Enterprise connections using OpenID Connect or Okta Workforce as the can support Proof Key for Code Exchange (PKCE), as well as attribute and token mapping.

Configure PKCE for OIDC connections

Connect and Okta Workforce connections are automatically configured to support Proof Key for Code Exchange (PKCE). If your OIDC identity provider (IdP) supports PKCE through OIDC Discovery metadata, Auth0 will use the strongest algorithm available by default. For more information on OIDC Discovery metadata, review OpenID’s documentation.

View PKCE configuration for a connection

You can view the PKCE configuration for a specific connection through the :
  1. Navigate to Authentication > Enterprise and choose your OIDC provider (either OpenID Connect or Okta Workforce).
  2. Select the Settings tab.
  3. In the General section, locate the Connection Profile field.
You can manage the PKCE configuration for a connection through the Auth0 Dashboard:
  1. Navigate to Dashboard > Authenticate >Enterprise and choose your OIDC provider (either OpenID Connect or Okta Workforce).
  2. Select the Settings tab and locate the Connection Profile field.
  3. Set the pkce property to one of the supported values listed below.
  4. Select Save.

Supported PKCE configuration values

Auth0 supports the following values for PKCE configuration:
ValueDescription
autoDefault value. Uses the strongest algorithm available.
s256Uses the SHA-256 algorithm. Auth0 does not currently support RS512 tokens.
plainUses plaintext as described in the PKCE specification.
disabledDisables support for PKCE.
Setting the pkce property to a value other than automay prevent a connection from working properly if the selected value is not supported by the identity provider.Do not set the property to disabled except when troubleshooting authentication issues.
Azure AD LimitationIf you are using an OpenID Connect connection for Azure AD, you must set pkce to s256 as the connection’s metadata does not expose the hashing algorithm used. Currently, the Azure AD Enterprise connection does not support PKCE.

Map Claims for OIDC connections

OpenID Connect and Okta Workforce connections can automatically map claims received from the identity provider (IdP). You can configure this mapping through a library template provided by Auth0 or by entering your own template directly.
Mapped claims are not automatically added to an Auth0 ID token. To add claims to an ID token, see Create custom claims.

Mapping template properties

Mapping templates support the options.attribute_map object properties listed below. Templates must be in JSON format with valid key/value pairs.
PropertyRequired?Description
mapping_modeRequiredMethod used to map incoming claims.
userinfo_scopeOptionalScopes to send to the IdP’s Userinfo endpoint.
attributesRequiredObject containing mapping details for incoming claims.

Mapping mode

The mapping_mode property defines the method used to map incoming claims from the IdP to the Auth0 user profile. mapping_mode supports the following values:
ValueDescription
use_mapUses the provided template to map the data.
bind_allCopies all data elements provided by the IdP.

Restricted claims

Some claims are reserved for use by Auth0; such claims cannot be used as attribute keys for user profiles. If you set the mapping_mode property to bind_all, your IdP may attempt to map values to one or more of these restricted claims. While this does not prevent users from authenticating on your connection, values associated with restricted claims are not mapped to the Auth0 user profile. If you set mapping_mode to use_map, you can map the incoming restricted claim to a valid one: 
"attribute_map": {
        "mapping_mode": "use_map",
        "attributes": {
            "amr": "{context.tokenset.amr}" // `amr` is a restricted claim and will not be mapped
            "federated_amr": "{context.tokenset.amr}" // `federated_amr` is not a restricted claim and will be mapped
        }
    }
For a complete list of restricted claims, review Create Custom Claims.

UserInfo scope

The userinfo_scope property defines the scopes that Auth0 sends to the IdP’s UserInfo endpoint when requested. For example, if you want to send the standard OIDC scopes and the groups scope when requesting the UserInfo endpoint, you can do so as follows: 
"attribute_map": {
    . . .
    "mapping_mode": "bind_all",
    "userinfo_scope": "openid email profile groups",
    . . .
}

Attributes

The attributes property is an object containing mapping information that allows Auth0 to interpret incoming claims from the IdP. Mapping information must be provided as key/value pairs. The key to the left corresponds to an Auth0 user profile attribute. The value to the right represents the incoming claim from the IdP, which can be expressed as a literal value, a dynamic context object, or a combination of both. Dynamic context objects are template expressions written in the familiar ${variable} format. 
"attribute_map": {
    . . .
    "attributes": {
        "name": "${context.tokenset.name}",
        "email": "${context.tokenset.email}",
        "username": "${context.tokenset.preferred_username}"
    }
}

Literal values

A literal value is a static value mapped to a specific profile attribute for all users on your connection. For example, if you are configuring a SalesForce OIDC connection and want to assign the same SFDC Community ID to all user profiles, you can do so as follows: 
"attribute_map": {
    . . .
    "attributes": {

        "sf_community_id": "3423409219032-32"
    }
}

Context object

You can map dynamic values to user profile attributes by using the context object. This allows you to store unique values for individual profiles, as opposed to literal values that are static across all profiles. The context object supports the following properties:
PropertyDescription
context.connectionContains the following properties: - id: The connection’s unique identifier (for example, con_4423423423432423). - strategy: The connection’s strategy (for example, oidc).
context.tokensetContains the following properties: - access_token: The entire validated access token sent by the IdP. - <claim name>: Any ID token claim sent by the IdP.
context.userinfoContains the following properties: - <claim name>: Any available claim provided by the IdP’s UserInfo endpoint.

Examples

Simple user claim mapping

This example demonstrates how to map common user claims to the Auth0 user profile with data from the : 
"attribute_map": {
    . . .
    "attributes": {
        "name": "${context.tokenset.name}",
        "email": "${context.tokenset.email}",
        "username": "${context.tokenset.preferred_username}"
    }
}

Group claim mapping

This example shows how to map groups to the Auth0 user profile from the incoming IdP: 
"attribute_map": {
    . . .
    "attributes": {
        "federated_groups": "${context.userinfo.groups}",
        "federated_locale": "${context.userinfo.locale}",
        "federated_zoneinfo": "${context.userinfo.zoneinfo}"
    }
}

Combining literal values and context objects

This example demonstrates how to combine literal values and dynamic template expressions to map a complex value to an attribute on the Auth0 user profile: 
"attribute_map":{
    . . .
    "attributes": {
        "alt_id": "user_email|${context.tokenset.email}",
        . . .
    }
}