Skip to main content

Auth0 Syndicated Authentication

When OPBX runs in SaaS mode, users can authenticate through Auth0 social identity providers. Auth0 syndicated authentication works alongside the existing email/password flow: existing password users can keep using their password, and they can optionally link one or more social providers to the same account.

Feature Overview

Use this module for:

  • Signing up new organizations with a social account.
  • Logging in with a linked social provider.
  • Linking and unlinking social identities from a user's profile.
  • Inviting new team members by email and having them accept through Auth0.
  • Letting new users request membership in an existing organization.

The feature is available only when OPBX_SAAS_ENABLED=true and the Auth0 tenant is configured. See Auth0 Setup for configuration instructions.

User Flows

New User — Create an Organization

  1. Go to /ui/register.
  2. Click the social provider you want to use.
  3. Complete authentication with Auth0.
  4. OPBX creates a new organization and assigns the Owner role.
  5. The user is logged in and redirected to the Dashboard.

This is the social equivalent of the local registration flow described in First Login.

New User — Request to Join an Existing Organization

  1. Go to /ui/register and click a social provider.
  2. After Auth0 returns to OPBX, the onboarding page appears.
  3. Choose Request to join an organization.
  4. Enter the target organization's slug.
  5. Submit the request.

An Owner or PBX Admin of the target organization reviews pending requests. Once approved, the user becomes an active PBX User in that organization.

Existing User — Social Login

  1. Go to /ui/login.
  2. Click the social provider that was previously linked.
  3. Complete authentication with Auth0.
  4. OPBX matches the provider identity and issues an access token.
  5. The user is redirected to the Dashboard.
  1. Log in with the existing email and password.
  2. Go to Profile settings and open Linked Accounts.
  3. Click Connect next to the desired provider.
  4. Authenticate with Auth0 using the same verified email address.
  5. The provider is linked. From now on, login can use either the password or the linked provider.
  1. Go to Profile > Linked Accounts.
  2. Click Disconnect next to the provider.
  3. The provider identity is removed, but the OPBX account and password remain active.

Accept an Invitation

Owners and PBX Admins can invite users by email from the User Management screen:

  1. The administrator sends an invitation to an email address.
  2. OPBX creates a pending user and sends a magic-link email.
  3. The invitee opens the link and authenticates with Auth0 using the invited email.
  4. OPBX activates the pending user as a PBX User and issues a session token.

If the social provider does not return a verified email, or if the email does not match the invitation, the acceptance fails and the user is returned to the login page.

Organization Join Requests

Join requests are created when a new user chooses to join an existing organization instead of creating one.

Submitting a Request

New users submit a request from the Auth0 onboarding page. The request records:

  • The target organization slug.
  • The user's email, name, and social provider details.

Managing Requests

Owners and PBX Admins can review pending requests and take one of the following actions:

ActionResult
ApproveCreates an active PBX User, links the social identity, and notifies the requester.
RejectMarks the request as rejected; the requester must create an organization or request to join a different one.

Requests that are not pending cannot be approved again.

Permissions

ActionOwnerPBX AdminPBX UserReporter
Log in with a social providerYesYesYesYes
Link/unlink own social identityYesYesYesYes
Invite users by emailYesYesNoNo
Approve or reject join requestsYesYesNoNo
User Invitations

Invited users are always created with the PBX User role. Only Owners and PBX Admins can send invitations.

Error Handling

Common Auth0-related errors and how to resolve them:

ErrorCauseResolution
AUTH0_NOT_CONFIGUREDSaaS mode or Auth0 variables are missing.Verify .env and run php artisan config:clear.
AUTH0_INVALID_STATEThe OAuth state expired or the callback was reused.Try logging in again.
AUTH0_EMAIL_UNVERIFIEDThe social provider did not return a verified email.Verify the email with the provider.
AUTH0_ACCOUNT_EXISTSThe email already has a password account.Log in with the password, then link the provider.
AUTH0_LINK_EMAIL_MISMATCHThe Auth0 email does not match the logged-in account.Use the same email or link a different provider.
INVITE_EXPIRED_OR_INVALIDThe invitation token is missing, expired, or already used.Ask an administrator for a new invitation.
JOIN_REQUEST_PENDINGThe join request is waiting for approval.Wait for an Owner or PBX Admin to approve it.
MethodEndpointPurpose
POST/v1/auth/auth0/redirectStart the Auth0 authorization flow
GET/v1/auth/auth0/callbackComplete the flow and exchange the code
POST/v1/auth/auth0/linkStart account linking
POST/v1/auth/auth0/unlinkUnlink a provider identity
POST/v1/users/inviteInvite a user by email
GET/v1/users/invite/validateValidate an invitation token
POST/v1/users/invite/acceptAccept an invitation and get the Auth0 redirect URL
GET/v1/organizations/join-requestsList pending join requests
POST/v1/organizations/join-requestsSubmit a join request
POST/v1/organizations/join-requests/{id}/approveApprove a join request
POST/v1/organizations/join-requests/{id}/rejectReject a join request

See the OPBX REST API reference for full request/response schemas.

Key Data Fields

user_social_identities Table

ColumnTypeNotes
idbigintPrimary key
user_idFKLinked OPBX user
providerenumgoogle, facebook, microsoft, github, x
provider_subjectstringUnique identifier from the social provider
provider_emailstringEmail returned by the provider at link time
provider_datajsonAdditional provider metadata

organization_join_requests Table

ColumnTypeNotes
idbigintPrimary key
organization_idFKTarget organization
emailstringRequester's email
namestringRequester's display name
providerenumSocial provider used
provider_subjectstringSocial provider subject
statusenumpending, approved, rejected
roleenumDefaults to pbx_user
  • User Management — Create and manage users, roles, and invitations
  • Settings — Configure organization-wide settings and linked accounts
  • Auth0 Setup — Auth0 tenant and environment configuration