Delegated Administration Extension v3

Auth0 recommends that you use the Tenant Members settings to designate tenant usage capabilities to other users and admins in your organization. To learn more, read Dashboard Access.

The Delegated Administration Extension (DAE) allows you to grant administrative permissions to a select group of people without providing access to any other area.

Configure the DAE

To configure the DAE, you must:

  1. Register the application with Auth0

  2. Create a database connection

  3. Disable all other connections for the Auth0 Application

  4. Create users for database connection

  5. Assign roles to users

  6. Install and configure the extension

  7. Use the extension

Register the application with Auth0

Create the Application that the Delegated Administration Extension will expose to those who should have administrative privileges for the Users page. To do this, create a delegated admin application in Auth0.

When finished, note the application's Client ID.

Create a database connection

In this example, a database connection will serve as the source of your users who are allowed access to the Users area. To configure this, create a database connection.

While setting up your connection:

  • Use a fitting connection name, such as HelpDesk.

  • Enable the Disable Sign Ups toggle. For security purposes, this ensures that even users who have the link to the database connection cannot sign themselves up.

Disable all other connections for the Auth0 application

By default, Auth0 enables all connections associated with your tenant when you create a new Application. For this example, disable all connections other than your newly-created database connection. This helps keep the application secure because no one can add themselves using one of your existing connections.

To configure this, update application connections.
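As an added example (not code from the Auth0 docs or from the extension itself), the script below audits the connection records a tenant returns from the Management API (GET /api/v2/connections) and reports anything that departs from the setup in steps 2 and 3: the HelpDesk connection must be a database connection with sign-ups disabled, and it must be the only connection enabled for the delegated admin application. The client ID is a placeholder and the connection records are constructed sample data; field names (name, strategy, enabled_clients, options.disable_signup) follow the Management API v2 connection object.

```javascript
// Added example, not code from the Auth0 docs or the extension: audit the
// connection objects that GET /api/v2/connections returns for a tenant and
// confirm the delegated-admin application can only be reached through the
// HelpDesk database connection, with sign-ups disabled on it. The connection
// records below are constructed sample data; the client ID is a placeholder.

const DAE_CLIENT_ID = 'abc123DelegatedAdminClient'; // placeholder, assumed

// Constructed sample: one social connection is still enabled for the DAE client.
const sampleConnections = [
  { name: 'HelpDesk', strategy: 'auth0',
    enabled_clients: [DAE_CLIENT_ID], options: { disable_signup: true } },
  { name: 'Username-Password-Authentication', strategy: 'auth0',
    enabled_clients: ['someOtherApp'], options: { disable_signup: false } },
  { name: 'google-oauth2', strategy: 'google-oauth2',
    enabled_clients: ['someOtherApp', DAE_CLIENT_ID], options: {} },
];

// Returns a list of findings; an empty list means the tenant matches the
// configuration this page describes.
function auditDaeConnections(connections, clientId, expectedName) {
  const findings = [];
  const enabledForClient = connections.filter(
    c => Array.isArray(c.enabled_clients) && c.enabled_clients.includes(clientId));
  const helpDesk = connections.find(c => c.name === expectedName);

  if (!helpDesk) {
    findings.push(`connection "${expectedName}" does not exist`);
  } else {
    if (helpDesk.strategy !== 'auth0') {
      findings.push(`"${expectedName}" is not a database (auth0) connection`);
    }
    if (!(helpDesk.options && helpDesk.options.disable_signup === true)) {
      findings.push(`sign-ups are not disabled on "${expectedName}"`);
    }
    if (!enabledForClient.includes(helpDesk)) {
      findings.push(`"${expectedName}" is not enabled for client ${clientId}`);
    }
  }
  // Any other connection enabled for the DAE client lets its users reach the
  // extension's login page, which is exactly what step 3 rules out.
  for (const c of enabledForClient) {
    if (c.name !== expectedName) {
      findings.push(`extra connection "${c.name}" (${c.strategy}) is enabled for client ${clientId}`);
    }
  }
  return findings;
}

// Build the body for PATCH /api/v2/connections/{id} that removes the DAE
// client from every connection except the expected one. Only the field that
// changes (enabled_clients) is sent.
function remediationPatches(connections, clientId, expectedName) {
  return connections
    .filter(c => c.name !== expectedName && (c.enabled_clients || []).includes(clientId))
    .map(c => ({
      name: c.name,
      body: { enabled_clients: c.enabled_clients.filter(id => id !== clientId) },
    }));
}

console.log(auditDaeConnections(sampleConnections, DAE_CLIENT_ID, 'HelpDesk'));
console.log(remediationPatches(sampleConnections, DAE_CLIENT_ID, 'HelpDesk'));
```

Run it against the real connection list after the initial setup and again whenever a new connection is added to the tenant: Auth0 enables new connections for existing applications by default, so a check that passed at setup time can silently stop passing later.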

Create users for the database connection

To continue, you must create at least one user and attach it to your connection.

Assign roles to users

Although the Delegated Administration Extension (DAE) and the Authorization Core feature set are completely separate features, you can use the Authorization Core feature set to create and manage roles for the DAE if you use a rule. To learn how, see Sample Use Cases: Rules with Authorization.

Auth0 grants access to the Delegated Administration Extension (DAE) for the user(s) attached to your connection based on their roles. These are DAE-specific roles:

This role...                       Grants permission to...
Delegated Admin - User             Search for users, create users, open users, and execute actions on users (such as delete or block).
Delegated Admin - Administrator    Do everything that the Delegated Admin - User can, plus see all logs in the tenant and configure Hooks.
Delegated Admin - Auditor          Search for users and view user information, but not make changes. Action-based buttons are not visible to this role.
Delegated Admin - Operator         Access user management and logs, but not the extension configuration section.

When working with roles, we recommend that you use the Authorization Core feature set:

  1. Create DAE roles. The names of the roles you create must match the names of the pre-defined DAE roles above.

  2. Assign DAE roles to a user manually.

  3. Add user roles to the DAE namespace in the ID Token using this rule:

    // Rules run on every login; only stamp the claim for the delegated admin application.
    function (user, context, callback) {
        if (context.clientID === 'CLIENT_ID') {
            // Custom claims must be namespaced with a URL (see the OIDC note that follows).
            const namespace = 'https://example.com/auth0-delegated-admin';
            context.idToken[namespace] = {
                // Authorization Core places the user's roles in context.authorization.
                roles: (context.authorization || {}).roles
            };
        }
        return callback(null, user, context);
    }

Remember to replace the CLIENT_ID placeholder with your delegated admin application's Client ID.

To learn more about creating rules, see Create rules.

Auth0 returns profile information in a structured claim format as defined by the OpenID Connect (OIDC) specification. This means that custom claims added to ID Tokens or Access Tokens must conform to a namespaced format to avoid possible collisions with standard OIDC claims.

Using Authorization Core will define roles in the context.authorization object.

If you choose not to use Authorization Core, you should define DAE roles in one of the following fields on the user profile:

  • user.app_metadata.roles

  • user.app_metadata.authorization.roles
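The following is an added example, not code from the Auth0 docs: it runs the roles rule above against constructed user and context objects the way the Auth0 rule runtime calls it, confirms the namespaced claim is written only for the delegated admin application's Client ID, and resolves DAE roles from the three sources this section lists (the namespaced claim, user.app_metadata.roles, and user.app_metadata.authorization.roles), dropping and reporting any role name that does not exactly match one of the four pre-defined DAE roles. The Client ID and namespace are placeholders, the users and login contexts are constructed sample data, and the source precedence is this example's choice (the page lists the sources as alternatives).

```javascript
// Added example, not code from the Auth0 docs: exercise the roles rule shown
// above against constructed user/context objects, the way the Auth0 rule
// runtime calls it, and check what lands in the ID token before deploying.
// Client ID and namespace are placeholders; the user and login contexts are
// constructed sample data.

const DAE_CLIENT_ID = 'abc123DelegatedAdminClient'; // placeholder, assumed
const NAMESPACE = 'https://example.com/auth0-delegated-admin'; // from the rule above

// The four pre-defined DAE role names; roles in your tenant must match exactly.
const DAE_ROLES = [
  'Delegated Admin - User',
  'Delegated Admin - Administrator',
  'Delegated Admin - Auditor',
  'Delegated Admin - Operator',
];

// The rule from this page with CLIENT_ID filled in. Auth0 calls rules as
// (user, context, callback) and populates context.authorization when the
// Authorization Core feature set is enabled.
function rolesRule(user, context, callback) {
  if (context.clientID === DAE_CLIENT_ID) {
    context.idToken[NAMESPACE] = {
      roles: (context.authorization || {}).roles,
    };
  }
  return callback(null, user, context);
}

// Stand-in for the rule runtime: runs a rule synchronously and returns the
// context it produced (context.idToken is what becomes custom claims).
function runRule(rule, user, context) {
  let produced;
  rule(user, { idToken: {}, ...context }, (err, _user, ctx) => {
    if (err) throw err;
    produced = ctx;
  });
  return produced;
}

// Custom claims must be namespaced: an absolute URL, not a bare name such as
// "roles" that could collide with a standard OIDC claim.
function isNamespacedClaim(name) {
  return /^https?:\/\/[^/]+\/.+/.test(name);
}

// Resolve DAE roles from the sources this page lists. Precedence here is this
// example's choice: the namespaced claim, then app_metadata.roles, then
// app_metadata.authorization.roles. A misspelled role name grants nothing,
// so unknown names are returned separately for reporting.
function resolveDaeRoles(user, context) {
  const claim = context.idToken && context.idToken[NAMESPACE];
  const meta = user.app_metadata || {};
  const candidates = (claim && claim.roles) || meta.roles
    || (meta.authorization && meta.authorization.roles) || [];
  return {
    granted: candidates.filter(r => DAE_ROLES.includes(r)),
    unknown: candidates.filter(r => !DAE_ROLES.includes(r)),
  };
}

// Constructed sample users and logins.
const helpDeskUser = { user_id: 'auth0|helpdesk-1', app_metadata: {} };
const daeLogin = {
  clientID: DAE_CLIENT_ID,
  // "Delegated Admin - Admin" is a deliberate typo of the Administrator role.
  authorization: { roles: ['Delegated Admin - Administrator', 'Delegated Admin - Admin'] },
};
const otherAppLogin = {
  clientID: 'someOtherApp',
  authorization: { roles: ['Delegated Admin - Administrator'] },
};
const legacyUser = {
  user_id: 'auth0|helpdesk-2',
  app_metadata: { authorization: { roles: ['Delegated Admin - Auditor'] } },
};

console.log(resolveDaeRoles(helpDeskUser, runRule(rolesRule, helpDeskUser, daeLogin)));
console.log(runRule(rolesRule, helpDeskUser, otherAppLogin).idToken);
console.log(resolveDaeRoles(legacyUser, { idToken: {} }));
```

The second login shows the property that matters most for scoping: the same user with the same Authorization Core roles, logging in to a different application, gets no DAE claim at all, because the rule keys on context.clientID. Keep that guard when you adapt the rule; without it every ID token your tenant issues would carry the roles list.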

Install and configure the extension

Now that we've created and configured an application, a connection, and our user, we can install and configure the Delegated Admin Extension itself.

Use the extension

Once installed, you are ready to use the Delegated Admin Extension.

Navigate to the extension using the appropriate login link for your region and your tenant's extensibility runtime.

Allowed Callback URL for Node.js 12

Location    Name    URL
USA         US-1    https://YOUR_TENANT.us12.webtask.io/auth0-delegated-admin/login
USA         US-3    https://YOUR_TENANT.us.webtask.run/auth0-delegated-admin/login
Australia   AU      https://YOUR_TENANT.au12.webtask.io/auth0-delegated-admin/login
Europe      EU      https://YOUR_TENANT.eu12.webtask.io/auth0-delegated-admin/login
Japan       JP-1    https://YOUR_TENANT.jp.webtask.run/auth0-delegated-admin/login

Allowed Callback URL for Node.js 8

Location    Name    URL
USA         US-1    https://YOUR_TENANT.us8.webtask.io/auth0-sso-dashboard/admins/login
Europe      EU      https://YOUR_TENANT.eu8.webtask.io/auth0-sso-dashboard/admins/login
Australia   AU      https://YOUR_TENANT.au8.webtask.io/auth0-sso-dashboard/admins/login

A new tab opens, displaying the login prompt.

Extensions - Delegated Admin - Login prompt

Because (in this example) we disabled signups for the database connection while configuring it, the login screen does not display a Sign Up option. Once you provide valid credentials, Auth0 directs you to your custom Delegated Administration Dashboard page, which has the Title you provided at the top of the page and (if you provided a custom CSS file), your design.

Extensions - Delegated Admin - Standard dashboard

Delegated Administration Session Timeout

By default, the token expiration time is 10 hours. However, for security reasons, the Delegated Administration Extension does not persist the token in cookies or sessionStorage, so the token is lost on every page reload and you must start a new session each time.

Learn more