webiny-configure-auth0
Configuring Auth0 as an identity provider (IDP) for Webiny projects. Use this skill when the developer asks about Auth0 authentication, Auth0 SSO, replacing Cognito with Auth0, setting up external identity providers, configuring OIDC authentication, mapping JWT claims to Webiny identities, or customizing the Auth0 login flow. Also relevant when asking about AUTH0_ISSUER, AUTH0_CLIENT_ID environment variables, Auth0IdpConfig, or the MyAuth0Extension pattern.
Best use case
webiny-configure-auth0 is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configuring Auth0 as an identity provider (IDP) for Webiny projects. Use this skill when the developer asks about Auth0 authentication, Auth0 SSO, replacing Cognito with Auth0, setting up external identity providers, configuring OIDC authentication, mapping JWT claims to Webiny identities, or customizing the Auth0 login flow. Also relevant when asking about AUTH0_ISSUER, AUTH0_CLIENT_ID environment variables, Auth0IdpConfig, or the MyAuth0Extension pattern.
Teams using webiny-configure-auth0 should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/configure-auth0/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How webiny-configure-auth0 Compares
| Feature / Agent | webiny-configure-auth0 | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configuring Auth0 as an identity provider (IDP) for Webiny projects. Use this skill when the developer asks about Auth0 authentication, Auth0 SSO, replacing Cognito with Auth0, setting up external identity providers, configuring OIDC authentication, mapping JWT claims to Webiny identities, or customizing the Auth0 login flow. Also relevant when asking about AUTH0_ISSUER, AUTH0_CLIENT_ID environment variables, Auth0IdpConfig, or the MyAuth0Extension pattern.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
AI Agents for Freelancers
Browse AI agent skills for freelancers handling client research, proposals, outreach, delivery systems, documentation, and repeatable admin work.
SKILL.md Source
# Configure Auth0 Authentication
## TL;DR
Webiny supports Auth0 as an external identity provider (IDP) to replace the default Cognito authentication. First, install the `@webiny/auth0` package (using the same version as the `webiny` dependency in `package.json`). Then create two files: an API config class that maps Auth0 JWT claims to Webiny identity data (`Auth0IdpConfig`), and a React extension component (`<Auth0 />`) that wires issuer URL, client ID, and the API config path. Register the extension in `webiny.config.tsx`, set two environment variables (`AUTH0_ISSUER`, `AUTH0_CLIENT_ID`), and deploy.
## Pattern / Core Concept
Auth0 integration has two parts:
1. **API Config** — A class implementing `Auth0IdpConfig.Interface` that maps JWT token claims to Webiny's identity structure. Registered via `Auth0IdpConfig.createImplementation()` (the universal DI pattern).
2. **Extension Component** — A React component that renders `<Auth0 />` from `@webiny/auth0`, passing the issuer URL, client ID, and path to the API config file. The `<Auth0 />` component handles environment variable injection, API extension registration, and Admin login screen setup automatically.
### How `<Auth0 />` Works Internally
The `<Auth0 />` component (from `@webiny/auth0`) is a `defineExtension` that:
- Sets Lambda env vars: `AUTH0_ISSUER`, `AUTH0_CLIENT_ID`
- Sets Admin app env vars: `REACT_APP_IDP_TYPE=auth0`, `REACT_APP_AUTH0_ISSUER`, `REACT_APP_AUTH0_CLIENT_ID`
- Registers the internal `Auth0IdpFeature` API extension (OIDC token verification)
- Registers your custom API config extension (identity mapping)
- Registers the Admin Auth0 login screen extension
## Reference Tables
### `Auth0IdpConfig.Interface`
| Method | Signature | Required | Description |
| ------------------- | ---------------------------------------------------------------- | -------- | ----------------------------------------------------- |
| `getIdentity` | `(token: JwtPayload) => Auth0Identity \| Promise<Auth0Identity>` | Yes | Maps JWT claims to Webiny identity data |
| `verifyTokenClaims` | `(token: JwtPayload) => void \| Promise<void>` | No | Custom claim verification (throw to reject the token) |
### `Auth0Identity` (Return Type of `getIdentity`)
| Field | Type | Description |
| ------------- | -------------------------------- | ------------------------------------------------ |
| `id` | `string` | Unique user ID (typically `token["sub"]`) |
| `displayName` | `string` | User's display name |
| `roles` | `string[]` | Webiny security roles to assign |
| `teams` | `string[]` | Webiny teams (optional, filter out falsy values) |
| `profile` | `{ firstName, lastName, email }` | User profile fields |
| `context` | `object` | Runtime data (not stored in DB) |
### `<Auth0 />` Component Props
| Prop | Type | Description |
| ----------- | -------- | -------------------------------------------------------- |
| `issuer` | `string` | Auth0 issuer URL (e.g., `https://your-tenant.auth0.com`) |
| `clientId` | `string` | Auth0 application client ID |
| `apiConfig` | `string` | Absolute path to the API config file |
### Environment Variables
| Variable | Used By | Description |
| ----------------- | ----------- | --------------------------- |
| `AUTH0_ISSUER` | API + Admin | Auth0 issuer URL |
| `AUTH0_CLIENT_ID` | API + Admin | Auth0 application client ID |
## Full Examples
### Example 1: Basic Auth0 Configuration
**Step 0: Install the `@webiny/auth0` dependency**
`@webiny/auth0` is an optional dependency. Add it to `package.json` using the same version as the `webiny` dependency, then install:
```bash
# Check the webiny version in package.json, then add @webiny/auth0 with the same version
# For example, if "webiny": "^0.0.0-unstable.xxx":
yarn add @webiny/auth0@^0.0.0-unstable.xxx
```
> **Important:** After adding the dependency, tell the user to run `yarn` to install it. Do NOT run `yarn` automatically — let the user do it.
