Portal access — step-by-step setup for all users¶
Goal: Give every team role (trustees, mentors, students, parents, Omesh) access to both portals using email and password.
Portal 1: portal.stemracing.us (STEM Racing official)¶
No setup needed. This portal is public — no login required. Everyone can access training, rules, and competition info by visiting the URL directly.
Share these links with all team members:
| Resource | URL |
|---|---|
| Portal home | https://portal.stemracing.us |
| Rules & regulations | https://portal.stemracing.us/rules |
| Virtual training guide | https://portal.stemracing.us/virtual-training-guide |
| Acing your interviews | https://portal.stemracing.us/virtual-training/acing-your-interviews |
| Competition classes | https://www.stemracing.us/competition-classes |
Competition registration (when open for 2026–27 season): Follow steps on https://portal.stemracing.us under "Competition Information." Registration typically requires the lead adult (Alex) to register the team. Students do not need individual accounts.
Portal 2: docs.apexstem.org (internal wiki)¶
This requires setup. Currently: Cloudflare Access with One-time PIN, only ~3 trustees.
Target state: Email/password login for all roles, with access scoped by role.
Understanding your options¶
Cloudflare Access does not have a built-in email/password database. It delegates authentication to an identity provider (IdP). Your options for email/password:
| Option | What users see | Setup time | Cost | Best for |
|---|---|---|---|---|
| Auth0 (recommended for email/password) | Standard email/password login form | ~30 min | Free (up to 25,000 monthly users) | Any user with any email address |
| One-time PIN (current) | Enter email → get 6-digit code | Already done | Free | Small groups, backup method |
Recommendation: Set up Auth0 as the primary login (true email/password) with One-time PIN as backup. This gives every user a standard login form regardless of email provider.
Step 1: Create an Auth0 tenant (free) — ~10 min¶
- Go to auth0.com and sign up (or log in).
- Create a new tenant — name it something like
apexstem. - Your tenant domain will be:
apexstem.us.auth0.com(or similar).
Step 2: Create an Auth0 application — ~5 min¶
- In Auth0 dashboard → Applications → Applications → Create Application.
- Name:
Apex STEM Wiki - Type: Regular Web Application
- Click Create.
- Go to the Settings tab. Note these values (you'll need them for Cloudflare):
- Domain (e.g.,
apexstem.us.auth0.com) - Client ID
- Client Secret
- Scroll to Allowed Callback URLs and add:
https://apexstem.cloudflareaccess.com/cdn-cgi/access/callback
(Replace apexstem with your Cloudflare team name — find it at Cloudflare One → Settings → Team name.)
- Click Save Changes.
Step 3: Note the Auth0 OIDC endpoints — ~2 min¶
From your Auth0 tenant domain, the endpoints are:
| Field (in Cloudflare) | Auth0 URL |
|---|---|
| Auth URL | https://apexstem.us.auth0.com/authorize |
| Token URL | https://apexstem.us.auth0.com/oauth/token |
| Certificate URL | https://apexstem.us.auth0.com/.well-known/jwks.json |
(Replace apexstem.us.auth0.com with your actual Auth0 tenant domain.)
You can verify all endpoints at: https://apexstem.us.auth0.com/.well-known/openid-configuration
Step 4: Add Auth0 as an IdP in Cloudflare Access — ~5 min¶
- Go to one.dash.cloudflare.com.
- Sidebar → Integrations → Identity providers (or Settings → Authentication).
- Add new identity provider → OpenID Connect (the generic OIDC option).
- Fill in:
| Field | Value |
|---|---|
| Name | Auth0 Email/Password |
| App ID (Client ID) | (from Auth0 Step 2) |
| Client Secret | (from Auth0 Step 2) |
| Auth URL | https://YOUR-TENANT.us.auth0.com/authorize |
| Token URL | https://YOUR-TENANT.us.auth0.com/oauth/token |
| Certificate URL | https://YOUR-TENANT.us.auth0.com/.well-known/jwks.json |
| PKCE | Disabled |
| Email claim name | email (default) |
| Scopes | openid email profile |
- Click Save.
- Click Test — it should redirect to Auth0's login page. Sign in with the account you created Auth0 with. On success, you'll see a confirmation.
Step 5: Keep One-time PIN as backup¶
Don't remove the existing One-time PIN provider. Users will see both options on the login screen: - Auth0 (email/password) — primary - One-time PIN — backup if Auth0 has issues
Step 6: Create Access Groups (RBAC) — ~10 min¶
These groups control who can access what. Go to Access controls → Groups (or create them inline in policies).
