Auth0 isn’t just another login box; it’s a system that decouples authentication and authorization from your application, letting you focus on building features instead of managing user credentials.
Here’s Auth0 in action, setting up a basic application and getting the first user logged in.
First, you’ll need an Auth0 account. Go to auth0.com and sign up. Once logged in, navigate to the "Applications" section and click "Create Application."
For this example, we’ll choose "Regular Web Application." Give it a name, like "My First App," and click "Create."
Auth0 then presents you with a dashboard. The key pieces of information you’ll need are your "Domain" and "Client ID." You can find these on the "Settings" tab of your newly created application. For instance, your domain might look like your-tenant-name.us.auth0.com, and your Client ID will be a long string of characters.
Now, let’s set up a simple Node.js application to integrate with Auth0. Install the express and express-session packages, and importantly, the auth0 package:
npm install express express-session auth0 dotenv
Create a .env file in your project root to store your Auth0 credentials securely:
AUTH0_DOMAIN=your-tenant-name.us.auth0.com
AUTH0_CLIENT_ID=your-client-id-here
AUTH0_CLIENT_SECRET=your-client-secret-here
SESSION_SECRET=a-very-secret-string-for-your-session
Important: You’ll need to generate a AUTH0_CLIENT_SECRET from your Auth0 application’s settings page. Find the "Advanced Settings" -> "API" tab, and under "Application Keys," click "Create Application Key." Copy the generated secret.
Now, set up your app.js file:
require('dotenv').config();
const express = require('express');
const session = require('express-session');
const { auth } = require('express-openid-connect');
const app = express();
const config = {
authRequired: false,
auth0Logout: true,
secret: process.env.SESSION_SECRET,
baseURL: 'http://localhost:3000', // Your application's URL
clientID: process.env.AUTH0_CLIENT_ID,
issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}`
};
// auth0 middleware
app.use(auth(config));
// Middleware to make user info available in templates
app.use((req, res, next) => {
res.locals.user = req.oidc.user;
next();
});
// Routes
app.get('/', (req, res) => {
res.send(
res.locals.user ?
`Welcome ${res.locals.user.name}! <a href="/logout">Logout</a>` :
'<a href="/login">Login</a>'
);
});
app.get('/profile', (req, res) => {
if (!req.oidc.isAuthenticated()) {
return res.redirect('/login');
}
res.json(req.oidc.user);
});
const port = process.env.PORT || 3000;
app.listen(port, () => {
console.log(`Server listening on port ${port}`);
});
In your Auth0 application settings, under "Application URIs," make sure to add http://localhost:3000/callback to both "Allowed Callback URLs" and "Allowed Logout URLs."
Run your Node.js application:
node app.js
Visit http://localhost:3000 in your browser. You’ll see a "Login" link. Clicking it redirects you to Auth0’s hosted login page. After entering your credentials (or signing up), Auth0 redirects you back to your application, and you’ll see "Welcome [Your Name]! Logout."
The express-openid-connect library handles the OpenID Connect flow. When you initialize it with your config, it sets up routes for /login, /logout, and /callback. The /callback route is where Auth0 sends the user back after successful authentication, exchanging an authorization code for tokens. The library then stores user information in the session and makes it available via req.oidc.user.
The most surprising thing about this setup is how little application code is needed to handle complex authentication flows like social logins, passwordless authentication, or multi-factor authentication; Auth0 provides these out-of-the-box and your application code remains largely the same.
The config.baseURL is critical; it must match the scheme and host/port your application is running on, and it’s used by Auth0 to construct the correct redirect URIs. If this is incorrect, you’ll often see errors related to invalid redirect_uri.
The next step is to explore role-based access control and how to use Auth0’s authorization features.