ACUL Deployment Workflow

To follow this workflow, make sure you have:

An Auth0 development tenant configured with Universal Login and a custom domain.
An Auth0 First Party Application
Identifier First Authentication enabled in your Auth0 tenant.
An AWS account with permissions to create IAM roles, S3 buckets, and configure CloudFront
A GitHub repository containing your custom login screens

The ACUL production deployment workflow builds and deploys your ACUL screens and configures your tenant to use them. It uses GitHub Actions to:

Build your screen asset bundles
- The workflow reads the config/deploy_config.yml file to determine which screens are marked for deployment.
- If deployment targets are found, the workflow builds your ACUL assets, by using Vite and comping the code into the /dist directory.
Upload your assets to AWS S3
- The workflow securely authenticates with AWS using OpenID Connect (OIDC).
- It uploads the contents of the /dist directory to your S3 bucket.
Configure your Auth0 tenant
- The workflow uses Auth0 CLI with a M2M application to configure the screens in your tenant.
- It maps each screen to the correct Auth0 screen using the config/screen-to-prompt-mapping.js file.
- It updates the Auth0 screen customization settings to point to your assets at CloudFront CDN.

Once configured, a git push to the main branch of your project starts the GitHub workflow.

To read a complete example of the ACUL production deployment workflow, read ACUL GITHUB ACTIONS on Github.

Create a Machine-to-Machine application to grant permissions to the GitHub workflow to update your tenant settings.

Navigate to Auth0 Dashboard > Applications.
Select Create Application.
Select Machine to Machine Applications.
Under Name, add a descriptive name, for example: GitHub ACUL Deployment.
Select Create.
Under Authorize Machine to Machine Application, select Auth0 Management API.
Select these specific permissions:
- read:branding
- update:branding
- read:prompts
- update:prompts
- read:custom_domains
Select Authorize.
Navigate to the Settings tab and note down:
- Domain
- Client ID
- Client Secret

To upload and serve your assets, you need an AWS S3 bucket and to set CloudFront as the CDN.

Create an AWS S3 Bucket. Block all public access so this bucket is private. This private bucket stores your assets.
Set Up a CloudFront Distribution. This CDN securely serves your assets. It should be configured to use your S3 bucket as its Origin using Origin Access Control (OAC).

Create an IAM Role in AWS to grant GitHub Actions permission to upload files to AWS S3.

This IAM role must use Web Identity (OIDC), trusting token.actions.githubusercontent.com.
The role needs a policy granting s3:PutObject, s3:DeleteObject, and s3:ListBucket permissions on your S3 bucket.

To configure your GitHub repository:

Add the following repository secrets:

AWS_S3_ARN: The ARN of the IAM role you created.
S3_BUCKET_NAME: The name of your S3 bucket.
AWS_REGION: The region where your S3 bucket is located. For example, us-east-1.
S3_CDN_URL: Your CloudFront distribution’s domain name. Do not add a trailing slash. For example, https://d1234abcdef.cloudfront.net.
AUTH0_DOMAIN: Your Auth0 tenant domain.
AUTH0_CLIENT_ID: The Client ID from your M2M application.
AUTH0_CLIENT_SECRET: The Client Secret from your M2M application.

You can control which screens are deployed by editing the configuration files located in the .github/config/ directory:

config/deploy_config.yml: Your main control panel. Set a screen to true to deploy it or false to skip it.
config/screen-to-prompt-mapping.js: Maps your internal screen directory names. Example: mfa-sms-challenge to the official Auth0 prompt name mfa-sms.
config/context-configuration.js: Defines Auth0 context data. Example: branding settings should be made available to your custom screens.