Create the following groups based on rbac-groups.md:
| Group name | Members (emails) | Who |
|---|---|---|
apex-admin |
Alex's admin email, 1 backup admin | Technical admins |
apex-board |
Board trustee emails | Board members |
apex-mentors |
Adult mentor emails | Adult mentors / coaches |
apex-parents-ridge-racers |
Parent/guardian emails | Ridge Racers parents |
apex-students-ridge-racers |
Student emails (Brandon, Jonas, Brian, Sophia, Noah, Max, Caleb) | Team students |
apex-student-mentors |
Omesh's email | HS volunteer mentors |
How to create a group:
1. Access controls → Groups → Create group.
2. Group name: e.g., apex-mentors
3. Include rule: Selector = Emails → add each person's email address.
4. Save.
Important: Store the email-to-group mapping in your board password manager or secretary's offline sheet — not in git (per existing policy in rbac-groups.md).
Step 7: Create Access Policies — ~10 min¶
Policies determine who can reach docs.apexstem.org.
Option A: Single application, everyone allowed (simpler — recommended for Year 1)
Since MkDocs doesn't support path-based access control natively, and Cloudflare path policies require separate applications per path:
- Access controls → Applications → find your existing
docs.apexstem.orgapplication → Edit. - Under Policies, edit (or replace) the existing
Apex trusteespolicy: - Policy name:
All approved users - Action: Allow
- Include: Add each Access Group:
apex-adminapex-boardapex-mentorsapex-parents-ridge-racersapex-students-ridge-racersapex-student-mentors
- Under Authentication, enable both:
Auth0 Email/PasswordOne-time PIN- Save.
Option B: Path-based policies (later — requires separate Access applications per path)
Defer this to after you've confirmed the wiki auth banner is working. See rbac-groups.md for the planned path policy table.
Step 8: Pre-create Auth0 user accounts — ~15 min¶
Users need Auth0 accounts before they can log in.
- In Auth0 dashboard → User Management → Users → Create User.
- For each person:
- Email: their email address
- Password: set a temporary password (they can reset it)
- Connection:
Username-Password-Authentication(default) - Click Create.
Users to create:
| Name | Role | Auth0 account email |
|---|---|---|
| Alex Seto | Admin / Lead mentor | (your email) |
| (Trustee 2) | Board | (their email) |
| (Trustee 3) | Board | (their email) |
| Omesh Cholan | Student mentor | (his email — get from parent) |
| Brandon | Student | (their email) |
| Jonas | Student | (their email) |
| Brian | Student | (their email) |
| Sophia | Student | (their email) |
| Noah | Student | (their email) |
| Max | Student | (their email) |
| Caleb | Student | (their email) |
| (Parents) | Parent | (each parent's email) |
Alternative: Let users self-register. In Auth0, you can enable the sign-up form on the login page. Then anyone can create an account, but only emails in your Cloudflare Access groups will be allowed through. This is simpler than pre-creating accounts.
To enable self-registration: 1. Auth0 → Authentication → Database → Username-Password-Authentication. 2. Ensure Disable Sign Ups is OFF (sign-ups allowed). 3. Users who sign up but aren't in a Cloudflare Access group will be blocked by Cloudflare — Auth0 lets them in, but Cloudflare's policy stops unauthorized emails.
Step 9: Test each role — ~10 min¶
Use an incognito/private browser window for each test:
- [ ] Admin email → should see full wiki
- [ ] Mentor email → should see full wiki
- [ ] Student email → should see full wiki
- [ ] Parent email → should see full wiki
- [ ] Omesh's email → should see full wiki
- [ ] Unlisted email → should be blocked by Cloudflare Access
Step 10: Send login instructions — ~5 min¶
Template message to send each user:
Subject: Access to Apex STEM wiki (docs.apexstem.org)
Hi [Name],
You now have access to the Ridge Racers / Apex STEM team wiki.
URL: https://docs.apexstem.org
To log in: 1. Go to https://docs.apexstem.org 2. Click "Auth0 Email/Password" (or "One-time PIN" if you prefer) 3. Sign in with your email and the password you were given (or create an account if prompted) 4. You can reset your password from the login page
Start here: Once logged in, go to the Start here page to find your role-specific guide.
Questions → Alex Seto
Seat count check¶
Cloudflare Access free tier: ~50 seats.
| Role | Count |
|---|---|
| Admin/board | 3 |
| Student mentor (Omesh) | 1 |
| Students | 7 |
| Parents | ~7 |
| Future mentors | ~2 |
| Total | ~20 |
Well within the 50-seat limit.
Checklist summary¶
- [ ] Auth0 tenant created
- [ ] Auth0 application configured with Cloudflare callback URL
- [ ] Auth0 added as OIDC provider in Cloudflare Access
- [ ] One-time PIN kept as backup
- [ ] Access Groups created for each role
- [ ] Emails assigned to groups (stored in password manager, not git)
- [ ] Application policy updated to allow all groups
- [ ] User accounts created in Auth0 (or self-registration enabled)
- [ ] Tested with each role in incognito
- [ ] Login instructions sent to all users
Related¶
- cloudflare_one_access_setup.md — original Cloudflare Access setup
- rbac-groups.md — RBAC group definitions
- portal/STATUS.md — implementation status
- stem-racing-links.md — STEM Racing official resources