OIDC authentication with Auth0
OpenID Connect (OIDC) is an internet-scale federated identity and authentication protocol built on top of the OAuth 2.0 authorization framework and the JSON Object Signing and Encryption (JOSE) cryptographic system. It extends OAuth 2.0's delegated-authorization flow so that a user can authorize a third-party application to receive the user's identity and authentication information from the identity provider, delivered as a signed ID token.
The OIDC authentication method allows Boundary users to delegate authentication to an OIDC provider. This lets Boundary integrate with popular identity providers like Auth0, cloud-hosted Active Directory services with an OIDC frontend, and cloud identity management systems such as AWS IAM.
Boundary users can create, read, update, and delete OIDC authentication methods using the Admin Console UI, the Boundary CLI, or the Boundary Terraform provider. OIDC auth methods can also be used to log in to the Admin Console and the Boundary Desktop app.
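As an added example (not part of the original tutorial), the following Terraform configuration creates an OIDC auth method backed by an Auth0 tenant using the Boundary Terraform provider. The variable names, the use of an existing password auth method to bootstrap the provider, and the issuer URL format are assumptions; substitute the values from your own Auth0 application and Boundary deployment.

```hcl
terraform {
  required_providers {
    boundary = {
      source = "hashicorp/boundary"
    }
  }
}

# Assumed inputs; supply them via terraform.tfvars or TF_VAR_* environment variables.
variable "boundary_addr" {
  description = "Boundary controller address, e.g. http://127.0.0.1:9200 in dev mode or your HCP cluster URL"
  type        = string
}

variable "password_auth_method_id" {
  description = "Existing password auth method (ampw_...) used only to bootstrap the provider"
  type        = string
}

variable "admin_login_name" {
  type = string
}

variable "admin_password" {
  type      = string
  sensitive = true
}

variable "auth0_issuer" {
  description = "Auth0 tenant issuer URL including the trailing slash, e.g. https://YOUR_TENANT.us.auth0.com/ (assumed)"
  type        = string
}

variable "auth0_client_id" {
  type = string
}

variable "auth0_client_secret" {
  type      = string
  sensitive = true # kept out of plan output and CLI logs
}

# Authenticate the provider with the bootstrap password auth method; once the
# OIDC method below exists, everyday logins can go through Auth0 instead.
provider "boundary" {
  addr                            = var.boundary_addr
  auth_method_id                  = var.password_auth_method_id
  password_auth_method_login_name = var.admin_login_name
  password_auth_method_password   = var.admin_password
}

resource "boundary_auth_method_oidc" "auth0" {
  name        = "auth0"
  description = "OIDC auth method delegating authentication to an Auth0 tenant"
  scope_id    = "global"

  issuer        = var.auth0_issuer
  client_id     = var.auth0_client_id
  client_secret = var.auth0_client_secret

  # Auth0 signs ID tokens with RS256 by default; allowing only that algorithm
  # means tokens signed with anything else are rejected.
  signing_algorithms = ["RS256"]

  # Boundary derives its OIDC callback URL from this prefix, so it must be the
  # address the user's browser can reach and the one registered in Auth0.
  api_url_prefix = var.boundary_addr

  # 0 forces the user to re-authenticate with Auth0 on every Boundary login
  # rather than silently reusing an existing IdP session.
  max_age = 0

  # Create a Boundary user automatically for each newly authenticated account.
  is_primary_for_scope = true

  # A new OIDC auth method starts inactive; active-public makes it usable for
  # login and discoverable by clients.
  state = "active-public"
}

output "oidc_auth_method_id" {
  value = boundary_auth_method_oidc.auth0.id
}
```

After `terraform init` and `terraform apply`, log in with `boundary authenticate oidc -auth-method-id $(terraform output -raw oidc_auth_method_id)`. The Auth0 application must list Boundary's callback, `<api_url_prefix>/v1/auth-methods/oidc:authenticate:callback`, as an allowed callback URL, otherwise Auth0 refuses to redirect back and the login never completes.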
This tutorial provides an example of setting up OIDC with the Auth0 provider and managing OIDC authentication methods.
OIDC authentication methods overview
- Authentication workflow
- Auth0 configuration
- Auth method creation
- Authentication states
- OIDC authentication
Prerequisites
- A Boundary binary greater than 0.8.0 in your PATH. This tutorial assumes you can connect to an HCP Boundary cluster or launch Boundary in dev mode.
- An Auth0 test account. The associated email address should not be tied to another SSO method, so a personal account is recommended.
- Installing the Boundary Desktop app provides an optional workflow for this tutorial. Version 1.2.0 or later is required for OIDC support.
- Installing Terraform 0.13.0 or greater provides an optional workflow for this tutorial. The binary must be available in your PATH.
Get set up
In this tutorial, you will test OIDC integrations using HCP Boundary or by running a Boundary controller locally using dev mode.
The HCP Quickstart tutorials provide an overview of getting started with an HCP Boundary cluster.
If you have an HCP Boundary cluster deployed, the Access HCP Boundary tutorial provides an overview of configuring your local machine to authenticate with your HCP cluster.
This tutorial provides both CLI and UI workflows for setting up OIDC authentication.
To proceed with the UI workflow:
Open the Admin Console UI by entering your HCP Boundary cluster URL into a browser (such as https://e58fe114-7624-431c-994d-b6670e90b03J.boundary.hashicorp.cloud). Enter the admin username and password you created when you deployed the new instance and click Authenticate.