When integrating authentication providers with the Magnolia CMS backend (AdminCentral) there is usually the need to apply different roles to different types of users after login so that Magnolia is able to apply permissions correctly to the type of user working with AdminCentral. If users are managed outside of Magnolia, you must configure the external system to provide role/group information together with user data. The role/group information is typically delivered within the payload of the JWT token used within the OpenID Connect authentication flow.

For Keycloak, you can find the steps to enable role information in the article Integrate Magnolia AdminCentral with Keycloak using OpenID Connect (search for “usergroups”). This article covers the cloud-based commercial authentication solutions Okta and Auth0.

Hint: Both groups and roles can be used to set the correct permissions on the Magnolia side; which of the two terms is more relevant in your case depends on the IAM software you use. The groups/roles must exist with exactly the same name in the Magnolia security configuration. If the token payload delivers a group/role name that does not exist in Magnolia, it is simply ignored.

Okta configuration

Prerequisites: Don’t forget that your test user has to have at least one group assigned and that the user also has to be assigned to your application!

Group delivery together with the token can be configured in the Okta admin interface, but you have to switch to the classic UI version:

Go to Applications, select your application, open the Sign On tab and adjust the settings in the OpenID Connect ID Token box.

Important: You also need to add groups to the scope when making the call to Okta!

As a result, an array with groups should be part of your JWT token delivered after successful authentication.

  content={"sub":"00u7603bdpK9BL2Dn356","name":"Hugo Heiermann","locale":"en-US","email":"hugo.heiermann@example.org","preferred_username":"hugo.heiermann@example.org","given_name":"Hugo","family_name":"Heiermann","zoneinfo":"America/Los_Angeles","updated_at":1562455492,"email_verified":true,
  "groups":["Everyone","travel-demo-editors"]}


Auth0 configuration

When using Auth0, there is no interface option that you can use to add role information to your JWT token. You need to add a rule (a script based on Node.js).

Add a rule to your Auth Pipeline:

Click on the CREATE RULE button, and select the Empty rule template. Then you can use the code found here: Add user roles to tokens.

Important: The namespace constant must be in a valid URL format, so you cannot simply use ‘roles’ or ‘groups’ as the key. A plain key would produce the same result as with other authentication providers (and would avoid custom configuration in the Magnolia SSO module), but if you use just ‘roles’ as the namespace, the rule won’t work as expected. You are, however, free to choose any custom URL value for the namespace, as shown below:

  const namespace = 'https://magnolia-sso-roles.ch';

You can use the Auth0 interface to create and assign roles to a user. Enable the rule and test if you receive the roles assigned to your test user.
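The following is an added example, not code from the Magnolia article or from Auth0's own documentation: an Auth0 rule in the classic `function (user, context, callback)` shape that copies the roles assigned to the user into the ID and access tokens under the namespaced claim discussed above. It assumes that Auth0 hands the assigned roles to the rule in `context.authorization.roles`, and `runRuleLocally` is a hypothetical helper with constructed data so the rule can be exercised outside a tenant.

```javascript
// Added example, not code from the Magnolia article or from Auth0's docs:
// an Auth0 rule that copies the user's assigned roles into a namespaced claim.
// Assumptions: the role list arrives in context.authorization.roles (as in
// Auth0's rule environment) and the namespace is the one the article uses.
function addRolesToTokens(user, context, callback) {
  // Must be in URL format; a bare key such as 'roles' is not accepted.
  const namespace = 'https://magnolia-sso-roles.ch';

  // Roles assigned in the Auth0 interface; fall back to an empty list so a
  // user without roles still gets a well-formed (empty) claim.
  const assignedRoles = (context.authorization && context.authorization.roles) || [];

  const idTokenClaims = context.idToken || {};
  const accessTokenClaims = context.accessToken || {};

  // The namespace itself is the claim name, matching the payload shown in the article.
  idTokenClaims[namespace] = assignedRoles;
  accessTokenClaims[namespace] = assignedRoles;

  context.idToken = idTokenClaims;
  context.accessToken = accessTokenClaims;

  callback(null, user, context);
}

// Hypothetical local stand-in for the rule environment (constructed data,
// not real Auth0 output) so the rule can be exercised without a tenant.
function runRuleLocally(roles) {
  const user = { email: 'walburga.duckstein@example.org' };
  const context = {
    authorization: { roles: roles },
    idToken: { sub: 'auth0|example-subject' },  // constructed placeholder subject
    accessToken: {},
  };
  let outcome = null;
  addRolesToTokens(user, context, (err, _u, ctx) => {
    outcome = { err: err, idToken: ctx.idToken, accessToken: ctx.accessToken };
  });
  return outcome;
}
```

In a real tenant only `addRolesToTokens` is pasted into the rule editor; the existing `sub` and other claims stay in the token because the rule only adds the one key.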

  content={"sub":"auth0|5db72e313f9ab10f19fe4415","nickname":"walburga.duckstein","name":"walburga.duckstein@example.org","picture":"","updated_at":"2020-12-21T13:11:21.104Z","email":"walburga.duckstein@example.org","email_verified":true,
  "https://magnolia-sso-roles.ch":["role-number-one","another-role","travel-demo-editors"]}

For Auth0, you don’t need to request a specific scope as in the Okta case.
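As an added example (not Magnolia's own code and not how the Magnolia SSO module is implemented), the following script applies the hint from the beginning of the article to the two payloads shown above: it reads the provider-specific claim (`groups` for Okta, the namespaced URL for Auth0), tolerates a missing or malformed claim, and keeps only the names that exist in an assumed Magnolia group list, reporting the rest as ignored. The Magnolia group list is constructed for the example; the payloads are the ones printed in the article.

```javascript
// Added example, not Magnolia's code: map the group/role claim of a decoded
// token payload onto the names that exist in Magnolia, ignoring the rest.
const OKTA_CLAIM = 'groups';                          // delivered by Okta when 'groups' is in scope
const AUTH0_CLAIM = 'https://magnolia-sso-roles.ch';  // namespace chosen in the Auth0 rule

// Constructed sample of names that exist in the Magnolia security configuration.
const MAGNOLIA_GROUPS = new Set(['travel-demo-editors', 'travel-demo-publishers']);

// Return the array of names under claimName; a missing claim or a non-array
// value is treated as "no groups" rather than as an error.
function extractNames(payload, claimName) {
  const value = payload[claimName];
  return Array.isArray(value) ? value.filter((v) => typeof v === 'string') : [];
}

// Split delivered names into those Magnolia will apply and those it ignores;
// the ignored list is worth logging, as it shows unexpected names in the token.
function mapToMagnolia(payload, claimName) {
  const delivered = extractNames(payload, claimName);
  const applied = delivered.filter((name) => MAGNOLIA_GROUPS.has(name));
  const ignored = delivered.filter((name) => !MAGNOLIA_GROUPS.has(name));
  return { applied: applied, ignored: ignored };
}

// Payloads as printed in the article (sample users, example.org addresses).
const oktaPayload = {
  sub: '00u7603bdpK9BL2Dn356', name: 'Hugo Heiermann', locale: 'en-US',
  email: 'hugo.heiermann@example.org', preferred_username: 'hugo.heiermann@example.org',
  given_name: 'Hugo', family_name: 'Heiermann', zoneinfo: 'America/Los_Angeles',
  updated_at: 1562455492, email_verified: true,
  groups: ['Everyone', 'travel-demo-editors'],
};
const auth0Payload = {
  sub: 'auth0|5db72e313f9ab10f19fe4415', nickname: 'walburga.duckstein',
  name: 'walburga.duckstein@example.org', picture: '', updated_at: '2020-12-21T13:11:21.104Z',
  email: 'walburga.duckstein@example.org', email_verified: true,
  'https://magnolia-sso-roles.ch': ['role-number-one', 'another-role', 'travel-demo-editors'],
};

console.log('Okta :', JSON.stringify(mapToMagnolia(oktaPayload, OKTA_CLAIM)));
console.log('Auth0:', JSON.stringify(mapToMagnolia(auth0Payload, AUTH0_CLAIM)));
```

Both users end up with only `travel-demo-editors` applied; Okta's built-in `Everyone` and the two extra Auth0 roles are ignored because no Magnolia group carries those names.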

More rule examples

In case you want to have more code examples for Auth0 rules, you can have a look at Auth0 rules on GitHub.

Conclusion

For both Okta and Auth0 it’s possible to deliver role information to Magnolia in the JWT token data once you know how to do it (in both cases you need to search for the appropriate documentation). Okta and Auth0 can then be used for direct AdminCentral access with individual user permissions.