SCENARIO 08 CIAM Auth0 OAuth2 / OIDC

CIAM Login Platform with Auth0

A new customer-facing SaaS app needed a dedicated identity platform — separate from the corporate Entra ID directory. Auth0 was deployed as an isolated CIAM tenant with Universal Login, Google social federation, Email OTP MFA, and OAuth2-protected API endpoints validated end-to-end.

Auth0 OIDC OAuth2 JWT Google Federation MFA Python

Business Problem

IDSentinel Solutions was onboarding a new customer-facing SaaS application requiring a secure, branded login experience for external customers. Without a dedicated CIAM platform, customer accounts would need to be provisioned inside the corporate Entra ID tenant — co-mingling external users with employees, violating data separation principles, and creating an unscalable support burden.

The IAM team was tasked with designing and deploying a Customer Identity and Access Management (CIAM) platform using Auth0 — a dedicated external identity tenant fully isolated from the corporate Entra ID environment.

Risk

  • Customer identities co-mingled with employee accounts — violates least-privilege and data separation principles
  • No self-service registration or password reset — support desk handles all customer access requests
  • Username/password only — no MFA path for customer accounts creates credential stuffing exposure
  • No token-based API protection — customer-facing endpoints unauthenticated or using insecure API key patterns
  • No customer authentication audit trail — compliance exposure under SOC 2 Type II

Scope

FieldDetail
Affected populationExternal SaaS customers — fully isolated from employee and contractor accounts
Identity platformAuth0 (dedicated CIAM tenant)
ProtocolsOIDC, OAuth2 — Universal Login and client credentials flow
Identity providersAuth0 database connection + Google social federation
MFAEmail OTP — Always policy, enforced on every sign-in
API protectionBearer JWT scoped to read:data, audience https://api.idsentinel.com
Compliance targetSOC 2 Type II

Solution Design — 4 Workstreams

WS 1

Auth0 Tenant and Application Registration

Dedicated Auth0 tenant provisioned as an isolated CIAM directory. Web application and protected API registered separately.

WS 2

Universal Login and Custom Branding

Auth0 Universal Login configured as the hosted authentication endpoint. Custom branding applied. Self-service sign-up and password reset enabled.

WS 3

Google Social Identity Federation

Google configured as an external OIDC identity provider. Auth0 maps Google claims to the local customer profile — customers not dependent on Google remaining their IdP.

WS 4

API Protection with OAuth2

Protected API registered with custom read:data scope. Client credentials flow used to issue scoped JWT access tokens validated against a protected endpoint.

Key design decision: Universal Login over embedded login — Auth0's recommended security pattern. Prevents credential interception at the application layer. JWT access tokens scoped to API audience https://api.idsentinel.com — tokens cannot be replayed against other services.

// diagrams/ciam-auth0-architecture.png — CIAM platform architecture diagram expand
CIAM platform architecture diagram

Implementation

  • 01

    Provision Auth0 Tenant + Register Applications

    Dedicated Auth0 tenant created — customer-only identity space, no employee accounts, no CA policies, no group memberships. Web app IDSentinel-CustomerApp and API IDSentinel-CustomerAPI registered with identifier https://api.idsentinel.com and custom read:data permission scope.

    // 01-auth0-tenant-dashboard expand
    Dedicated Auth0 tenant provisioned
    // 02-app-registration-auth0 expand
    Web application registered in Auth0
    // 03-api-registration-auth0 expand
    Protected API registered with read:data scope
  • 02

    Configure Universal Login and Branding

    New Universal Login experience enabled. IDSentinel logo, primary color, and background applied. Self-service sign-up tested end-to-end — customer account created and confirmed in Auth0 user store with identity provider listed as auth0.

    // 04-universal-login-config expand
    Universal Login configured — new experience enabled
    // 05-custom-branding expand
    IDSentinel branding applied to Universal Login
    // 06-signup-signin-test expand
    Self-service sign-up and sign-in flow validated
    // 07-user-created-auth0 expand
    Customer account confirmed in Auth0 user store
  • 03

    Configure Google Social Federation

    Google Cloud project created with OAuth2 consent screen and OAuth2 Client ID. Auth0 callback URL registered as an authorized redirect URI. Google social connection enabled on IDSentinel-CustomerApp and validated end-to-end — google-oauth2 linked identity confirmed in user store.

    // 08-google-cloud-credentials expand
    Google Cloud OAuth2 credentials configured
    // 09-google-social-connection expand
    Google social connection enabled in Auth0
    // 10a-google-login-test expand
    Google social login flow — OAuth2 handshake initiated
    // 10b-google-login-test expand
    Google login validated — google-oauth2 linked identity confirmed
  • 04

    Validate OAuth2 Token + API Protection

    Client credentials flow executed in Postman against the Auth0 token endpoint. JWT decoded at jwt.io — claims confirmed:

    ClaimValue
    issAuth0 tenant URL
    audhttps://api.idsentinel.com
    scoperead:data
    expToken expiry timestamp

    Bearer token passed to protected endpoint — "authenticated": true confirmed. Request without token returned 401 Unauthorized.

    // 11-postman-token-request expand
    Client credentials token request in Postman
    // 12-postman-token-response expand
    Access token returned — scoped to read:data
    // 13-jwt-decoded expand
    JWT decoded at jwt.io — all claims confirmed
    // 14-api-call-bearer-token expand
    Protected API — authenticated: true with Bearer token, 401 without
  • 05

    Enable Email OTP MFA

    Email OTP factor enabled under Security → Multifactor Auth. MFA policy set to Always — all customers prompted for email OTP on every sign-in.

    // 15-mfa-email-otp expand
    Email OTP MFA enabled — policy set to Always
  • 06

    Python Token Validation Script

    Get-Auth0TokenReport.py executed against the issued access token. Script decodes JWT payload without signature verification and outputs all claims with field-level validation status — producing an audit-ready token inspection report.

    // 16-python-token-validation expand
    Python script — JWT claims decoded and validated

Outcome

Auth0 tenant fully isolated from corporate Entra ID — zero cross-tenant identity exposure
Universal Login with custom IDSentinel branding — consistent customer-facing experience
Google social federation validated — google-oauth2 linked identity confirmed in user store
OAuth2 client credentials flow validated — scoped JWT issued with correct audience and scope claims
401 Unauthorized confirmed on unauthenticated API requests — Bearer enforcement active
Email OTP MFA enforced on all customer sign-ins via Always policy

Platform Summary

ComponentConfigurationStatus
Auth0 TenantIsolated external CIAM directory✅ Provisioned
Web App RegistrationCallback URLs, origins configured✅ Configured
API RegistrationAudience + read:data scope defined✅ Configured
Universal LoginNew experience, custom branding applied✅ Active
Google FederationOIDC, google-oauth2 linked identity confirmed✅ Active
OAuth2 Token FlowClient credentials, scoped access token✅ Validated
API ProtectionBearer token enforcement, 401 on unauth✅ Enforced
MFAEmail OTP, Always policy✅ Active

CIAM vs. Workforce IAM

DimensionWorkforce IAM (01–07)CIAM (08)
Identity populationEmployees and contractorsExternal customers
DirectoryCorporate Entra ID tenantDedicated Auth0 tenant
RegistrationIT-provisioned accountsSelf-service sign-up
AuthenticationCA policies, PIM, MFA enforcedUniversal Login, social login, OTP
Scale model~1,000 employeesDesigned for millions of customers
UX prioritySecurity-firstFrictionless customer experience

Files