Auth0 OIDC Setup
Configure Dagu with Auth0 as OIDC provider.
Prerequisites
- Auth0 account (free tier works)
- Access to Auth0 Dashboard
Setup Steps
1. Create Application in Auth0
- Log in to Auth0 Dashboard
- Navigate to Applications > Applications
- Click "Create Application"
- Choose:
  - Name: Dagu (or your preference)
  - Application Type: Regular Web Applications
- Click Create
2. Configure Application
- Go to Settings tab
- Note down:
  - Domain: your-tenant.auth0.com
  - Client ID: (shown in Basic Information)
  - Client Secret: (shown in Basic Information)
- Configure Application URIs:
  - Allowed Callback URLs:
    http://localhost:8080/oidc-callback
    For production add:
    https://dagu.example.com/oidc-callback
  - Allowed Logout URLs (optional):
    http://localhost:8080 https://dagu.example.com
- Save Changes
3. Configure Dagu
YAML Configuration
yaml
# ~/.config/dagu/config.yaml
auth:
  oidc:
    clientId: "your-auth0-client-id"
    clientSecret: "your-auth0-client-secret"
    clientUrl: "http://localhost:8080"
    issuer: "https://your-tenant.auth0.com/"
    scopes:
      - "openid"
      - "profile"
      - "email"
Environment Variables
bash
export DAGU_AUTH_OIDC_CLIENT_ID="your-auth0-client-id"
export DAGU_AUTH_OIDC_CLIENT_SECRET="your-auth0-client-secret"
export DAGU_AUTH_OIDC_CLIENT_URL="http://localhost:8080"
export DAGU_AUTH_OIDC_ISSUER="https://your-tenant.auth0.com/"
export DAGU_AUTH_OIDC_SCOPES="openid,profile,email"
dagu start-all
User Management
Create Test Users
- Go to User Management > Users
- Click "Create User"
- Choose connection: Username-Password-Authentication
- Enter email and password
- Click Create
Email Whitelist
Restrict access to specific users:
yaml
auth:
  oidc:
    # ... auth0 config ...
    whitelist:
      - "[email protected]"
      - "[email protected]"
Advanced Configuration
Custom Domain
If using Auth0 custom domain:
yaml
auth:
  oidc:
    issuer: "https://auth.yourdomain.com/"
    # ... rest of config
Additional Scopes
Standard OIDC scopes used by Dagu:
yaml
auth:
  oidc:
    scopes:
      - "openid"
      - "profile"
      - "email"
Note: Dagu does not support refresh tokens. Sessions expire after 24 hours.
Organizations
For Auth0 Organizations:
- Enable Organizations in Auth0
- Create organization
- Add users to organization
- Update callback URL to include organization: http://localhost:8080/oidc-callback?organization=ORG_ID
Social Connections
Enable Social Login
- Go to Authentication > Social
- Enable desired providers (Google, GitHub, etc.)
- Configure each provider with their credentials
- No changes needed in Dagu config
Users can now log in with social accounts through Auth0.
Production Configuration
Security Settings
In Auth0 Dashboard > Settings > Advanced:
- Enable "OIDC Conformant"
- Set appropriate token expiration
- Configure refresh token rotation
Production Dagu config:
yaml
auth:
  oidc:
    clientId: "production-client-id"
    clientSecret: "production-secret"
    clientUrl: "https://dagu.example.com"
    issuer: "https://your-tenant.auth0.com/"
# Enable HTTPS
tls:
  certFile: "/etc/ssl/dagu.crt"
  keyFile: "/etc/ssl/dagu.key"
Rate Limits
Auth0 has rate limits:
- Free tier: 1,000 logins/month
- Paid tiers: Higher limits
Monitor usage in Auth0 Dashboard > Monitoring.
Testing
Start Dagu:
bash
dagu start-all
Access http://localhost:8080
You'll be redirected to the Auth0 login page
Log in with a test user or social account
After a successful login, you are redirected back to Dagu
Troubleshooting URLs
- Auth0 Dashboard: https://manage.auth0.com/
- OpenID Configuration: https://your-tenant.auth0.com/.well-known/openid-configuration
- Test connection: https://your-tenant.auth0.com/authorize?client_id=YOUR_CLIENT_ID
Notes
- Issuer URL must include trailing slash
- Auth0 supports standard OIDC discovery
- Free tier sufficient for small teams
- Session duration controlled by Auth0 token settings
- Auth0 Universal Login provides customizable UI
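The issuer and callback requirements in this guide can be checked before starting Dagu. The following Python is an added example, not code from Dagu or Auth0: `check_oidc`, `discovery_url` and the sample dictionaries are hypothetical names, and it assumes the callback is `clientUrl` plus `/oidc-callback`, as the URLs on this page suggest.

```python
# Pre-flight check for the auth.oidc settings on this page (added example).
from urllib.parse import urlsplit

CALLBACK_PATH = "/oidc-callback"  # assumption: callback path taken from this page

def discovery_url(issuer):
    # Standard OIDC discovery location, relative to the issuer.
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_oidc(cfg, discovery, allowed_callbacks):
    """Return a list of problems; an empty list means the settings agree."""
    problems = []
    issuer = cfg.get("issuer", "")
    client_url = cfg.get("clientUrl", "")
    if not issuer.endswith("/"):
        problems.append("issuer must end with a trailing slash")
    if urlsplit(issuer).scheme != "https":
        problems.append("issuer must use https")
    # The issuer advertised by the provider has to match the configured one exactly.
    if discovery.get("issuer") != issuer:
        problems.append("issuer differs from discovery document: %r" % discovery.get("issuer"))
    parts = urlsplit(client_url)
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        problems.append("clientUrl must use https outside local testing")
    callback = client_url.rstrip("/") + CALLBACK_PATH
    if callback not in allowed_callbacks:
        problems.append("callback not in Allowed Callback URLs: " + callback)
    scopes = cfg.get("scopes", [])
    if "openid" not in scopes:
        problems.append("scopes must include openid")
    unsupported = sorted(set(scopes) - set(discovery.get("scopes_supported", scopes)))
    if unsupported:
        problems.append("scopes not advertised by provider: " + ", ".join(unsupported))
    return problems

# Constructed sample data built from this page's placeholder values.
SAMPLE_DISCOVERY = {"issuer": "https://your-tenant.auth0.com/",
                    "scopes_supported": ["openid", "profile", "email", "offline_access"]}
SAMPLE_ALLOWED = ["http://localhost:8080/oidc-callback",
                  "https://dagu.example.com/oidc-callback"]
GOOD = {"clientUrl": "https://dagu.example.com", "issuer": "https://your-tenant.auth0.com/",
        "scopes": ["openid", "profile", "email"]}
BAD = {"clientUrl": "http://dagu.example.com/", "issuer": "https://your-tenant.auth0.com",
       "scopes": ["profile", "email"]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, check_oidc(cfg, SAMPLE_DISCOVERY, SAMPLE_ALLOWED))
```

In real use, pass the JSON fetched from `discovery_url(issuer)` and the Allowed Callback URLs copied from the Auth0 application settings instead of the sample data.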