**Step 1: Create the API config**
Create `extensions/auth0/MyAuth0Config.ts`:
```typescript
import { Auth0IdpConfig } from "@webiny/auth0";
class MyIdpConfig implements Auth0IdpConfig.Interface {
getIdentity(token: Auth0IdpConfig.JwtPayload) {
return {
id: String(token["sub"]),
displayName: token["name"],
roles: ["full-access"],
profile: {
firstName: token["given_name"],
lastName: token["family_name"],
email: token["email"]
},
context: {
canAccessTenant: true,
defaultTenant: "root"
}
};
}
}
const MyAuth0Config = Auth0IdpConfig.createImplementation({
implementation: MyIdpConfig,
dependencies: []
});
export default MyAuth0Config;
```
**Step 2: Create the extension component**
Create `extensions/auth0/MyAuth0Extension.tsx`:
```tsx
import React from "react";
import { Auth0 } from "@webiny/auth0";
export const MyAuth0Extension = () => {
return (
<Auth0
issuer={String(process.env.AUTH0_ISSUER)}
clientId={String(process.env.AUTH0_CLIENT_ID)}
apiConfig={import.meta.dirname + "/MyAuth0Config.ts"}
/>
);
};
```
**Step 3: Register in `webiny.config.tsx`**
```tsx
import React from "react";
import { MyAuth0Extension } from "./extensions/auth0/MyAuth0Extension.js";
export const Extensions = () => {
return (
<>
{/* Replace <Cognito /> with Auth0 */}
<MyAuth0Extension />
{/* ... other extensions ... */}
</>
);
};
```
**Step 4: Set environment variables**
Add to your `.env` file (or CI/CD environment):
```
AUTH0_ISSUER=https://your-tenant.auth0.com/
AUTH0_CLIENT_ID=your-auth0-client-id
```
**Step 5: Deploy**
```bash
yarn webiny deploy
```
### Example 2: Custom Claim Verification
If your Auth0 setup uses custom claims (e.g., via Auth0 Actions or Rules) that need validation:
```typescript
import { Auth0IdpConfig } from "@webiny/auth0";
class MyIdpConfig implements Auth0IdpConfig.Interface {
getIdentity(token: Auth0IdpConfig.JwtPayload) {
return {
id: String(token["sub"]),
displayName: token["name"],
roles: [token["https://webiny.com/role"]],
profile: {
firstName: token["given_name"],
lastName: token["family_name"],
email: token["email"]
},
context: {
canAccessTenant: true,
defaultTenant: "root"
}
};
}
verifyTokenClaims(token: Auth0IdpConfig.JwtPayload) {
// Reject tokens without the required custom claim
if (!token["https://webiny.com/role"]) {
throw new Error("Token is missing the 'https://webiny.com/role' claim.");
}
// Reject tokens from unauthorized organizations
if (token["org_id"] && token["org_id"] !== "org_expected") {
throw new Error("User does not belong to the authorized organization.");
}
}
}
const MyAuth0Config = Auth0IdpConfig.createImplementation({
implementation: MyIdpConfig,
dependencies: []
});
export default MyAuth0Config;
```
### Example 3: Using DI Dependencies in Config
If your config needs access to other Webiny services (e.g., to look up tenant-specific roles):
```typescript
import { Auth0IdpConfig } from "@webiny/auth0";
import { TenantContext } from "webiny/api/tenancy";
class MyIdpConfig implements Auth0IdpConfig.Interface {
constructor(private tenantContext: TenantContext.Interface) {}
getIdentity(token: Auth0IdpConfig.JwtPayload) {
const tenant = this.tenantContext.getTenant();
return {
id: String(token["sub"]),
displayName: token["name"],
roles: [token["https://webiny.com/role"]],
profile: {
firstName: token["given_name"],
lastName: token["family_name"],
email: token["email"]
},
context: {
canAccessTenant: true,
defaultTenant: tenant?.id ?? "root"
}
};
}
}
const MyAuth0Config = Auth0IdpConfig.createImplementation({
implementation: MyIdpConfig,
dependencies: [TenantContext]
});
export default MyAuth0Config;
```
## Quick Reference
### Imports
```typescript
// API config
import { Auth0IdpConfig } from "@webiny/auth0";
// Extension component
import { Auth0 } from "@webiny/auth0";
```
### Key Interfaces
| Interface | Package | Purpose |
| ----------------------------- | --------------- | -------------------------------- |
| `Auth0IdpConfig.Interface` | `@webiny/auth0` | API-side JWT-to-identity mapping |
| `Auth0IdpConfig.JwtPayload` | `@webiny/auth0` | JWT token payload type |
| `Auth0IdpConfig.IdentityData` | `@webiny/auth0` | Identity return type |
### File Structure
```
extensions/auth0/
├── MyAuth0Config.ts # API config (JWT claim mapping)
└── MyAuth0Extension.tsx # Extension component (Auth0 setup)
```
### Registration
In `webiny.config.tsx`, replace `<Cognito />` with `<MyAuth0Extension />`.
