Configure Auth0 as an external Identity Provider (IdP) so users can log in to OpenCASE using their Auth0 accounts. Keycloak acts as the broker -- it delegates authentication to Auth0 and creates local user accounts automatically on first login (Just-in-Time provisioning).
- OpenCASE is running (see Get Started Guide)
- You have an Auth0 account (free tier works)
- You know your OpenCASE domain (e.g.
opencase.1edtech.org)
- Log in to the Auth0 Dashboard
- Go to Applications > Applications > Create Application
- Enter a name, e.g.
OpenCASE SSO - Select Regular Web Applications
- Click Create
In the application's Settings tab, scroll to Application URIs and set:
| Field | Value |
|---|---|
| Allowed Callback URLs | https://YOUR_DOMAIN/realms/opencase/broker/auth0/endpoint |
| Allowed Logout URLs | https://YOUR_DOMAIN |
| Allowed Web Origins | https://YOUR_DOMAIN |
Replace YOUR_DOMAIN with your OpenCASE hostname (e.g. opencase.1edtech.org).
The callback URL follows Keycloak's broker pattern:
/realms/{realm}/broker/{alias}/endpoint. We'll useauth0as the alias in Step 2.
From the Settings tab, copy these values -- you'll need them in Step 2:
- Domain (e.g.
your-tenant.auth0.com) - Client ID
- Client Secret
Navigate to https://YOUR_DOMAIN/admin/ and log in with your Keycloak admin credentials (the ADMIN_PASSWORD from your .env file, username admin).
Make sure you're in the opencase realm (top-left dropdown). If you see "master", switch to "opencase".
- In the left sidebar, click Identity providers
- Click Add provider > OpenID Connect v1.0
Fill in the following fields:
| Field | Value |
|---|---|
| Alias | auth0 |
| Display name | Auth0 (or your preferred label, e.g. Login with Auth0) |
| Discovery endpoint | https://YOUR_AUTH0_DOMAIN/.well-known/openid-configuration |
| Client ID | (from Step 1) |
| Client Secret | (from Step 1) |
Replace YOUR_AUTH0_DOMAIN with your Auth0 domain (e.g. your-tenant.auth0.com).
After entering the discovery endpoint, click outside the field -- Keycloak will auto-populate the authorization, token, and userinfo endpoints.
| Field | Value |
|---|---|
| Client Authentication | Client secret sent as post |
| Default Scopes | openid email profile |
| Trust Email | On |
| Sync Mode | Force (updates user attributes on every login) |
Trust Email = On means Keycloak trusts that Auth0 has already verified the user's email. Without this, users may be prompted to verify their email again.
Sync Mode = Force ensures user profile data (name, email) stays in sync with Auth0 on each login. Use
Importif you only want to import on first login.
By default, logging out of OpenCASE only ends the Keycloak session -- the Auth0 session stays active. To propagate logouts to Auth0:
- Scroll to Advanced settings (or OpenID Connect settings)
- Set Logout URL to
https://YOUR_AUTH0_DOMAIN/oidc/logout(may already be populated from the discovery endpoint) - Enable Backchannel logout
Also ensure your Auth0 application has the correct Allowed Logout URLs (see Step 1).
Keycloak needs to map Auth0's token claims to local user attributes. Without these, the username will be set to Auth0's raw user ID (e.g. auth0|abc123) which contains invalid characters.
- In the Auth0 identity provider settings, click the Mappers tab
- Click Add mapper for each of the following:
Auth0's sub claim looks like auth0|665065950e64e810e52d03ea, which Keycloak rejects because the | character is invalid in usernames. This mapper uses the email address as the username instead.
| Field | Value |
|---|---|
| Name | username |
| Mapper type | Username Template Importer |
| Template | ${CLAIM.email} |
| Field | Value |
|---|---|
| Name | email |
| Mapper type | Attribute Importer |
| Claim | email |
| User Attribute Name | email |
| Field | Value |
|---|---|
| Name | first-name |
| Mapper type | Attribute Importer |
| Claim | given_name |
| User Attribute Name | firstName |
| Field | Value |
|---|---|
| Name | last-name |
| Mapper type | Attribute Importer |
| Claim | family_name |
| User Attribute Name | lastName |
Click Save after each mapper.
When a user logs in via Auth0 for the first time, Keycloak's First Broker Login flow determines what happens. The default flow:
- Reviews the user's profile
- Creates a local Keycloak account
- Links it to the Auth0 identity
This works well for most setups. If you want to skip the review page and create users silently:
- Go to Authentication in the left sidebar
- Find first broker login flow
- Click the settings icon on Review Profile and set it to Disabled
- Open your OpenCASE Editor:
https://YOUR_DOMAIN - Click Sign in
- On the Keycloak login page, you should see an Auth0 button (or whatever display name you set)
- Click it -- you'll be redirected to Auth0's login page
- Authenticate with your Auth0 credentials
- You'll be redirected back to OpenCASE, now logged in
First login: Keycloak may show a profile review page asking you to confirm your email and name. After this, subsequent logins go straight through.
Users who log in via Auth0 are created in Keycloak with no roles by default. To give them access to OpenCASE features, you need to assign roles:
- In the Keycloak Admin Console, go to Users
- Find the Auth0 user (they appear after their first login)
- Click on the user > Role mappings tab
- Assign the appropriate client roles for their tenant (e.g.
case.read,case.write,case.owner)
To assign a default role to all Auth0 users automatically:
- Go to Identity providers > auth0 > Mappers tab
- Click Add mapper
- Configure:
| Field | Value |
|---|---|
| Name | default-role |
| Mapper type | Hardcoded Role |
| Role | (select the role to assign) |
The callback URL in Auth0 doesn't match what Keycloak sends. Verify the Allowed Callback URLs in Auth0 matches exactly:
https://YOUR_DOMAIN/realms/opencase/broker/auth0/endpoint
Check for trailing slashes, http vs https, and port numbers.
The discovery endpoint URL is wrong. It should be:
https://YOUR_AUTH0_DOMAIN/.well-known/openid-configuration
Auth0 might not be returning the email claim. In Auth0:
- Go to Actions > Flows > Login
- Add a custom action that ensures the email claim is in the ID token:
exports.onExecutePostLogin = async (event, api) => {
if (event.user.email) {
api.idToken.setCustomClaim('email', event.user.email);
}
};Or verify that the Default Scopes in Keycloak's Auth0 IdP config include email.
Auth0's sub claim contains a | character that Keycloak doesn't allow in usernames. Add a Username Template Importer mapper (see Step 3) that uses ${CLAIM.email} as the template.
Set Trust Email to On in the Auth0 identity provider settings in Keycloak (Step 2).
Make sure the Auth0 identity provider is Enabled (toggle at the top of the IdP settings page in Keycloak).
If you want users to go directly to Auth0 without seeing the Keycloak login page:
- Go to Authentication > Browser flow
- Click the settings icon on Identity Provider Redirector
- Set Default Identity Provider to
auth0
Now when users click "Sign in", they'll be sent directly to Auth0. To still allow direct Keycloak login (e.g. for admin), append ?kc_idp_hint= (empty) to the login URL.
Keycloak remains the OIDC provider for OpenCASE. Auth0 is an upstream identity source. This means:
- OpenCASE only talks to Keycloak (no Auth0 dependency in code)
- Roles and scopes are managed in Keycloak
- You can add more IdPs later (Google, Azure AD, SAML, etc.) without changing OpenCASE
- User accounts are local to Keycloak, linked to their Auth0 identity