Adding a generic OAuth1 Authorization Server to Auth0

The most common identity providers are available on Auth0's dashboard. However, you can add any OAuth1 Authorization Server to Auth0 as an identity provider.

To create an arbitrary OAuth1 connection, you use Auth0's Connections API.

This example would create a custom Twitter connection:

curl -X POST
     -H "Content-Type: application/json"
     -H 'Authorization: Bearer YOUR_MANAGEMENT_API_TOKEN'
     -d @twitter.json https://YOUR_DOMAIN/api/v2/connections

Replace YOUR_MANAGEMENT_API_TOKEN with a valid token. For info on how to get one, see Access Tokens for the Management API.

  "name": "custom-twitter",
  "strategy": "oauth1",
  "options": {
    "client_id": "YOUR_TWITTER_CLIENT_ID",
    "client_secret": "YOUR_TWITTER_CLIENT_SECRET",
    "requestTokenURL": "",
    "accessTokenURL": "",
    "userAuthorizationURL": "",
    "scripts": {
      "fetchUserProfile": "function (token, tokenSecret, ctx, cb) {var OAuth = new require('oauth').OAuth;var oauth = new OAuth(ctx.requestTokenURL,ctx.accessTokenURL,ctx.client_id,ctx.client_secret,'1.0',null,'HMAC-SHA1');oauth.get('' + ctx.user_id,token,tokenSecret,function(e, b, r) {if (e) return cb(e);if (r.statusCode !== 200) return cb(new Error('StatusCode: ' + r.statusCode));cb(null, JSON.parse(b));});}"

The key parameters for a connection are:

  • name: this is how the connection can be referenced later on in Auth0 or in your app.
  • strategy: this must be oauth1. It defines the protocol implemented by the provider.

The options object:

  • client_id and client_secret must be obtained from your provider.
  • requestTokenURL:
  • accessTokenURL:
  • userAuthorizationURL:
  • fetchUserProfile: Auth0 allows you to define a custom script that returns a JSON object with user info. What you do in the script is up to you. For convenience, the OAuth module is included to simplify OAuth1 calls.

The script will have the following signature:

function(token, tokenSecret, ctx, callback){

  var profile = {
    user_id: '123',
    given_name: 'Eugenio',
    family_name: 'Pace',
    email: ''

  callback(null, profile);

The token and tokenSecret parameters will often be used for authenticating requests to the provider's API.

We recommend using the field names in the normalized profile.

Notice that you can manipulate the profile returned from the provider to filter/remove/add anything in it. However, we recommend you keep this script as simple as possible. More sophisticated manipulation of the user information can be achieved through Rules.

One advantage of using Rules is that they apply to any connection.

Using your new connection

You can use any of the Auth0 standard mechanisms to login a user with the new connection (such as direct links, Auth0 Lock, auth0.js, and so on).

A direct link would look like:


Keep reading