### Deploy
```bash
yarn webiny deploy # Deploy all (Core + API + Admin)
```
Both API and Admin need to be redeployed since Auth0 affects both the backend (token verification, identity mapping) and the frontend (login screen).
## Related Skills
- **webiny-configure-okta** — Alternative IDP: configuring Okta authentication
- **webiny-dependency-injection** — The universal DI pattern used by `Auth0IdpConfig.createImplementation()`
- **webiny-project-structure** — How `webiny.config.tsx` and extensions are organized
- **webiny-local-development** — Deploying and testing your Auth0 configurationRelated Skills
webiny-v5-to-v6-migration
Migration patterns for converting v5 Webiny code to v6 architecture. Use this skill when migrating existing v5 plugins to v6 features, converting context plugins to DI services, adapting v5 event subscriptions to v6 EventHandlers, or understanding how v5 patterns translate to v6. Targeted at AI agents performing migrations.
webiny-api-permissions
Schema-based permission system for API features. Use this skill when implementing authorization in use cases, defining permission schemas with createPermissionSchema, creating injectable permissions via createPermissionsAbstraction/createPermissionsFeature, checking read/write/delete/publish permissions, handling own-record scoping, or testing permission scenarios. Covers the full pattern from schema definition to use case integration to test matrices.
webiny-admin-permissions
Admin-side permission UI registration and DI-backed permission checking. Use this skill when adding permission controls to the admin UI — schema-based auto-generated forms, injectable permissions via createPermissionsAbstraction/ createPermissionsFeature, typed hooks (createUsePermissions), the HasPermission component (createHasPermission), and the Security.Permissions component props. Covers both simple apps and complex multi-entity permission schemas.
webiny-sdk
Using @webiny/sdk to read and write CMS data from external applications. Use this skill when the developer is building a Next.js, Vue, Node.js, or any external app that needs to fetch or write content to Webiny, set up the SDK, use the Result pattern, list/get/create/update/publish entries, filter and sort queries, use TypeScript generics for type safety, work with the File Manager, or create API keys programmatically. Covers read vs preview mode, the `values` wrapper requirement, correct method names, and the `fields` required parameter.
webiny-project-structure
Webiny project layout, webiny.config.tsx anatomy, and extension registration. Use this skill when the developer asks about folder structure, where custom code goes, how to register extensions, what webiny.config.tsx does, or how the project is organized. Also use when they need to understand the relationship between extensions/, webiny.config.tsx, and the different extension types (Api, Admin, Infra, CLI).
webiny-local-development
Deploying, developing locally, managing environments, and debugging Webiny projects. Use this skill when the developer asks about deployment commands (deploy, destroy, info), local development with watch mode (API or Admin), the Local Lambda Development system, environment management (long-lived vs short-lived, production vs dev modes), build parameters, state files, debugging API/Admin/Infrastructure errors, or the redeploy-after-watch requirement.
webiny-infrastructure-extensions
Modifying AWS infrastructure using Pulumi handlers and declarative Infra components. Use this skill when the developer wants to customize AWS infrastructure, add Pulumi handlers, configure OpenSearch, VPC, resource tags, regions, custom domains, blue-green deployments, environment-conditional config, or manage production vs development infrastructure modes. Covers CorePulumi.Interface, all <Infra.*> declarative components, and <Infra.Env.Is>.
webiny-infra-catalog
Infrastructure — 33 abstractions. Infrastructure extensions.
webiny-extensions-catalog
extensions — 5 abstractions.
webiny-cli-command-catalog
cli/command — 1 abstractions.
webiny-cli-catalog
cli — 2 abstractions.
webiny-api-tenant-manager-catalog
API — Tenant Manager — 2 abstractions. Tenant management event handlers and use cases.