Use Auth0 with Keycloak


I am trying to connect Auth0 to Keycloak so that my users can get into Keycloak using Auth0. The hurdles I am facing are how to implement this, and how to port users from one service to the other or add users. If a new user is added to Keycloak, how do they get Auth0 access, or vice versa?

Hi @anamr,
In your scenario I’m guessing that Keycloak is configured to federate OIDC to Auth0. So, after the user is authenticated in Auth0, Keycloak will receive the token and it will do Just-in-Time provisioning.
I’m not quite sure why you need to synchronize user creation from Keycloak to Auth0 - it’s a little bit strange - but you can do this with a custom SPI in Keycloak listening to the creation events, and then this custom module will call the Auth0: Users/post_users to create the user in Auth0.


Hi @anamr and @embesozzi and all others
I can confirm, Auth0 can be configured as an Identity Provider in Keycloak (e.g. as OIDC-v1) - you can authenticate users of your WebApp via Keycloak to Auth0.

But I have one problem - maybe someone can help me on this thread:
I was hoping to pass additional user attributes from Auth0 to the access token generated by Keycloak (e.g. email from Auth0 or full username from Auth0), but unfortunately this does not happen. Auth0 doesn’t seem to pass this information in the token to Keycloak.

Can you give me some tips? Or maybe my expectation of the content of the token is wrong, but so far I could transfer such information from Keycloak to my applications.


Hi @bartek.
Basically you have the following login flow:

  1. User tries to log in to KC
  2. KC redirects to Auth0 (OIDC flow) with some scopes, e.g., profile
  3. Auth0 shows the login page
  4. After the user is authenticated, Auth0 returns the Authz Code to KC
  5. KC requests the tokens from Auth0
  6. You can configure Mappers in KC, like Attribute Importer, in order to map the token claim to the user’s attribute
  7. If the user doesn’t exist in KC, KC executes the First Login Flow (in order to create the user locally)
  8. Lastly, it’s the standard OIDC federation process in KC; this means that KC returns the tokens to the app based on the requested scopes.

If you want to check the information in the Auth0 tokens, just for troubleshooting purposes, request the token from the Auth0 token endpoint with ROPC using the SAME scopes that you have configured in the KC Identity Provider.
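
The troubleshooting step above, as an added example that is not part of the thread: given a token obtained with the scopes configured in the Keycloak Identity Provider, it decodes the payload and reports, for each claim an Attribute Importer mapper reads, whether the claim is present or which standard OIDC scope would release it. The sample token, the `department` claim and the mapper claim list are constructed for illustration; the scope-to-claim table is the standard one from OpenID Connect Core, not an Auth0-specific behaviour.

```python
import base64
import json

# OIDC Core 1.0 section 5.4: claims released by each standard scope.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (troubleshooting only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with 3 dot-separated parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(jwt: str, requested_scopes: str, mapper_claims: list) -> dict:
    """Explain, per claim a Keycloak mapper reads, why it is or is not in the token."""
    claims, scopes, report = decode_claims(jwt), set(requested_scopes.split()), {}
    for claim in mapper_claims:
        scope = next((s for s, c in SCOPE_CLAIMS.items() if claim in c), None)
        if claim in claims:
            report[claim] = "present"
        elif scope is None:
            report[claim] = "non-standard claim: the IdP must add it explicitly"
        elif scope not in scopes:
            report[claim] = f"scope not requested: {scope}"
        else:
            report[claim] = "absent despite scope: check the IdP user profile"
    return report

def _seg(obj: dict) -> str:
    """Base64url-encode one JWT segment (used only to build the constructed sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token: what an IdP returns for scope "openid profile".
SAMPLE = ".".join([
    _seg({"alg": "RS256", "typ": "JWT"}),
    _seg({"iss": "https://tenant.example/", "sub": "auth0|constructed",
          "name": "Jane Doe", "nickname": "jane"}),
    "c2lnbmF0dXJlLW5vdC1jaGVja2Vk",  # placeholder signature, never verified here
])

if __name__ == "__main__":
    print(diagnose(SAMPLE, "openid profile", ["name", "email", "department"]))
```

A claim reported as "scope not requested" points at the scopes configured on the Identity Provider in Keycloak, while "absent despite scope" points at the user's data on the Auth0 side.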