Auth0 OpenID Setup

This guide walks through a basic setup allowing Auth0 users to authenticate with a Kasm deployment.

Reference Docs:

Creating an Auth0 OAuth App

  1. Login to the Auth0 portal as an Admin.

  2. Expand Authentication and select Applications.

  3. Click Create Application.


Create Application

  1. Give the app a name (e.g Kasm OIDC), select Regular Web Application and click Create.


Create Web Application

  1. Select the Settings Tab.

  2. Take note of the Client ID and Client Secret values. These will be used in later steps.


Create ID and Secret

  1. In the Application URIs section enter https://<kasm-deployment>/api/oidc_callback. For example (


Callback URI

  1. Scroll down and expand Advanced Settings, the select Endpoints. Take note of the OAuth Authorization URL, OAuth Token URL, and OAuth User Info URL. These will be used in later steps.


OAuth Endpoints

  1. Click Save Changes.

(Optional) Configuring Auth0 to forward User Roles

In many cases it may be desireable to place SSO users in specific Kasm Groups based on their Roles as defined within Auth0. The following steps may be used to configure Auth0 to provide Kasm with the User’s Role during authentication.

  1. From the Auth0 admin console expand Actions, select Library and click Build Custom.


Build Custom Action

  1. In the Create Action popup, enter a name (e.g Add User Roles) , select Login / Post Login as the Trigger and the recommended runtime (e.g Node 18 Recommended).


Create Action

  1. Click Create.

  2. Replace the contents of editor with the following code snippet and click Deploy .

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'auth0';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);

Deploy Action


This example is pulled from the Auth0 Documentation:

The namespace can be changed as desired. Per the example auth0 is used which will result in the Groups Attrbute setting in the Kasm OIDC config being auth0/roles.

  1. In the main menu, expand Actions, select Flows, then click Login.


Login Flow

  1. In the Add Action section, select Custom. The recently created action (e.g Add User Roles) should be visible.


Login Flow

  1. Drag the action into the workflow and click Apply.


Login Flow

Kasm OpenID Config

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Authentication -> OpenID -> Add Config.

  3. Update the form with the following entries, using the Client ID and Client Secret gathered in the previous section.



Display Name

Continue with Auth0

Logo URL



Auto Login






Client ID

<Client ID from Auth0>

Client Secret

<Client Secret from Auth0>

Authorization URL

<OAuth Authorization URL from the Auth0 configuration>

Token URL

<OAuth Token URL from the Auth0 configuration>

User Info URL

<OAuth User Info URL from the Auth0 configuration>


openid email profile

Username Attribute


Groups Attribute





Kasm OIDC Configurations

  1. Click Save to save the changes.

Auth0 Login Test

  1. Logout of the Kasm to display the login screen. The OpenID configuration should be shown.


Login Screen

  1. Click Continue with Auth0

  2. The user is redirected to Auth0 for auth.


Auth0 Auth

  1. Upon completion, the user is logged into the Kasm app.

Group Mapping

In a previous section Auth0 was configured to send a list of Roles the user belongs to during the OpenID auth workflow. We can now configure Kasm Groups with the Role associations so that users are automatically added/removed based on their Auth0 Membership.

  1. Log into the Kasm UI as an administrator.

  2. Select Access Management -> Groups -> Add Group.

  3. Name the Group Premium, and define a priority.

  4. Click Save to create the group.


Group Configuration

  1. On the groups screen, using the arrow menu select Edit on the group that was just created.

  2. Navigate to the SSO Group Mappings tab and select Add SSO Mapping.

  3. Select the OpenID IDP that was created above OpenID - Continue with Auth0 for the SSO Provider.

  4. Then enter the Auth0 group name desired in the Group Attributes field, e.g Kasm Premium.

  5. Click Submit


Add SSO Group Mapping

The Example Role as defined in Auth0.


Auth0 Role SSO

  1. Logout, then login via the Auth0 Open ID login with a user that is a member of the specified group.

  2. View the users group membership to ensure they are added to the newly created group.