Auth0 OIDC Setup
Configure Boltbase with Auth0 as OIDC provider.
Prerequisites
- Auth0 account (free tier works)
- Access to Auth0 Dashboard
Setup Steps
1. Create Application in Auth0
- Log in to Auth0 Dashboard
- Navigate to Applications > Applications
- Click "Create Application"
- Choose:
  - Name: Boltbase (or your preference)
  - Application Type: Regular Web Applications
- Click Create
2. Configure Application
- Go to Settings tab
- Note down:
  - Domain: your-tenant.auth0.com
  - Client ID: (shown in Basic Information)
  - Client Secret: (shown in Basic Information)
- Configure Application URIs:
  - Allowed Callback URLs: http://localhost:8080/oidc-callback
    For production add: https://boltbase.example.com/oidc-callback
  - Allowed Logout URLs (optional): http://localhost:8080 and https://boltbase.example.com
- Save Changes
3. Configure Boltbase
YAML Configuration
```yaml
# ~/.config/boltbase/config.yaml
auth:
  oidc:
    client_id: "your-auth0-client-id"
    client_secret: "your-auth0-client-secret"
    client_url: "http://localhost:8080"
    issuer: "https://your-tenant.auth0.com/"
    scopes:
      - "openid"
      - "profile"
      - "email"
```
Environment Variables
```bash
export BOLTBASE_AUTH_OIDC_CLIENT_ID="your-auth0-client-id"
export BOLTBASE_AUTH_OIDC_CLIENT_SECRET="your-auth0-client-secret"
export BOLTBASE_AUTH_OIDC_CLIENT_URL="http://localhost:8080"
export BOLTBASE_AUTH_OIDC_ISSUER="https://your-tenant.auth0.com/"
export BOLTBASE_AUTH_OIDC_SCOPES="openid,profile,email"
boltbase start-all
```
User Management
Create Test Users
- Go to User Management > Users
- Click "Create User"
- Choose connection: Username-Password-Authentication
- Enter email and password
- Click Create
Email Whitelist
Restrict access to specific users:
```yaml
auth:
  oidc:
    # ... auth0 config ...
    whitelist:
      - "admin@example.com"
      - "team@example.com"
```
Advanced Configuration
Custom Domain
If using Auth0 custom domain:
```yaml
auth:
  oidc:
    issuer: "https://auth.yourdomain.com/"
    # ... rest of config
```
Additional Scopes
Standard OIDC scopes used by Boltbase:
```yaml
auth:
  oidc:
    scopes:
      - "openid"
      - "profile"
      - "email"
```
Note: Boltbase does not support refresh tokens. Sessions expire after 24 hours.
Organizations
For Auth0 Organizations:
- Enable Organizations in Auth0
- Create organization
- Add users to organization
- Update callback URL to include organization:
http://localhost:8080/oidc-callback?organization=ORG_ID
Social Connections
Enable Social Login
- Go to Authentication > Social
- Enable desired providers (Google, GitHub, etc.)
- Configure each provider with their credentials
- No changes needed in Boltbase config
Users can now log in with social accounts through Auth0.
Production Configuration
Security Settings
In Auth0 Dashboard > Settings > Advanced:
- Enable "OIDC Conformant"
- Set appropriate token expiration
- Configure refresh token rotation
Production Boltbase config:
```yaml
auth:
  oidc:
    client_id: "production-client-id"
    client_secret: "production-secret"
    client_url: "https://boltbase.example.com"
    issuer: "https://your-tenant.auth0.com/"

# Enable HTTPS
tls:
  cert_file: "/etc/ssl/boltbase.crt"
  key_file: "/etc/ssl/boltbase.key"
```
Rate Limits
Auth0 has rate limits:
- Free tier: 1,000 logins/month
- Paid tiers: Higher limits
Monitor usage in Auth0 Dashboard > Monitoring.
Testing
Start Boltbase:
```bash
boltbase start-all
```
- Access http://localhost:8080
- You'll be redirected to Auth0 login
- Log in with test user or social account
- After successful login, you are redirected back to Boltbase
Troubleshooting URLs
- Auth0 Dashboard: https://manage.auth0.com/
- OpenID Configuration: https://your-tenant.auth0.com/.well-known/openid-configuration
- Test connection: https://your-tenant.auth0.com/authorize?client_id=YOUR_CLIENT_ID
Notes
- Issuer URL must include trailing slash
- Auth0 supports standard OIDC discovery
- Free tier sufficient for small teams
- Session duration controlled by Auth0 token settings
- Auth0 Universal Login provides customizable UI
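The Troubleshooting URLs and Notes above point at the OpenID discovery document and the trailing-slash rule for the issuer. The following added example (not part of Boltbase or Auth0) checks a configured issuer against a discovery document the way an OIDC client must: the `issuer` value has to match byte for byte, the endpoints must be HTTPS, and the requested scopes must be advertised. The `SAMPLE_DISCOVERY` document is a constructed, trimmed stand-in for what `https://your-tenant.auth0.com/.well-known/openid-configuration` returns.

```python
import json
from urllib.parse import urlparse

# Constructed sample (trimmed) of an Auth0 tenant's discovery document.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://your-tenant.auth0.com/",
  "authorization_endpoint": "https://your-tenant.auth0.com/authorize",
  "token_endpoint": "https://your-tenant.auth0.com/oauth/token",
  "jwks_uri": "https://your-tenant.auth0.com/.well-known/jwks.json",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "id_token_signing_alg_values_supported": ["HS256", "RS256"]
}""")

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Well-known URL for an issuer (OIDC Discovery 4.1). The trailing slash is
    stripped before appending, so both spellings of the issuer fetch the same
    document even though only the one matching the document's 'issuer' is valid."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(configured_issuer: str, doc: dict,
                       scopes=("openid", "profile", "email")) -> list:
    """Return a list of problems; an empty list means config and provider agree."""
    problems = []
    if urlparse(configured_issuer).scheme != "https":
        problems.append("issuer must use https")
    # Exact string comparison is what the spec demands: "https://t.auth0.com"
    # does not equal "https://t.auth0.com/", which is why the Notes insist on
    # the trailing slash for Auth0 tenants.
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: config={configured_issuer!r} "
                        f"discovery={doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    missing = set(scopes) - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes not advertised by provider: {sorted(missing)}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider does not offer RS256-signed ID tokens")
    return problems


if __name__ == "__main__":
    for issuer in ("https://your-tenant.auth0.com/", "https://your-tenant.auth0.com"):
        print(issuer, "->", validate_discovery(issuer, SAMPLE_DISCOVERY) or "OK")
```

Run against a live tenant by fetching `discovery_url(issuer)` and passing the parsed JSON in place of `SAMPLE_DISCOVERY`.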
