Hello everyone,
I have some questions and need some help about Groups and Users in Auth0:
I’m trying to set SSO login with Auth0 on a website (based on BookStack from Dan Brown). I was able to set it that the users are able to connect and register to the website with the Auth0 login prompt.
But the website has user Roles (used like “Groups”) and I didn’t success to set the Groups the users belong to in Auth0 that it matches with the user Roles of the website.
BookStack has instruction for Group Sync with OpenID Connect with Otka. But I wasn’t able to do it with Auth0… (in Otka, you just create Groups, add them to a user, and voilà…)
I tried to use the Authorization Extension, so the Groups and Roles of users can be seen in their app_metadata, but when users are logging in through Auth0, those data are not retrieved through the token, and the Groups assigned in Auth0 are not taken into consideration by the website.
I’ve tried to set an Action in the Login flow, but it seems that we can’t set Actions for the Authorization extension (it did it before through Rules)…
(btw, it will be nice to warn people that this extension is quiet unuseful (if it is the case as I guess), because I understood this only after a while! and I don’t see what we can do with this extension if we can’t set Action with it…)
The parameters I have to set in the .env file of the website root to connect an OIDC issuer are as follow:
# Enable OIDC group sync.
OIDC_USER_TO_GROUPS=true
# Set the attribute from which BookStack will read groups names from.
OIDC_GROUPS_CLAIM=groups
# Additional scopes to send with the authentication request.
# By default BookStack only sends the 'openid', 'profile' & 'email' scopes.
# Many platforms require specific scopes to be requested for group data.
# Multiple scopes can be added via comma separation.
OIDC_ADDITIONAL_SCOPES=groups
# Remove the user from roles that don't match OIDC groups upon login.
# Note: While this is enabled the "Default Registration Role", editable within the
# BookStack settings view, will be considered a matched role and assigned to the user.
OIDC_REMOVE_FROM_GROUPS=true
Actually, when users login to the website through Auth0, they are added as a new registered users every time they login (even if they were already registered both on the website and Auth0, and even if Roles/Groups have been set for them before), and their Roles/Groups are deleted on the website if there were any (what it is an issue)…
I know we can give Roles to users in Auth0 with the Authorization Core system, but I don’t see how to send the information to the website, nor I understand how to do it through an Action…
So, can someone help me on this ?
At least to explain me how to set Actions in the Login flow to be able to add Roles into the token sent to the website when users login, and eventually how to set the .env parameters to make this working?..
Thanks