Deploys an Auth0 Application (Client) with configurable OAuth flows, token settings, and optional API access grants. Supports all four Auth0 application types — native, SPA, regular web, and machine-to-machine — with full control over callbacks, refresh token behavior, JWT signing, and organization-aware authentication.
What Gets Created
When you deploy an Auth0Client resource, OpenMCF provisions:
- Auth0 Client (Application) — an auth0_client resource configured with the specified application type, OAuth settings, URL allowlists, and optional JWT/refresh token configuration
- Client Grants — created only when apiGrants is configured, one auth0_client_grant resource per entry authorizing this client to call the specified API with the listed scopes
Prerequisites
- Auth0 credentials configured via environment variables (AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET) or OpenMCF provider config
- An Auth0 tenant with sufficient application quota
- An Auth0 Resource Server if configuring apiGrants to authorize API access
- An Auth0 Connection if restricting the client to specific connections via enabledConnections
This creates a Single Page Application in Auth0 with default OAuth settings and OIDC-conformant behavior.
Configuration Reference
Required Fields
| Field | Type | Description | Validation |
| --- | --- | --- | --- |
| applicationType | string | The type of Auth0 application. Determines which OAuth flows and security settings apply. | Must be one of: native, spa, regular_web, non_interactive |
Optional Fields
General
| Field | Type | Default | Description |
| --- | --- | --- | --- |
| description | string | "" | Free-text description of the application. Maximum 140 characters. |
| logoUri | string | "" | URL of the application logo, displayed on consent and login pages. |
| clientMetadata | map<string, string> | {} | Custom metadata key-value pairs for application-specific configuration. Maximum 10 pairs. |
| clientAliases | string[] | [] | Alternative identifiers for this client, usable in authentication requests instead of client_id. |
URL Configuration
| Field | Type | Default | Description |
| --- | --- | --- | --- |
| callbacks | string[] | [] | Allowed callback URLs. Auth0 redirects here after authentication. Include both development and production URLs. |
| allowedLogoutUrls | string[] | [] | URLs that Auth0 can redirect to after logout. |
| webOrigins | string[] | [] | Allowed origins for web message response mode. Required for SPAs using popup or iframe-based authentication. |
| allowedOrigins | string[] | [] | CORS origins allowed for cross-origin requests from JavaScript applications. |
OAuth & Authentication
| Field | Type | Default | Description |
| --- | --- | --- | --- |
| grantTypes | string[] | per app type | OAuth grant types this application can use. Common values: authorization_code, implicit, refresh_token, client_credentials, password. If not specified, defaults are based on applicationType. |
| oidcConformant | bool | false | Enables stricter OIDC-conformant behavior. Recommended for new applications. |
| isFirstParty | bool | false | Marks this as a first-party application. First-party apps skip the user consent prompt. |
| crossOriginAuthentication | bool | false | Enables cross-origin authentication for embedded login forms in SPAs. |
| crossOriginLoc | string | "" | URL for cross-origin verification fallback. Used with crossOriginAuthentication for certain browsers. |
| sso | bool | false | Enables Single Sign-On. Users already logged in won't need to re-authenticate. |
| ssoDisabled | bool | false | Explicitly disables SSO, requiring authentication for each session. |
| isTokenEndpointIpHeaderTrusted | bool | false | When true, Auth0 uses the X-Forwarded-For header for IP-based features. |
Login & Organization
| Field | Type | Default | Description |
| --- | --- | --- | --- |
| customLoginPage | string | "" | Custom HTML for the login page. Only used when customLoginPageOn is true. |
| customLoginPageOn | bool | false | Enables the custom login page instead of Universal Login. |
| initiateLoginUri | string | "" | URL to initiate login for OIDC third-party initiated login flows. |
| organizationUsage | string | "" | How organizations are used with this app. Values: deny, allow, require. |
| organizationRequireBehavior | string | "" | When organizationUsage is require, determines prompt behavior. Values: no_prompt, pre_login_prompt, post_login_prompt. |
JWT Configuration (jwtConfiguration)
| Field | Type | Default | Description |
| --- | --- | --- | --- |
| jwtConfiguration.lifetimeInSeconds | int32 | 36000 | JWT expiration time in seconds. Range: 0–2592000 (30 days). |
URLs to receive logout tokens. Auth0 POSTs a logout token to these URLs on logout.
Connections (enabledConnections)
| Field | Type | Default | Description |
| --- | --- | --- | --- |
| enabledConnections | StringValueOrRef[] | [] | Limits which Auth0 connections this application can use. If empty, all connections are available. Can reference Auth0Connection resources via valueFrom. |
API Grants (apiGrants)
| Field | Type | Default | Description |
| --- | --- | --- | --- |
| apiGrants[].audience | StringValueOrRef | — | API identifier (Resource Server identifier) this client is authorized to access. Required per grant entry. Can reference Auth0ResourceServer resources via valueFrom. |
| apiGrants[].scopes | string[] | [] | Permissions granted for this API. If empty, the client gets access with no specific scopes. |
| apiGrants[].allowAnyOrganization | bool | false | Whether any organization can be used with this grant. Only relevant when using Auth0 Organizations. |
| apiGrants[].organizationUsage | string | "" | Whether organizations can be used with client credentials exchanges. Values: deny, allow, require. |
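The constraints in the reference above (allowed applicationType values, the 140-character description limit, the 10-pair clientMetadata limit, the JWT lifetime range, the organization enums, the required audience per grant, and the fact that only regular_web and non_interactive clients receive a client_secret) can be checked before a manifest is applied. The following validator is an added example, not OpenMCF's own code; the function name, the plain-dict spec shape, and the returned issue strings are assumptions of this example.

```python
# Added example, not part of OpenMCF: pre-apply validation of an Auth0Client
# spec (a plain dict keyed by the documented field names) against the
# constraints stated in the configuration reference.

APPLICATION_TYPES = {"native", "spa", "regular_web", "non_interactive"}
ORGANIZATION_USAGE = {"deny", "allow", "require"}
ORGANIZATION_REQUIRE_BEHAVIOR = {"no_prompt", "pre_login_prompt", "post_login_prompt"}
MAX_JWT_LIFETIME = 2592000  # documented upper bound: 30 days in seconds
# Only these types get a client_secret output, so only they can authenticate
# to the token endpoint for a client_credentials grant.
CONFIDENTIAL_TYPES = {"regular_web", "non_interactive"}


def validate_auth0_client_spec(spec: dict) -> list[str]:
    """Return human-readable problems; an empty list means the spec passes."""
    issues = []
    app_type = spec.get("applicationType")
    if app_type not in APPLICATION_TYPES:
        issues.append(f"applicationType must be one of {sorted(APPLICATION_TYPES)}, got {app_type!r}")
    if "client_credentials" in spec.get("grantTypes", []) and app_type not in CONFIDENTIAL_TYPES:
        issues.append(f"client_credentials grant on {app_type!r}, which has no client_secret")
    if len(spec.get("description", "")) > 140:
        issues.append("description exceeds 140 characters")
    if len(spec.get("clientMetadata", {})) > 10:
        issues.append("clientMetadata has more than 10 key-value pairs")
    usage = spec.get("organizationUsage", "")
    if usage and usage not in ORGANIZATION_USAGE:
        issues.append(f"organizationUsage must be one of {sorted(ORGANIZATION_USAGE)}, got {usage!r}")
    behavior = spec.get("organizationRequireBehavior", "")
    if behavior and behavior not in ORGANIZATION_REQUIRE_BEHAVIOR:
        issues.append(f"organizationRequireBehavior must be one of {sorted(ORGANIZATION_REQUIRE_BEHAVIOR)}")
    if behavior and usage != "require":
        issues.append("organizationRequireBehavior only applies when organizationUsage is 'require'")
    lifetime = spec.get("jwtConfiguration", {}).get("lifetimeInSeconds", 36000)
    if not 0 <= lifetime <= MAX_JWT_LIFETIME:
        issues.append(f"jwtConfiguration.lifetimeInSeconds must be in 0..{MAX_JWT_LIFETIME}, got {lifetime}")
    if spec.get("sso") and spec.get("ssoDisabled"):
        issues.append("sso and ssoDisabled are both true; choose one")
    if spec.get("customLoginPage") and not spec.get("customLoginPageOn"):
        issues.append("customLoginPage is set but ignored because customLoginPageOn is false")
    for i, grant in enumerate(spec.get("apiGrants", [])):
        if not grant.get("audience"):
            issues.append(f"apiGrants[{i}].audience is required")
        grant_usage = grant.get("organizationUsage", "")
        if grant_usage and grant_usage not in ORGANIZATION_USAGE:
            issues.append(f"apiGrants[{i}].organizationUsage must be one of {sorted(ORGANIZATION_USAGE)}")
    return issues


if __name__ == "__main__":
    # Constructed sample: an SPA that mistakenly asks for client_credentials.
    sample = {"applicationType": "spa", "grantTypes": ["authorization_code", "client_credentials"],
              "callbacks": ["https://app.example.com/callback"]}
    for problem in validate_auth0_client_spec(sample):
        print("-", problem)
```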
Examples
SPA with Callback URLs
A Single Page Application with development and production callback URLs:
After deployment, the following outputs are available in status.outputs:
| Output | Type | Description |
| --- | --- | --- |
| id | string | Internal Auth0 identifier for the client |
| client_id | string | OAuth 2.0 client identifier. Safe to expose in client-side code. |
| client_secret | string | OAuth 2.0 client secret. Only available for regular_web and non_interactive application types. Keep secure — never expose in client-side code. |
| name | string | Name of the application, derived from metadata.name |
| application_type | string | Application type (native, spa, regular_web, non_interactive) |
| signing_keys | Auth0SigningKey[] | Signing keys for RS256 token signature verification. Each key contains cert, pkcs7, subject, and thumbprint fields. |
| callback_url_template | string | Whether callback URL templating is enabled |
| allowed_clients | string[] | Clients allowed to perform delegation for this client |
| global | string | Whether this is the tenant's global (default) client |
| token_endpoint_auth_method | string | Authentication method for the token endpoint (e.g., none, client_secret_post, client_secret_basic) |
Related Components
- Auth0ResourceServer — defines the APIs that this client can be authorized to access via apiGrants
- Auth0Connection — provides authentication connections that can be linked via enabledConnections
- Auth0EventStream — streams authentication events from the Auth0 tenant