Liferay Auth

flashyjen · October 2, 2025, 11:36pm

Reading about Liferay integration with Auth0 here.

https://learn.liferay.com/w/dxp/security-and-administration/security/configuring-sso/configuring-liferay-authentication-with-auth0-using-openid-connect

Based on the documentation, after successful authentication on Auth0, request gets redirected to Liferay callback URI with an auth token. My question is, how does Liferay determine that ‘auth token‘ is for a successfully authenticated user? can someone generate an ‘auth token’ on the fly to spoof a user?

The reason I’m asking that question is because I wanted to find out, if my Liferay App need additional call to Auth0 with this ‘auth token’ to ensure it is valid?

olafk · October 3, 2025, 8:21am

Should be well documented in OpenID Connect.

My assumption is that an additional payload (e.g. parameters, json, xml etc) will be part of the redirection, and very likely cryptographically signed.

Zsigmond_Rab · October 3, 2025, 8:53am

Everything happens according to the parts for Relying Parties detailed in the Final: OpenID Connect Core 1.0 incorporating errata set 2 specification.

Topic	Replies	Views
OAuth2 Bearer Token Flow: Liferay Not Recognizing OAuth2 Incoming Assertion Configuration from Instance Settings Bug Reports	23	March 18, 2026
OIDC login button for utility pages Product Ideas	76	January 5, 2026
Permit the use of "none" in supported token endpoint auth methods Product Ideas product	28	December 2, 2025
External SSO support for Analytics Cloud Product Ideas	11	March 25, 2026
About the Integration category Integration	31	August 21, 2025

Liferay Auth

Related topics