Secure an app with Auth0

Route plugins: Authentication

Download Otoroshi

If you already have an Otoroshi instance up and running, you can skip the following instructions.

Set up an Otoroshi

Let’s start by downloading the latest Otoroshi.

curl -L -o otoroshi.jar ''

Then you can start Otoroshi:

java -Dotoroshi.adminPassword=password -jar otoroshi.jar 

Now you can log into Otoroshi at with

Create a new route, exposed on, which will forward all requests to the mirror. Each call to this service will return the body and the headers received by the mirror.

curl -X POST '' \
-H "Content-type: application/json" \
-u admin-api-apikey-id:admin-api-apikey-secret \
-d @- <<'EOF'
{
  "name": "my-service",
  "frontend": {
    "domains": [""]
  },
  "backend": {
    "targets": [
      {
        "hostname": "",
        "port": 443,
        "tls": true
      }
    ]
  }
}
EOF

Configure an Auth0 client

The first step of this tutorial is to set up an Auth0 application with the information of our Otoroshi instance.

Navigate to (create an account if it’s not already done).

Let’s create an application by clicking on the Applications button in the sidebar. Then click on the Create application button at the top right.

  1. Choose Regular Web Applications as Application type
  2. Then set for example otoroshi-client as Name, and confirm the creation
  3. Jump to the Settings tab
  4. Scroll to the Application URLs section and add the following URL as Allowed Callback URLs:
  5. Set as Allowed Logout URLs
  6. Set as Allowed Web Origins
  7. Save changes at the bottom of the page.

Once done, we have a full setup, with a client ID and secret at the top of the page, which authorizes our Otoroshi and redirects the user to the callback URL when they log into Auth0.

Create an Auth0 provider module

Let’s go back to Otoroshi to create an authentication module with OAuth2 / OIDC provider as its type.

  1. Go ahead, and navigate to
  2. Click on the cog icon at the top right
  3. Then click on the Authentication configs button
  4. Add a new configuration by clicking on the Add item button
  5. Select the OAuth provider in the type selector field
  6. Then click on Get from OIDC config and paste https://<tenant-name>.<region> Replace the tenant name with the name of your tenant (displayed at the top left of the Auth0 page) and the region with the region of your tenant (eu in my case).

Once done, set the Client ID and the Client secret from your Auth0 application. End the configuration with as Callback URL.

At the bottom of the page, disable the secure button (we’re using HTTP here, and this setting prevents the cookie from being included in a request that is not sent over a secure channel, typically HTTPS). Keep it enabled when Otoroshi is served over HTTPS.

Connect to Otoroshi with Auth0 authentication

To secure Otoroshi with your Auth0 configuration, we have to register an Authentication configuration as a BackOffice Auth. configuration.

  1. Navigate to the danger zone (click on the cog at the top right and select Danger zone)
  2. Scroll to the BackOffice auth. settings
  3. Select your last Authentication configuration (created in the previous section)
  4. Save the global configuration with the button on the top right

Testing your configuration

  1. Disconnect from your instance
  2. Then click on the Login using third-party button (or navigate to
  3. Click on Login using Third-party button
  4. If everything is configured correctly, Otoroshi will redirect you to the Auth0 server login page
  5. Enter your account credentials
  6. Good work! You’re connected to Otoroshi with an Auth0 module.

Secure an app with Auth0 authentication

With the previous configuration, you can secure any Otoroshi service.

The first step is to make a small change to the previous configuration.

  1. Navigate to
  2. Create a new Authentication module configuration with the same values.
  3. Replace the Callback URL field to (we changed this value because the redirection of a connected user by a third-party server is covered by another route by Otoroshi).
  4. Disable the secure button (we’re using HTTP here, and this setting prevents the cookie from being included in a request that is not sent over a secure channel, typically HTTPS)
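
Both authentication modules above have the secure button disabled because the tutorial runs over plain HTTP. The following added example (not part of the Otoroshi documentation) uses Python's standard `http.cookiejar` client to show what happens to a session cookie with and without the `Secure` attribute. The host name and cookie name are constructed placeholders, not Otoroshi's own values.

```python
# Added example (not from the Otoroshi docs): how a cookie-aware client treats
# a session cookie with and without the Secure attribute.
import email.message
import http.cookiejar
import urllib.request

# Constructed values: hypothetical host and cookie name.
HOST = "otoroshi.example.test"
COOKIE = "session=constructed-value; Path=/; HttpOnly"


class FakeResponse:
    """Minimal response object exposing info(), as CookieJar expects."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(secure_flag, login_scheme, next_scheme):
    """Return the Cookie header the client sends on the follow-up request.

    The cookie is set by a response to login_scheme://HOST/login and the
    follow-up request goes to next_scheme://HOST/ (None means nothing sent).
    """
    jar = http.cookiejar.CookieJar()
    set_cookie = COOKIE + ("; Secure" if secure_flag else "")
    login = urllib.request.Request(f"{login_scheme}://{HOST}/login")
    jar.extract_cookies(FakeResponse(set_cookie), login)

    follow_up = urllib.request.Request(f"{next_scheme}://{HOST}/")
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


if __name__ == "__main__":
    for secure, scheme in [(True, "http"), (False, "http"), (True, "https")]:
        sent = cookie_sent(secure, scheme, scheme)
        print(f"secure={secure!s:5} over {scheme:5} -> Cookie: {sent}")
```

With the flag on and plain HTTP, the follow-up request carries no session cookie, so the login never sticks; over HTTPS the same cookie is sent normally.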

Note: an Otoroshi service is called a private app when it is protected by an Authentication module.

We can set the Authentication module on your route.

  1. Navigate to any created route
  2. In the list of plugins, search for the plugin named Authentication
  3. Select your Authentication config inside the list
  4. Don’t forget to save your configuration.
  5. Now you can try to call your route and see the Auth0 login page appear.