---
title: Authenticating in Auth0 with PingOne Recognize
description: Integrate PingOne Recognize authentication with Auth0.
component: recognize
page_id: recognize:mobile-sdk:mobile-sdk-authenticating-in-auth0
canonical_url: https://docs.pingidentity.com/recognize/mobile-sdk/mobile-sdk-authenticating-in-auth0.html
llms_txt: https://docs.pingidentity.com/recognize/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
section_ids:
  configure-enterprise-oidc-connection-in-auth0: Configure Enterprise OIDC Connection in Auth0
  step-1-create-a-connection-in-auth0: "Step 1: Create a Connection in Auth0"
  step-2-enable-the-connection-for-applications: "Step 2: Enable the Connection for Applications"
  step-3-link-pingone-recognize-accounts-to-auth0-accounts: "Step 3: Link PingOne Recognize Accounts to Auth0 Accounts"
  mobile-integration: Mobile Integration
  enrollment: Enrollment
  android: Android
  ios: iOS
  flutter: Flutter
  authentication: Authentication
  android-2: Android
  ios-2: iOS
  flutter-2: Flutter
  openid-url-configuration: OpenID URL Configuration
---

# Authenticating in Auth0 with PingOne Recognize

Integrating PingOne Recognize authentication with an existing IAM requires preparation in multiple parts of the customer's service provider:

* **Binding Auth0 identity to a PingOne Recognize ID**: This happens during PingOne Recognize enrollment. The user performs enrollment with a configuration option that accepts an `idToken` from Auth0. Retrieve this token via the standard Auth0 login flow.

* **Account linking**: After `idToken` is bound to a PingOne Recognize identity, Auth0 authentication with PingOne Recognize can succeed. However, authentication can return a different `user_id` unless the Auth0 `user_id` and PingOne Recognize `user_id` are linked. Learn more in [Auth0 account linking](https://auth0.com/docs/manage-users/user-accounts/user-account-linking).

## Configure Enterprise OIDC Connection in Auth0

Create a secure connection between PingOne Recognize and Auth0 so PingOne Recognize can be used as an Identity Provider in Auth0.

Before following this guide, contact the PingOne Recognize Delivery Team to obtain:

* **Discovery URL**: `https://idp.keyless.io/realms/YOUR_REALM/.well-known/openid-configuration`

* **Client ID**: Provided by PingOne Recognize Delivery Team.

* **Client Secret**: Provided by PingOne Recognize Delivery Team.

* **Scopes**: Include additional scopes you need (for example: `openid`, `profile`, `email`).

### Step 1: Create a Connection in Auth0

1. Sign in to Auth0 and open the **Dashboard**.

2. Navigate to **Authentication > Enterprise > OpenID Connect**.

3. Select **Create Connection** and set:

   * **Name**: For example, `PingOne Recognize-SDK-Connection`.

   * **Issuer URL**: The discovery URL from the Delivery Team.

4. Test the connection with **Try Connection** in the Auth0 Dashboard.

### Step 2: Enable the Connection for Applications

1. In Auth0, go to **Applications > Applications**.

2. Select your app, open the **Connections** tab, and enable the PingOne Recognize connection.

After setup, pass the Auth0 connection name in the Auth0 `/authorize` endpoint used by your SDK flow.

### Step 3: Link PingOne Recognize Accounts to Auth0 Accounts

This step varies by implementation. Contact PingOne Recognize Solution Engineering to choose the best approach for your setup.

## Mobile Integration

Before enrollment and authentication, follow the [Getting Started with the PingOne Recognize Mobile SDK](mobile-sdk-getting-started.html).

### Enrollment

To enroll a user:

1. Retrieve the `id_token` from Auth0.

2. Perform PingOne Recognize enrollment and provide `id_token` using the `withIAMToken` builder/API.

#### Android

```kotlin
val idToken = "..." // retrieve id_token from Auth0

val configuration = EnrollmentConfiguration.builder
    .withIAMToken(token = idToken)
    .build()

Keyless.enroll(
    enrollmentConfiguration = configuration,
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> Log.d("KeylessSDK", "Enroll success - userId ${result.value.keylessId}")
            is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK", "Enroll failure - error code ${result.error.code}")
        }
    }
)
```

#### iOS

```swift
let idToken = "..." // retrieve id_token from Auth0

let configuration = Keyless.EnrollmentConfiguration.builder
    .withIAMToken(token: idToken)
    .build()

Keyless.enroll(enrollmentConfiguration: configuration) { result in
    switch result {
    case .success(let success):
        print("Enroll success - userID \(success.keylessId)")
    case .failure(let failure):
        print("Enroll failed - error \(failure.message)")
    }
}
```

#### Flutter

```dart
import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/enrollment_configuration.dart';

final idToken = "..."; // retrieve id_token from Auth0

final configuration = BiomEnrollConfig(iamToken: idToken);

try {
  final result = await Keyless.instance.enroll(configuration);
  print("Enrollment successful. PingOne Recognize ID: ${result.keylessId}");
} catch (error) {
  print("Enrollment failed: $error");
}
```

After enrollment succeeds, continue with authentication.

### Authentication

Before authentication:

* Generate a cryptographically secure UUID (`operationId`).

* Retrieve `keylessId` using `getUserId()`.

Then:

1. Build `login_hint = <operation_id>;<keyless_id>`.

2. Authenticate with PingOne Recognize including `operationId`.

#### Android

```kotlin
val operationId = UUID.randomUUID().toString()
val configuration = AuthenticationConfiguration.builder
    .withOperationInfo(operationId = operationId)
    .build()

Keyless.authenticate(
    authenticationConfiguration = configuration,
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> {
                val keylessId = /* Keyless.getUserId() */ "..."
                val loginHint = "$operationId;$keylessId"
                // Start Auth0 flow with PingOne Recognize connection and pass login_hint
            }
            is Keyless.KeylessResult.Failure -> {
                Log.d("KeylessSDK", "Authentication failure - error code ${result.error.code}")
            }
        }
    }
)
```

#### iOS

```swift
let operationID = UUID().uuidString
let configuration = Keyless.AuthenticationConfiguration.builder
    .withOperationInfo(id: operationID)
    .build()

Keyless.authenticate(authenticationConfiguration: configuration) { result in
    switch result {
    case .success:
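        do {
            // getUserId() returns a Result; handle its failure instead of crashing with try!
            let loginHint = "\(operationID);\(try Keyless.getUserId().get())"
            // Start Auth0 flow with PingOne Recognize connection and pass login_hint
        } catch {
            print("Could not read the user ID, cannot start Auth0 login flow.")
        }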
    case .failure:
        print("Failed authentication, cannot start Auth0 login flow.")
    }
}
```

#### Flutter

```dart
import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/authentication_configuration.dart';
import 'package:uuid/uuid.dart';

final operationId = const Uuid().v4();
final configuration = BiomAuthConfig(operationId: operationId);

try {
  final result = await Keyless.instance.authenticate(configuration);
  final keylessId = await Keyless.instance.getUserId();
  final loginHint = "$operationId;$keylessId";

  // Start Auth0 flow with PingOne Recognize connection and pass login_hint
  print("Authentication successful. Login hint: $loginHint");
} catch (error) {
  print("Authentication failed: $error");
}
```

After successful authentication, launch a custom tab to sign in with Auth0 and pass the `login_hint` query parameter.
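The following added example (not code from the PingOne Recognize or Auth0 SDKs) shows one way to build the Auth0 `/authorize` URL that the custom tab opens, carrying the connection name from Step 2 and the `login_hint` built above. The function name `buildAuthorizeRequest`, the domain, client ID, redirect URI and connection name are placeholders, and the `state`, `nonce` and PKCE parameters are standard OAuth 2.0 / OIDC additions that the page does not mention.

```kotlin
import java.net.URLEncoder
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// Assumed placeholders, not values from the page.
const val AUTH0_DOMAIN = "yourdomain.auth0.com"
const val CLIENT_ID = "YOUR_AUTH0_CLIENT_ID"
const val REDIRECT_URI = "com.example.app://callback"
const val CONNECTION = "YOUR_CONNECTION_NAME" // the name set in Step 1

// Values the app must keep until the callback: state and nonce are compared
// with the response, codeVerifier is sent in the token exchange.
data class AuthorizeRequest(val url: String, val state: String, val nonce: String, val codeVerifier: String)

// 32 random bytes, base64url without padding (java.util.Base64 needs API 26+ on Android).
private fun randomToken(): String =
    Base64.getUrlEncoder().withoutPadding()
        .encodeToString(ByteArray(32).also { SecureRandom().nextBytes(it) })
private fun enc(value: String): String = URLEncoder.encode(value, "UTF-8")

fun buildAuthorizeRequest(operationId: String, keylessId: String): AuthorizeRequest {
    // ';' is the separator, so neither part may contain it.
    require(';' !in operationId && ';' !in keylessId) { "';' not allowed in login_hint parts" }
    val state = randomToken()
    val nonce = randomToken()
    val verifier = randomToken()
    val digest = MessageDigest.getInstance("SHA-256").digest(verifier.toByteArray(Charsets.US_ASCII))
    val challenge = Base64.getUrlEncoder().withoutPadding().encodeToString(digest)
    val params = linkedMapOf(
        "response_type" to "code",
        "client_id" to CLIENT_ID,
        "redirect_uri" to REDIRECT_URI,
        "scope" to "openid profile email",
        "connection" to CONNECTION,
        "login_hint" to "$operationId;$keylessId", // sent as %3B after encoding
        "state" to state,
        "nonce" to nonce,
        "code_challenge" to challenge,
        "code_challenge_method" to "S256"
    )
    val query = params.entries.joinToString("&") { "${enc(it.key)}=${enc(it.value)}" }
    return AuthorizeRequest("https://$AUTH0_DOMAIN/authorize?$query", state, nonce, verifier)
}

fun main() {
    // Constructed sample inputs; in the app these come from the SDK calls above.
    val req = buildAuthorizeRequest("123e4567-e89b-12d3-a456-426614174000", "SAMPLE_KEYLESS_ID")
    println(req.url)
}
```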

## OpenID URL Configuration

After PingOne Recognize support grants dashboard access, configure the OpenID URL in the PingOne Recognize Dashboard:

1. Open **Access Control**.

2. Select the **IDP Configuration** tab, then **OpenID Configuration**.

3. Set **OpenID Configuration URL** to a valid URL, for example:

   * `https://yourdomain.auth0.com/.well-known/`

   * `https://yourdomain.auth0.com/.well-known`

   * `https://yourdomain.auth0.com/`

   * `https://yourdomain.auth0.com`

4. Select **Save Configuration**.
