Using Auth0 to Add Authentication and Authorization Services to Sitecore
Having a unified login experience where users can leverage their social logins and other providers is a highly desired feature for member and customer-based portals. Integrating each authentication and authorization service separately is a large and implicitly costly endeavor, especially when factoring in keeping connections up to date to meet the requirements of external providers such as Google and Facebook. This is where Auth0, as a platform for housing authentication and authorization services, plays a role.
Contents
- 1 Why Use an External Authentication and Authorization Service
- 2 Integrating Auth0 into Your Application Stack
- 3 Social Connections
- 4 Auth0 Sitecore Integration Options
- 5 Importing Existing Users in Custom Databases
- 6 Linking Existing Users
Why Use an External Authentication and Authorization Service
Before we dive into how to leverage Auth0 with your Sitecore implementation, it’s imperative to understand the key benefits.
The most common benefits of using Auth0 are as follows:
- Centralization and ease of use for common providers like Google, Facebook, GitHub, etc.
- Reduces the barrier of users having to create accounts specific to your site (that may be forgotten, etc.)
- May help conversion/registration rates due to ease of use and trust of providers like Google and Facebook
- You still get user information sent back and can leverage this like any other logged in user
- Importing your existing customer records into Auth0 unifies external providers with the records created as part of your custom registration system already in use
- Users can link their existing account with their social accounts to ensure a single source of truth for their identity
- Integrating Auth0 in your application stack (more on that later) is clearly documented and modularized via several options
- Adding social connections once you have the base Auth0 integration is achieved through a plugin/marketplace
- Auth0 keeps up with the ever-changing requirements social providers have for their logins
Integrating Auth0 into Your Application Stack
From traditional web apps and single page applications to mobile applications and backend systems/APIs, Auth0 has a ton of “Quickstarts” for configuring Auth0 with your application stack. Check out these integration types at: https://auth0.com/docs/quickstart/webapp
For Sitecore, we will cover the common integration types later in this article, as the choice depends on whether you are running a traditional MVC .NET Framework application, .NET Core Rendering Host, Sitecore JSS/Headless Host, or even Federation if you are looking to leverage Sitecore’s Identity Service for your extranet.
Social Connections
Once you have the base Auth0 integration in place, you will want to add the “Social Connections” you want to display as part of your unified login experience. There is a large marketplace with the integrations at: https://marketplace.auth0.com/features/social-connections
For examples, check out two of the most common integration types of Google and Facebook as follows:
- Google Social Connection: Google / Gmail Integration with Auth0
- Facebook Social Connection: Facebook Integration with Auth0
Auth0 Sitecore Integration Options
Using Auth0 with your Sitecore environment largely depends on your rendering host. From traditional Content Delivery servers running .NET Framework, to .NET Core and Sitecore JSS… the following sections detail the differences with a nod towards Federation for those who want to extend their Extranet.
Traditional Sitecore ASP.NET Framework Host/Content Delivery
Traditional Sitecore with Content Delivery servers leverages .NET Framework. Integration with external providers uses Owin middleware to accomplish what is required.
The Auth0 QuickStart for this Sitecore integration option is at: Auth0 ASP.NET (OWIN) SDK Quickstarts: Add Login to your ASP.NET Owin application
.NET Framework/Content Delivery Flow
Unlike many of the other Auth0 integrations, for Traditional .NET Framework, Auth0 recommends leveraging Microsoft’s standard OWIN library.
Auth0 provides the following decision matrix for which NuGet packages to leverage.
Application type | NuGet package(s)
---|---
ASP.NET MVC | Microsoft.Owin.Security.OpenIdConnect
ASP.NET Core MVC | Auth0.AspNetCore.Authentication
Razor Pages | Auth0.AspNetCore.Authentication
Blazor Server | Auth0.AspNetCore.Authentication
Blazor WebAssembly | Microsoft.AspNetCore.Components.WebAssembly.Authentication
Xamarin | Auth0.OidcClient.Android, Auth0.OidcClient.iOS (.NET Framework and .NET (Core))
WPF | Auth0.OidcClient.WPF
WinForms | Auth0.OidcClient.WinForms
UWP | Auth0.OidcClient.UWP
MAUI | IdentityModel.OidcClient
Console | Auth0.AuthenticationApi (.NET Framework and .NET (Core))
Key Links
- Auth0 ASP.NET (OWIN) SDK Quickstarts: Add Login to your ASP.NET Owin application
- Content Delivery | Sitecore Documentation
- Microsoft.Owin.Security.OpenIdConnect
- How to Choose the Right .NET SDK for Auth0
Sitecore ASP.NET Core Rendering SDK/Host
Running Sitecore via an ASP.NET Core Rendering Host with Headless Services opens other options for Auth0 when it comes to integration. The primary benefit is ease of integration via Auth0’s own NuGet package versus Owin.
The Auth0 QuickStart for this Sitecore integration option is at: Auth0 ASP.NET Core MVC SDK Quickstarts: Add Login to your ASP.NET MVC application
.NET Core Rendering Host Flow
Key Links
- Auth0 ASP.NET Core MVC SDK Quickstarts: Add Login to your ASP.NET MVC application
- Headless development with the ASP.NET Rendering SDK | Sitecore Documentation
- ASP.NET Core Rendering Engine | Sitecore Documentation
- Sitecore ASP.NET Rendering SDK | Sitecore Documentation
Sitecore JSS Rendering SDK/Host
Whether using Sitecore Headless Services or Sitecore Experience Edge, Auth0 has several options to integrate with Sitecore. The choice depends on whether you are using Angular, React, Vue, or Next.
The Auth0 Quickstarts for this Sitecore integration option are as follows:
- Angular: Auth0 Angular SDK Quickstarts: Add Login to your Angular Application
- React: Auth0 React SDK Quickstarts: Add Login to your React App
- Vue: Auth0 Vue SDK Quickstarts: Add Login to your Vue App
- Next: Auth0 Next.js SDK Quickstarts: Add Login to your Next.js application
Sitecore JSS Rendering Host Flow
Key Links
- Auth0 Angular SDK Quickstarts: Add Login to your Angular Application
- Auth0 React SDK Quickstarts: Add Login to your React App
- Auth0 Vue SDK Quickstarts: Add Login to your Vue App
- Auth0 Next.js SDK Quickstarts: Add Login to your Next.js application
- Architecture overview | Sitecore Documentation
- SDKs for React, Angular, Vue, and React Native | Sitecore Documentation
- Sitecore JavaScript Rendering SDK (JSS) for Next.js | Sitecore Documentation
Federation with Sitecore or Sitecore Cloud Portal
If you created a Sitecore-based Extranet with a front-end login and want to offer an Auth0 unified login, Federation via Owin is the primary option. NOTE: You should never expose your CMS to the public, and this is not intended for Content Author logins, but rather for a front-end delivered Extranet.
Per Sitecore, “ASP.NET Identity uses Owin middleware components to support external authentication providers. These external providers allow federated authentication within the Sitecore Experience Platform” – Using federated authentication with Sitecore | Sitecore Documentation
Auth0 does not provide a Quickstart for this scenario, but Sitecore and the Sitecore community offer the following:
- Using federated authentication with Sitecore | Sitecore Documentation
- Single Sign-On with Auth0 in Sitecore – Practical Implementation | LinkedIn
For those leveraging XM Cloud who want to add Auth0 to the Sitecore Cloud Portal for Single Sign On (SSO), you would leverage OpenID Connect (OIDC). Guidance is as follows:
Key Links
- Using federated authentication with Sitecore | Sitecore Documentation
- Single Sign-On with Auth0 in Sitecore – Practical Implementation | LinkedIn
- Configuring OpenID Connect (OIDC) | Sitecore Documentation
- Create Applications (auth0.com)
Importing Existing Users in Custom Databases
A common scenario is that you already have existing users/customers stored in a custom database tied to your application. These users log in to your application with credentials created (most commonly email) as part of your registration process/provider. However, if you desire to leverage Auth0, you will need to import these users to provide the Auth0 unified login experience.
Importing allows users to still log in to your application, but with the added benefit of being able to use their social logins while centralizing all users in a single data source (existing users and new users who will register due to the ease of use/security trust of social providers like their Google account).
Leveraging a custom database connection is a common use case for integrating your custom user database with the Auth0 database. Per the Auth0 documentation, the two benefits of using this approach are:
- Users are moved to Auth0 the first time they log in after you set up the integration
- Users are not asked to reset their password as a result of the migration
The following flow illustrates what happens when existing users log in via the Auth0 interface with the credentials from your custom database:
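The first-login migration described above can be modelled in a few lines. This is an added example, not code from Auth0 or from the original article: `legacyDb`, `legacyLogin`, `migrated` and `login` are hypothetical names, the user record is constructed, and scrypt stands in for whatever hash your custom database actually uses.

```javascript
const { scryptSync, timingSafeEqual, randomBytes } = require('node:crypto');

const derive = (password, salt) => scryptSync(password, salt, 32);
const matches = (password, rec) => timingSafeEqual(derive(password, rec.salt), rec.hash);

// Constructed stand-in for the existing custom user database.
const legacyDb = new Map();
function seedLegacyUser(email, password, name) {
  const salt = randomBytes(16);
  legacyDb.set(email, { email, name, salt, hash: derive(password, salt) });
}

// Plays the role of the login script run against the custom database:
// a profile on success, null for unknown user and wrong password alike.
function legacyLogin(email, password) {
  const row = legacyDb.get(email);
  if (!row || !matches(password, row)) return null;
  return { email: row.email, name: row.name };
}

// Model of the identity platform's own user store, filled lazily.
const migrated = new Map();
let legacyCalls = 0;

function login(rawEmail, password) {
  const email = rawEmail.trim().toLowerCase();
  const local = migrated.get(email);
  if (local) {
    // Already migrated: the legacy database is no longer consulted.
    return matches(password, local)
      ? { ok: true, source: 'migrated', profile: local.profile }
      : { ok: false };
  }
  legacyCalls += 1;
  const profile = legacyLogin(email, password);
  if (!profile) return { ok: false }; // failed attempts never create a record
  // First successful login: keep the profile and re-hash the password the
  // user just typed, which is why no password reset is needed.
  const salt = randomBytes(16);
  migrated.set(email, { salt, hash: derive(password, salt), profile });
  return { ok: true, source: 'legacy', profile };
}
```

Both failure paths return the same result shape, so the login response does not reveal whether an email exists in the legacy database.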
Linking Existing Users
Once Auth0 is integrated with Sitecore and your custom database users are imported, a final consideration is whether to allow linking. Linking allows users to combine their information across identity providers, giving them a consistent login and consistent profile information regardless of the provider they use. As an example, if you already have users in your system and the email is the same as their Google account, the data can be merged while providing a single user profile across login providers.
Per Auth0, the benefits of linking are as follows (User Account Linking (auth0.com)):
- Allows users to log in with any identity provider without creating a separate profile for each
- Allows registered users to use a new social or passwordless login but continue using their existing profile
- Allows users that registered using a passwordless login to link to an account with a more complete profile
- Allows your apps to retrieve user profile data stored in various connections
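Because the merge keys on a matching email, the check a practitioner would add is that both accounts have a verified email before they are linked; otherwise anyone who registers an unverified address at another provider could be attached to an existing profile. The following is an added example, not Auth0's or the article's code: `linkDecision` and `linkAccounts` are hypothetical helpers, the field names follow the Auth0 user profile (`email`, `email_verified`, `identities`), and the users are constructed.

```javascript
// Constructed sample users; field names follow the Auth0 user profile.
const dbUser = {
  user_id: 'auth0|constructed-1', email: 'ana@example.com', email_verified: true,
  identities: [{ provider: 'auth0', user_id: 'constructed-1', connection: 'legacy-users' }],
};
const googleVerified = {
  user_id: 'google-oauth2|constructed-2', email: 'Ana@Example.com', email_verified: true,
  identities: [{ provider: 'google-oauth2', user_id: 'constructed-2', connection: 'google-oauth2' }],
};
const socialUnverified = {
  user_id: 'facebook|constructed-3', email: 'ana@example.com', email_verified: false,
  identities: [{ provider: 'facebook', user_id: 'constructed-3', connection: 'facebook' }],
};

const norm = (e) => (e || '').trim().toLowerCase();

// Decide whether an incoming identity may be linked to an existing profile.
function linkDecision(primary, incoming) {
  if (!norm(primary.email) || norm(primary.email) !== norm(incoming.email)) {
    return { link: false, reason: 'email_mismatch' };
  }
  // A matching address proves nothing unless both providers verified it.
  if (primary.email_verified !== true || incoming.email_verified !== true) {
    return { link: false, reason: 'email_not_verified' };
  }
  const known = (id) => primary.identities.some(
    (p) => p.provider === id.provider && p.user_id === id.user_id);
  if (incoming.identities.every(known)) {
    return { link: false, reason: 'already_linked' };
  }
  return { link: true, reason: 'verified_email_match' };
}

// The primary profile keeps its user_id; the incoming identity is appended.
function linkAccounts(primary, incoming) {
  const decision = linkDecision(primary, incoming);
  if (!decision.link) return { ...decision, user: primary };
  const identities = [...primary.identities, ...incoming.identities];
  return { ...decision, user: { ...primary, identities } };
}
```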