate with Auth0. By the end of this guide, you’ll have a functioning integration with Common Fate, allowing it to provision access to Auth0 Organizations.
Auth0 Setup
To configure the Auth0 integration, create a Machine-To-Machine application in the Auth0 administrative console.
In the Auth0 administrative console, browse to Applications.
Name the application Common Fate. Choose Machine to Machine Applications as the application type.
Click on the newly created application. Take a note of the Domain, Client ID, and Client Secret attributes, as you will need them in the next steps.
You will need to create a new SecretString in SSM Parameter Store and then use the path when configuring your deployment in Terraform.
You can use the AWS CLI to create a secret in the region you are deploying to. We recommend naming these "/<namespace>/<stage>/<secret name>".
# run this in the AWS account and region that Common Fate is deployed to
aws ssm put-parameter \
--name "/common-fate/prod/auth0-client-secret" \
--value "<client secret from the above step>" \
--type "SecureString"
Configuring Common Fate
In this section, you will register the Auth0 integration with your Common Fate deployment. At the end of this section you should have Common Fate ready to provision access. You’ll need to have set up the Common Fate Application Configuration repository using our Terraform provider.
Inside your Application Configuration repository, add the following module:
resource "commonfate_auth0_integration" "auth0" {
name = "Auth0"
domain = "<your domain from above, e.g. dev-1ulors88vi7zjge6.us.auth0.com>"
client_id = "<your Client ID from above, e.g. ISQp0GiY0xcdODDdWRFnuh5Ypfm0XIa1>"
client_secret_secret_path = "/common-fate/prod/auth0-client-secret"
}
Apply the changes. If the apply succeeds, you should see the integration appear on the settings page in the web dashboard.
Provisioning access to Auth0 Organizations
To grant and revoke access to Auth0 Organizations, Common Fate uses a service called the Provisioner. The Provisioner is an internal service and is not user-facing. In default deployments, there is a provisioner builtin to the main stack which can be configured using blocks.
To configure the builtin Provisioner for Auth0 Organizations, add the provisioner_okta_config config block as per the example below:
module "common-fate-deployment" {
source = "common-fate/common-fate-deployment/aws"
version = "..."
provisioner_auth0_config = {
domain = "<your domain from above, e.g. dev-1ulors88vi7zjge6.us.auth0.com>"
client_id = "<your Client ID from above, e.g. ISQp0GiY0xcdODDdWRFnuh5Ypfm0XIa1>"
client_secret_secret_path = "/common-fate/prod/auth0-client-secret"
}
}
You can now create an access workflow and availabilities:
resource "commonfate_access_workflow" "auth0" {
name = "auth0"
access_duration_seconds = 60 * 60 * 2
try_extend_after_seconds = 60 * 60
priority = 1
}
resource "commonfate_auth0_organization_selector" "select_all" {
id = "example"
name = "Example"
auth0_tenant_id = "<your Auth0 domain, e.g. dev-1ulors88vi7zjge6.us.auth0.com>"
when = "true"
}
resource "commonfate_auth0_organization_availabilities" "demo" {
workflow_id = commonfate_access_workflow.auth0.id
okta_group_selector_id = commonfate_auth0_organization_selector.select_all.id
auth0_tenant_id = "<your Auth0 domain, e.g. dev-1ulors88vi7zjge6.us.auth0.com>"
}