Resource: auth0_connection

With Auth0, you can define sources of users, otherwise known as connections, which may include identity providers (such as Google or LinkedIn), databases, or passwordless authentication methods. This resource allows you to configure and manage connections to be used with your clients and users.

Example Usage

Auth0 Connection

# This is an example of an Auth0 connection.

# Database ("auth0" strategy) connection. With enabled_database_customization set, the
# custom_scripts below take part in authentication, so review them like application code.
resource "auth0_connection" "my_connection" {
  name                 = "Example-Connection"
  is_domain_connection = true
  strategy             = "auth0"
  # Arbitrary key/value metadata on the connection; like every attribute here it is written to state.
  metadata = {
    key1 = "foo"
    key2 = "bar"
  }

  options {
    password_policy                = "excellent"
    # Lockout on repeated failed logins; keep this enabled on any password-based connection.
    brute_force_protection         = true
    enabled_database_customization = true
    import_mode                    = false
    requires_username              = true
    disable_signup                 = false
    # Custom DB scripts are plain HCL strings: anything embedded in them (connection strings,
    # credentials for a legacy user store) ends up in source control and in Terraform state.
    custom_scripts = {
      get_user = <<EOF
        function getByEmail(email, callback) {
          return callback(new Error("Whoops!"));
        }
      EOF
    }
    # Presumably the settings object exposed to the custom scripts — same exposure caveat as above.
    configuration = {
      foo = "bar"
      bar = "baz"
    }
    # Presumably maps a parameter on the Auth0 authorize request onto one sent upstream — confirm
    # against the provider docs before relying on it for a database connection.
    upstream_params = jsonencode({
      "screen_name" : {
        "alias" : "login_hint"
      }
    })

    # Rejects reuse of recent passwords; `size` is how many previous passwords are remembered.
    password_history {
      enable = true
      size   = 3
    }

    # Rejects passwords built from the user's own profile data.
    password_no_personal_info {
      enable = true
    }

    # Rejects the listed words outright.
    password_dictionary {
      enable     = true
      dictionary = ["password", "admin", "1234"]
    }

    password_complexity_options {
      min_length = 12
    }

    # Username length bounds; only meaningful because requires_username is true above.
    validation {
      username {
        min = 10
        max = 40
      }
    }

    mfa {
      active                 = true
      return_enroll_settings = true
    }
  }
}
        function getByEmail(email, callback) {
          return callback(new Error("Whoops!"));
        }
      EOF
    }
    configuration = {
      foo = "bar"
      bar = "baz"
    }
    upstream_params = jsonencode({
      "screen_name" : {
        "alias" : "login_hint"
      }
    })

    password_history {
      enable = true
      size   = 3
    }

    password_no_personal_info {
      enable = true
    }

    password_dictionary {
      enable     = true
      dictionary = ["password", "admin", "1234"]
    }

    password_complexity_options {
      min_length = 12
    }

    validation {
      username {
        min = 10
        max = 40
      }
    }

    mfa {
      active                 = true
      return_enroll_settings = true
    }
  }
}

Google OAuth2 Connection

# This is an example of a Google OAuth2 connection.

# Social connection backed by Google's OAuth2 endpoints.
resource "auth0_connection" "google_oauth2" {
  name     = "Google-OAuth2-Connection"
  strategy = "google-oauth2"

  options {
    client_id                = "<client-id>"
    # Placeholder. In real configuration source this from a variable marked `sensitive` or a
    # secrets store; it is persisted in Terraform state either way, so protect the state backend.
    client_secret            = "<client-secret>"
    allowed_audiences        = ["example.com", "api.example.com"]
    # Request only what the application uses: "gmail" and "youtube" reach well beyond identity.
    scopes                   = ["email", "profile", "gmail", "youtube"]
    # Root profile attributes are refreshed from the provider on every login (vs. first login only).
    set_user_root_attributes = "on_each_login"
    # Provider attributes that are received but not stored in the Auth0 user profile.
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}

Google Apps

# Google Workspace ("google-apps" strategy) connection scoped to one organization domain.
resource "auth0_connection" "google_apps" {
  name                 = "connection-google-apps"
  is_domain_connection = false
  strategy             = "google-apps"
  show_as_button       = false
  options {
    # Both left empty in this example; a working connection needs the OAuth client's credentials,
    # with the secret sourced from a `sensitive` variable or a secrets store rather than a literal.
    client_id        = ""
    client_secret    = ""
    domain           = "example.com"
    tenant_domain    = "example.com"
    domain_aliases   = ["example.com", "api.example.com"]
    # Presumably lets Auth0 call the provider's directory API on users' behalf — confirm scope of
    # access this grants before enabling in production.
    api_enable_users = true
    scopes           = ["ext_profile", "ext_groups"]
    icon_url         = "https://example.com/assets/logo.png"
    upstream_params = jsonencode({
      "screen_name" : {
        "alias" : "login_hint"
      }
    })
    set_user_root_attributes = "on_each_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}

Facebook Connection

# This is an example of a Facebook connection.

# Social connection backed by Facebook Login.
resource "auth0_connection" "facebook" {
  name     = "Facebook-Connection"
  strategy = "facebook"

  options {
    client_id     = "<client-id>"
    # Placeholder; supply the real value via a `sensitive` variable or secrets store. It is
    # stored in Terraform state regardless.
    client_secret = "<client-secret>"
    # "groups_access_member_info" and "user_birthday" go beyond what sign-in needs; keep the
    # list to the minimum the application actually consumes.
    scopes = [
      "public_profile",
      "email",
      "groups_access_member_info",
      "user_birthday"
    ]
    set_user_root_attributes = "on_each_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}

Apple Connection

# This is an example of an Apple connection.

# Sign in with Apple connection. Apple authenticates the client with a private key (identified by
# team_id and key_id) rather than a shared secret, which is why client_secret holds PEM below.
resource "auth0_connection" "apple" {
  name     = "Apple-Connection"
  strategy = "apple"

  options {
    client_id                = "<client-id>"
    # Truncated sample key. A real private key must never be committed as a literal: load it from a
    # `sensitive` variable or a secrets store, and remember it still lands in Terraform state.
    client_secret            = "-----BEGIN PRIVATE KEY-----\nMIHBAgEAMA0GCSqGSIb3DQEBAQUABIGsMIGpAgEAA\n-----END PRIVATE KEY-----"
    team_id                  = "<team-id>"
    key_id                   = "<key-id>"
    scopes                   = ["email", "name"]
    # Root attributes are taken from Apple only on first login; Apple returns name once anyway.
    set_user_root_attributes = "on_first_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}

LinkedIn Connection

# This is an example of a LinkedIn connection.

# Social connection backed by LinkedIn.
resource "auth0_connection" "linkedin" {
  name     = "Linkedin-Connection"
  strategy = "linkedin"

  options {
    client_id                = "<client-id>"
    # Placeholder; source the real value from a `sensitive` variable or secrets store.
    client_secret            = "<client-secret>"
    # Selects the provider-side API version Auth0 talks to; leave at the current one.
    strategy_version         = 2
    scopes                   = ["basic_profile", "profile", "email"]
    set_user_root_attributes = "on_each_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}

GitHub Connection

# This is an example of a GitHub connection.

# Social connection backed by GitHub OAuth.
resource "auth0_connection" "github" {
  name     = "GitHub-Connection"
  strategy = "github"

  options {
    client_id                = "<client-id>"
    # Placeholder; source the real value from a `sensitive` variable or secrets store.
    client_secret            = "<client-secret>"
    # "public_repo" and "repo" grant repository access at GitHub, far more than sign-in requires.
    # Drop them unless the application genuinely operates on the user's repositories.
    scopes                   = ["email", "profile", "public_repo", "repo"]
    set_user_root_attributes = "on_each_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}

SalesForce Connection

# This is an example of a SalesForce connection.

# Connection backed by a Salesforce org.
resource "auth0_connection" "salesforce" {
  name     = "Salesforce-Connection"
  strategy = "salesforce"

  options {
    client_id                = "<client-id>"
    # Placeholder; source the real value from a `sensitive` variable or secrets store.
    client_secret            = "<client-secret>"
    # Base URL of the Salesforce community used for login; must be HTTPS and belong to your org.
    community_base_url       = "https://salesforce.example.com"
    scopes                   = ["openid", "email"]
    # Root attributes are copied from Salesforce only on the user's first login.
    set_user_root_attributes = "on_first_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}

OAuth2 Connection

Also applies to the following connection strategies: dropbox, bitbucket, paypal, twitter, amazon, yahoo, box, wordpress, shopify, custom

# This is an example of an OAuth2 connection.

# Generic OAuth2 connection: the provider has no built-in strategy, so endpoints and the
# profile-fetch script are supplied explicitly.
resource "auth0_connection" "oauth2" {
  name     = "OAuth2-Connection"
  strategy = "oauth2"

  options {
    client_id              = "<client-id>"
    # Placeholder; source the real value from a `sensitive` variable or secrets store.
    client_secret          = "<client-secret>"
    scopes                 = ["basic_profile", "profile", "email"]
    # Both endpoints must be HTTPS; tokens and codes transit them.
    token_endpoint         = "https://auth.example.com/oauth2/token"
    authorization_endpoint = "https://auth.example.com/oauth2/authorize"
    # PKCE on the code exchange; keep enabled wherever the provider supports it.
    pkce_enabled           = true
    icon_url               = "https://auth.example.com/assets/logo.png"
    # fetchUserProfile receives the provider access token and builds the Auth0 profile from it.
    # It is an inline HCL string, so anything embedded in it is committed and stored in state.
    scripts = {
      fetchUserProfile = <<EOF
        function fetchUserProfile(accessToken, context, callback) {
          return callback(new Error("Whoops!"));
        }
      EOF
    }
    set_user_root_attributes = "on_each_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}
        function fetchUserProfile(accessToken, context, callback) {
          return callback(new Error("Whoops!"));
        }
      EOF
    }
    set_user_root_attributes = "on_each_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}

Active Directory (AD)

# Active Directory / LDAP connection (served through the AD/LDAP connector).
resource "auth0_connection" "ad" {
  name           = "connection-active-directory"
  display_name   = "Active Directory Connection"
  strategy       = "ad"
  show_as_button = true

  options {
    # Password changes stay with the directory rather than Auth0's self-service flow.
    disable_self_service_change_password = true
    brute_force_protection               = true
    tenant_domain                        = "example.com"
    icon_url                             = "https://example.com/assets/logo.png"
    domain_aliases = [
      "example.com",
      "api.example.com"
    ]
    # NOTE(review): presumably the IP ranges from which Kerberos / certificate authentication is
    # attempted (see use_kerberos / use_cert_auth below) — confirm against the provider docs.
    ips                      = ["192.168.1.1", "192.168.1.2"]
    set_user_root_attributes = "on_each_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
    upstream_params = jsonencode({
      "screen_name" : {
        "alias" : "login_hint"
      }
    })
    # Both passwordless paths are off here; enabling either changes who can be authenticated
    # without a password prompt, so review the ips list before turning them on.
    use_cert_auth = false
    use_kerberos  = false
    disable_cache = false
  }
}

Azure AD Connection

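# The client secret is supplied out of band (e.g. the TF_VAR_azure_ad_client_secret environment
# variable) instead of as a literal in source. `sensitive` redacts it from plan/apply output;
# it is still written to Terraform state, so the state backend must be protected accordingly.
variable "azure_ad_client_secret" {
  type      = string
  sensitive = true
}

# Azure AD ("waad" strategy) connection using the OpenID Connect protocol.
resource "auth0_connection" "azure_ad" {
  name           = "connection-azure-ad"
  strategy       = "waad"
  show_as_button = true
  options {
    identity_api  = "azure-active-directory-v1.0"
    client_id     = "123456"
    client_secret = var.azure_ad_client_secret
    app_id        = "app-id-123"
    tenant_domain = "example.onmicrosoft.com"
    domain        = "example.onmicrosoft.com"
    domain_aliases = [
      "example.com",
      "api.example.com"
    ]
    icon_url               = "https://example.onmicrosoft.com/assets/logo.png"
    use_wsfed              = false
    waad_protocol          = "openid-connect"
    # Off: logins are bound to the tenant above. NOTE(review): the common endpoint presumably
    # accepts users from any Azure AD tenant — confirm before enabling.
    waad_common_endpoint   = false
    max_groups_to_retrieve = 250
    api_enable_users       = true
    scopes = [
      "basic_profile",
      "ext_groups",
      "ext_profile"
    ]
    set_user_root_attributes               = "on_each_login"
    # Safest choice: the upstream email_verified claim is never used to mark Auth0 emails verified,
    # which prevents account linking on the strength of an unverified upstream address.
    should_trust_email_verified_connection = "never_set_emails_as_verified"
    upstream_params = jsonencode({
      "screen_name" : {
        "alias" : "login_hint"
      }
    })
    non_persistent_attrs = ["ethnicity", "gender"]
  }
}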

SMS Connection

# This is an example of an SMS connection.

# Passwordless SMS connection. This example lists both Twilio settings and a custom gateway;
# NOTE(review): with provider = "sms_gateway" the Twilio fields are presumably unused — confirm
# and keep only one delivery path in real configuration.
resource "auth0_connection" "sms" {
  name     = "SMS-Connection"
  strategy = "sms"

  options {
    name                   = "SMS OTP"
    twilio_sid             = "<twilio-sid>"
    # Placeholder credential; source from a `sensitive` variable or secrets store.
    twilio_token           = "<twilio-token>"
    from                   = "<phone-number>"
    syntax                 = "md_with_macros"
    # @@password@@ is substituted with the one-time code when the message is rendered.
    template               = "Your one-time password is @@password@@"
    messaging_service_sid  = "<messaging-service-sid>"
    disable_signup         = false
    # Rate-limits repeated OTP attempts; keep on for any OTP-based connection.
    brute_force_protection = true
    forward_request_info   = true

    # OTP validity window (time_step, presumably seconds) and code length.
    totp {
      time_step = 300
      length    = 6
    }

    provider    = "sms_gateway"
    gateway_url = "https://somewhere.com/sms-gateway"
    # Bearer token Auth0 presents to the gateway. The value shown is a sample; a real secret
    # belongs in a `sensitive` variable or secrets store, not in source.
    gateway_authentication {
      method                = "bearer"
      subject               = "test.us.auth0.com:sms"
      audience              = "https://somewhere.com/sms-gateway"
      secret                = "4e2680bb72ec2ae24836476dd37ed6c2"
      secret_base64_encoded = false
    }
  }
}

# This is an example of an SMS connection with a custom SMS gateway.

# Passwordless SMS connection delivered through a custom HTTP gateway.
# NOTE(review): this uses the same resource address (auth0_connection.sms) as the previous
# example; the two cannot coexist in one module without renaming one of them.
resource "auth0_connection" "sms" {
  name                 = "custom-sms-gateway"
  is_domain_connection = false
  strategy             = "sms"

  options {
    disable_signup         = false
    name                   = "sms"
    from                   = "+15555555555"
    syntax                 = "md_with_macros"
    # Message body is just the code; @@password@@ is replaced at send time.
    template               = "@@password@@"
    brute_force_protection = true
    provider               = "sms_gateway"
    # Gateway endpoint; must be HTTPS since the one-time code travels in the request.
    gateway_url            = "https://somewhere.com/sms-gateway"
    forward_request_info   = true

    # OTP validity window (time_step, presumably seconds) and code length.
    totp {
      time_step = 300
      length    = 6
    }

    # Bearer token Auth0 presents to the gateway. Sample value only; keep the real secret out of
    # source via a `sensitive` variable or secrets store.
    gateway_authentication {
      method                = "bearer"
      subject               = "test.us.auth0.com:sms"
      audience              = "https://somewhere.com/sms-gateway"
      secret                = "4e2680bb74ec2ae24736476dd37ed6c2"
      secret_base64_encoded = false
    }
  }
}

Email Connection

# This is an example of an Email connection.

# Passwordless email connection (one-time code / magic link delivered by email).
resource "auth0_connection" "passwordless_email" {
  strategy = "email"
  name     = "email"

  options {
    name                     = "email"
    # \u003c and \u003e are the HCL escapes for "<" and ">", giving "Name <root@auth0.com>".
    from                     = "{{ application.name }} \u003croot@auth0.com\u003e"
    subject                  = "Welcome to {{ application.name }}"
    syntax                   = "liquid"
    template                 = "<html>This is the body of the email</html>"
    disable_signup           = false
    brute_force_protection   = true
    set_user_root_attributes = "on_each_login"
    non_persistent_attrs     = []
    # Parameters applied to the resulting authorization; "offline_access" asks for a refresh
    # token, so drop it unless the application needs long-lived sessions.
    auth_params = {
      scope         = "openid email profile offline_access"
      response_type = "code"
    }

    # OTP validity window (time_step, presumably seconds) and code length.
    totp {
      time_step = 300
      length    = 6
    }
  }
}

SAML Connection

# This is an example of a SAML connection.

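# Enterprise SAML connection. Fix relative to the original example: metadata_xml and metadata_url
# were both set even though the inline comment says to use only one; metadata_url is now shown as
# a commented-out alternative.
resource "auth0_connection" "samlp" {
  name     = "SAML-Connection"
  strategy = "samlp"

  options {
    # Keep off outside troubleshooting; debug output may include assertion contents.
    debug               = false
    # The IdP's public signing certificate, used to verify assertion signatures. Not a secret,
    # but it is the trust anchor for this connection — source it from the IdP, not from email.
    signing_cert        = "<signing-certificate>"
    sign_in_endpoint    = "https://saml.provider/sign_in"
    sign_out_endpoint   = "https://saml.provider/sign_out"
    # No single-logout request is sent to the IdP; the upstream session presumably outlives Auth0's.
    disable_sign_out    = true
    tenant_domain       = "example.com"
    domain_aliases      = ["example.com", "alias.example.com"]
    protocol_binding    = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    # AuthnRequest template; @@...@@ placeholders are filled by Auth0 at request time.
    request_template    = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\"\n@@AssertServiceURLAndDestination@@\n    ID=\"@@ID@@\"\n    IssueInstant=\"@@IssueInstant@@\"\n    ProtocolBinding=\"@@ProtocolBinding@@\" Version=\"2.0\">\n    <saml:Issuer xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">@@Issuer@@</saml:Issuer>\n</samlp:AuthnRequest>"
    user_id_attribute   = "https://saml.provider/imi/ns/identity-200810"
    # SHA-256 for both signature and digest; do not downgrade to SHA-1 variants.
    signature_algorithm = "rsa-sha256"
    digest_algorithm    = "sha256"
    icon_url            = "https://saml.provider/assets/logo.png"
    entity_id           = "<entity_id>"
    # IdP metadata supplied inline. metadata_url is the alternative and must not be set at the
    # same time, so it is left commented out below.
    metadata_xml        = <<EOF
    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.provider/sign_out"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.provider/sign_in"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
    EOF
    # metadata_url      = "https://saml.provider/imi/ns/FederationMetadata.xml" # Use either metadata_url or metadata_xml, but not both.

    # Maps assertion attributes onto Auth0 profile fields.
    fields_map = jsonencode({
      "name" : ["name", "nameidentifier"]
      "email" : ["emailaddress", "nameidentifier"]
      "family_name" : "surname"
    })

    # Key pair Auth0 uses to sign its own requests. The private key is a secret: load it from a
    # `sensitive` variable or secrets store, never a literal, and remember it is kept in state.
    signing_key {
      key  = "-----BEGIN PRIVATE KEY-----\n...{your private key here}...\n-----END PRIVATE KEY-----"
      cert = "-----BEGIN CERTIFICATE-----\n...{your public key cert here}...\n-----END CERTIFICATE-----"
    }

    # Key pair used to decrypt encrypted assertions from the IdP; same handling as signing_key.
    decryption_key {
      key  = "-----BEGIN PRIVATE KEY-----\n...{your private key here}...\n-----END PRIVATE KEY-----"
      cert = "-----BEGIN CERTIFICATE-----\n...{your public key cert here}...\n-----END CERTIFICATE-----"
    }

    # IdP-initiated login has no outstanding Auth0 request to bind the response to, so it is
    # weaker than SP-initiated login; enable it only for an IdP that genuinely requires it.
    idp_initiated {
      client_id              = "client_id"
      client_protocol        = "samlp"
      client_authorize_query = "type=code&timeout=30"
    }
  }
}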
    <?xml version="1.0"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://example.com">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.provider/sign_out"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://saml.provider/sign_in"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
    EOF
    metadata_url        = "https://saml.provider/imi/ns/FederationMetadata.xml" # Use either metadata_url or metadata_xml, but not both.

    fields_map = jsonencode({
      "name" : ["name", "nameidentifier"]
      "email" : ["emailaddress", "nameidentifier"]
      "family_name" : "surname"
    })

    signing_key {
      key  = "-----BEGIN PRIVATE KEY-----\n...{your private key here}...\n-----END PRIVATE KEY-----"
      cert = "-----BEGIN CERTIFICATE-----\n...{your public key cert here}...\n-----END CERTIFICATE-----"
    }

    decryption_key {
      key  = "-----BEGIN PRIVATE KEY-----\n...{your private key here}...\n-----END PRIVATE KEY-----"
      cert = "-----BEGIN CERTIFICATE-----\n...{your public key cert here}...\n-----END CERTIFICATE-----"
    }

    idp_initiated {
      client_id              = "client_id"
      client_protocol        = "samlp"
      client_authorize_query = "type=code&timeout=30"
    }
  }
}

WindowsLive Connection

# This is an example of a WindowsLive connection.

# Microsoft account ("windowslive" strategy) social connection.
resource "auth0_connection" "windowslive" {
  name     = "Windowslive-Connection"
  strategy = "windowslive"

  options {
    client_id                = "<client-id>"
    # Placeholder; source the real value from a `sensitive` variable or secrets store.
    client_secret            = "<client-secret>"
    # Selects the provider-side API version Auth0 talks to; leave at the current one.
    strategy_version         = 2
    scopes                   = ["signin", "graph_user"]
    # Root attributes are copied from the provider only on the user's first login.
    set_user_root_attributes = "on_first_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
  }
}

OIDC Connection

# This is an example of an OIDC connection.

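# The client secret is supplied out of band (e.g. the TF_VAR_oidc_client_secret environment
# variable) instead of as a literal. `sensitive` redacts it from plan/apply output; it is still
# written to Terraform state, so protect the state backend.
variable "oidc_client_secret" {
  type      = string
  sensitive = true
}

# Generic OpenID Connect connection with an explicit attribute map.
resource "auth0_connection" "oidc" {
  name           = "oidc-connection"
  display_name   = "OIDC Connection"
  strategy       = "oidc"
  show_as_button = false

  options {
    client_id                = "1234567"
    client_secret            = var.oidc_client_secret
    domain_aliases           = ["example.com"]
    tenant_domain            = ""
    icon_url                 = "https://example.com/assets/logo.png"
    # back_channel: the code is exchanged server-to-server, so tokens never pass through the browser.
    type                     = "back_channel"
    # Auth0 validates the ID token's iss claim against issuer and its signature against jwks_uri;
    # all endpoints must be HTTPS.
    issuer                   = "https://www.paypalobjects.com"
    jwks_uri                 = "https://api.paypal.com/v1/oauth2/certs"
    discovery_url            = "https://www.paypalobjects.com/.well-known/openid-configuration"
    token_endpoint           = "https://api.paypal.com/v1/oauth2/token"
    userinfo_endpoint        = "https://api.paypal.com/v1/oauth2/token/userinfo"
    authorization_endpoint   = "https://www.paypal.com/signin/authorize"
    scopes                   = ["openid", "email"]
    set_user_root_attributes = "on_first_login"
    non_persistent_attrs     = ["ethnicity", "gender"]

    # PKCE negotiated automatically from the provider's advertised support.
    connection_settings {
      pkce = "auto"
    }

    # "$${...}" is the HCL escape for a literal "${...}", so Auth0 receives the template
    # expressions unevaluated and expands them from the token set at login time.
    attribute_map {
      mapping_mode   = "use_map"
      userinfo_scope = "openid email profile groups"
      attributes = jsonencode({
        "name" : "$${context.tokenset.name}",
        "email" : "$${context.tokenset.email}",
        "email_verified" : "$${context.tokenset.email_verified}",
        "nickname" : "$${context.tokenset.nickname}",
        "picture" : "$${context.tokenset.picture}",
        "given_name" : "$${context.tokenset.given_name}",
        "family_name" : "$${context.tokenset.family_name}"
      })
    }
  }
}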

Okta Connection

# This is an example of an Okta Workforce connection.

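# The client secret is supplied out of band (e.g. the TF_VAR_okta_client_secret environment
# variable) instead of as a literal. `sensitive` redacts it from plan/apply output; it is still
# written to Terraform state, so protect the state backend.
variable "okta_client_secret" {
  type      = string
  sensitive = true
}

# Okta Workforce connection (OIDC under the hood).
resource "auth0_connection" "okta" {
  name           = "okta-connection"
  display_name   = "Okta Workforce Connection"
  strategy       = "okta"
  show_as_button = false

  options {
    client_id                = "1234567"
    client_secret            = var.okta_client_secret
    domain                   = "example.okta.com"
    domain_aliases           = ["example.com"]
    # issuer and jwks_uri are what ID tokens are validated against; all endpoints must be HTTPS.
    issuer                   = "https://example.okta.com"
    jwks_uri                 = "https://example.okta.com/oauth2/v1/keys"
    token_endpoint           = "https://example.okta.com/oauth2/v1/token"
    userinfo_endpoint        = "https://example.okta.com/oauth2/v1/userinfo"
    authorization_endpoint   = "https://example.okta.com/oauth2/v1/authorize"
    scopes                   = ["openid", "email"]
    set_user_root_attributes = "on_first_login"
    non_persistent_attrs     = ["ethnicity", "gender"]
    upstream_params = jsonencode({
      "screen_name" : {
        "alias" : "login_hint"
      }
    })

    # PKCE negotiated automatically from the provider's advertised support.
    connection_settings {
      pkce = "auto"
    }

    # NOTE(review): with mapping_mode = "basic_profile" the explicit attributes map below is
    # presumably ignored (compare the OIDC example, which uses "use_map") — confirm which one
    # is intended. "$${...}" is the HCL escape for a literal "${...}" sent to Auth0 unevaluated.
    attribute_map {
      mapping_mode   = "basic_profile"
      userinfo_scope = "openid email profile groups"
      attributes = jsonencode({
        "name" : "$${context.tokenset.name}",
        "email" : "$${context.tokenset.email}",
        "email_verified" : "$${context.tokenset.email_verified}",
        "nickname" : "$${context.tokenset.nickname}",
        "picture" : "$${context.tokenset.picture}",
        "given_name" : "$${context.tokenset.given_name}",
        "family_name" : "$${context.tokenset.family_name}"
      })
    }
  }
}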

Schema

Required

Optional

Read-Only

Nested Schema for options

Optional:

Nested Schema for options.attribute_map

Required:

Optional:

Nested Schema for options.connection_settings

Required:

Nested Schema for options.decryption_key

Required:

Nested Schema for options.gateway_authentication

Optional:

Nested Schema for options.idp_initiated

Optional:

Nested Schema for options.mfa

Optional:

Nested Schema for options.password_complexity_options

Optional:

Nested Schema for options.password_dictionary

Optional:

Nested Schema for options.password_history

Optional:

Nested Schema for options.password_no_personal_info

Optional:

Nested Schema for options.signing_key

Required:

Nested Schema for options.totp

Optional:

Nested Schema for options.validation

Optional:

Nested Schema for options.validation.username

Optional:

Import

Import is supported using the following syntax:

# This resource can be imported by specifying the connection ID.
# The ID is the "con_..." identifier Auth0 assigns to the connection (visible in the
# dashboard / Management API), not the connection's display name.
#
# Example:
terraform import auth0_connection.google "con_a17f21fdb24d48a0"