Auth0 User Registration and Role Management Setup Guide

Overview

Your Auth0 integration now includes comprehensive role-based access control with a "pending" state for new users. Here's what's been implemented:

🔒 Security Model

User Registration Flow

Anyone can register via Auth0 (Google, email/password, etc.)
New users get "pending" role automatically
Pending users cannot access protected content
Admin must approve users and assign proper roles
Only approved users can access medical data and search

Role Hierarchy

pending - New users, no access to protected content
patient - Basic access to medical data
clinician - Enhanced access to technical documentation
admin - Full access + user management capabilities

🚀 Setup Steps

1. Environment Configuration

Create a .env file (copy from .env.example):

# Auth0 Configuration
AUTH0_DOMAIN=auth.jmdaling.co.za
AUTH0_API_AUDIENCE=https://remission-api

# Auth0 Management API (for user management)
AUTH0_MANAGEMENT_CLIENT_ID=your_m2m_client_id
AUTH0_MANAGEMENT_CLIENT_SECRET=your_m2m_client_secret

2. Auth0 Dashboard Setup

A. API Configuration

Go to Auth0 Dashboard > Applications > APIs
Create/update your API:
Name: Remission Health API
Identifier: https://remission-api
Signing Algorithm: RS256

B. Machine-to-Machine App (for Management API)

Go to Applications > Create Application
Choose Machine to Machine
Name: Remission User Management
Authorize for: Auth0 Management API
Required Scopes:
read:users
update:users
read:roles
update:user_roles
Copy Client ID and Secret to your .env file

C. Default Role Action

Go to Auth0 Dashboard > Actions > Flows
Select Login flow
Create new Action: "Assign Default Pending Role"

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://remission.health/roles';

  // Check if user has any roles assigned
  const userRoles = event.user.app_metadata?.roles || [];

  // If no roles, assign 'pending'
  if (userRoles.length === 0) {
    api.user.setAppMetadata('roles', ['pending']);
  }

  // Add roles to token
  api.idToken.setCustomClaim(namespace, userRoles);
  api.accessToken.setCustomClaim(namespace, userRoles);
};

Deploy the Action and add to Login flow

3. Frontend Configuration

Copy the Auth0 config template:

cp docs/javascripts/auth0-config.template.js docs/javascripts/auth0-config.js

Edit docs/javascripts/auth0-config.js with your credentials:

window.auth0Config = {
    domain: 'your-tenant.us.auth0.com',
    clientId: 'your_spa_client_id',
    audience: 'https://remission-api',
    redirectUri: window.location.origin,
    scope: 'openid profile email'
};

4. Build and Deploy

# Rebuild with new dependencies
docker compose down
docker compose up -d --build

👑 Admin Interface Usage

Accessing Admin Panel

Log in with admin role
Go to /admin page
View dashboard with user statistics

Managing Users

View Pending Approvals

See all users waiting for approval
Quick approve individual users
Bulk approve all as "patient" role

User Management

Search users by email
Filter by role
Change user roles
Revoke access (return to pending)

Available Actions

Approve as Patient - Basic medical data access
Approve as Clinician - Enhanced documentation access
Promote to Admin - Full system access
Revoke Access - Return to pending status

🔧 API Endpoints

Protected Endpoints (Require Authentication)

POST /search - Vector search (approved users only)
POST /ask - RAG question answering (approved users only)

Admin Endpoints (Admin Role Required)

GET /api/admin/stats - User statistics
GET /api/admin/users/pending - Pending users list
GET /api/admin/users - All users (paginated)
POST /api/admin/users/approve - Approve single user
POST /api/admin/users/bulk-approve - Approve multiple users
PUT /api/admin/users/{id}/role - Change user role
DELETE /api/admin/users/{id} - Revoke user access

🛡️ Security Features

JWT Verification

RSA256 signature verification
Audience validation (https://remission-api)
Issuer validation (https://your-domain.auth0.com/)
Token expiration handling

Role-Based Access

require_approved_user() - Blocks pending users
require_role("admin") - Requires specific role
require_any_role(["clinician", "admin"]) - Multiple role options

Data Isolation

Multi-tenant support via get_tenant_id()
Each user can only access their own data
Admin can manage all users

🧪 Testing

Test User Registration

Open site in incognito window
Register new account
Verify you see "pending approval" message
Log in as admin, approve the user
Test approved user can access protected content

Test Role Changes

Create test users with different roles
Verify access levels for each role
Test role changes via admin interface
Confirm immediate effect (may need re-login)

🚨 Troubleshooting

Common Issues

"Account pending approval" message for admin - Check Action is deployed and in Login flow - Verify admin user has roles in app_metadata - Check custom claims namespace matches

Admin interface shows "Insufficient permissions" - Ensure user has admin role in Auth0 - Check roles are added to JWT token - Verify custom claims Action is working

API calls fail with 401 - Check environment variables are set - Verify Auth0 domain and audience match - Confirm JWTs include required claims

Debug Commands

# Check environment variables
docker exec remission env | grep AUTH0

# View user token in browser console
console.log(localStorage.getItem('access_token'))

# Test Management API connection
docker exec remission python -c "
from src.auth.auth0_management import Auth0ManagementAPI
api = Auth0ManagementAPI()
print(api.get_role_statistics())
"

📝 Next Steps

Set up email notifications for new user registrations
Add user onboarding flow with role-specific welcome messages
Implement user self-service for basic profile management
Add audit logging for admin actions
Configure production domains and CORS settings

This guide covers the complete Auth0 setup for secure, role-based access to your health platform.