OIDC + Auth0

09-08-2021 10:33 AM
Labels (1)
New Contributor

I set up the OIDC security component in our enterprise portal with Auth0. Followed all the steps, but I'm getting a strange error:

The username you entered is not a member of this organization. Please request an invitation from its administrator.

I dug into the OIDC specs here, but I'm not seeing "username" as part of the OIDC spec; the "preferred_username" is not guaranteed to be unique. I validated that the user has access to all organizations within our Esri. I ensured the user is successfully authenticating within Auth0. The "Send access token in header" is active.

The email of the user is something like: test.user@domain.com

I've tried usernames of:





For more investigation, I spun up an AWS Cognito pool and tied the Esri OIDC to that, and got it working fine. However, the usernames as presented in AWS Cognito are GUIDs, and that is the _only_ username that Esri will recognize, which I believe is the "user_id" in the token coming from the allowed scopes of: "openid email proifle." The "user_id" coming from Auth0 is "auth0|{guid}" and the pipe is a prohibited character.


How is the unique OIDC Esri implementation mapping "username" from the Auth0 token when "username" isn't part of the OIDC spec?

0 Kudos
0 Replies