How best to configure Auth0/Auth0's Wordpress plugin with Multisite?

I want to use Wordpress Multisite to run several discrete sites for various customers. Each site will have its own user base, and no user base should have access to sites other than own. A few of the users (maybe 10%) will have Google, Facebook, Microsoft, or an Enterprise login connection, the others will authenticate using Wordpress’ database (but still though Auth0).

How best to set this up? Is it enough to set up multiple apps under one tenant, set up all the connectors with relevant approved domains and then only activate the right connection on the right app? Or should I have each Multisite site have its own tenant? Not entirely sure what the “Auth0” way would be of doing this, or if this is a situation for which some other authentication solution would be preferable.

@sc.atter - This is definitely something you should think through completely before getting started and we’re happy to help provide guidance.

I would suggest you run the Setup Wizard separately for each site in the network. This will create a separate Application and Database Connection for each site. This would mean that a user will need to register for each site separately, if they want access to more than one. It would also mean separate user accounts for each. You could also share a database connection with one Application for each site, which would allow users with existing accounts to login to other sites (assuming they have the permissions in WP). It sounds like you want things totally separate so the separate DBs is probably the way to go.

Having the separate Applications is the key, though. That would allow you to activate certain connections for certain sites and not for others.

1 Like

Thanks for clarification! Is it enough to have separate connections for separate apps, or should I do more with Auth0’s after-login Wordpress hooks to further block users from getting into other sites where they shouldn’t be?

Unless you’re using the Authorization extension combined with some kind of custom syncing on the WordPress side, all of your access control will happen on WordPress. Auth0 knows whether you are who you say you are but not what you’re allowed to do, by default. If you already have all the users and permissions setup on WordPress then it should work fine to just have them log in with Auth0 and keep all the existing capabilities. The Applications/Connections will not permit them to do anything besides log in or register.