Security News
GitHub Removes Malicious Pull Requests Targeting Open Source Repositories
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
The auth0-js package is a JavaScript client library for integrating Auth0 authentication and authorization services into web applications. It provides a variety of methods for handling user authentication, managing user sessions, and interacting with Auth0's API.
User Authentication
This feature allows you to authenticate users by redirecting them to the Auth0 login page. The code sample demonstrates how to initialize the Auth0 client and trigger the authentication process.
const auth0 = new auth0.WebAuth({
domain: 'YOUR_AUTH0_DOMAIN',
clientID: 'YOUR_CLIENT_ID'
});
auth0.authorize({
redirectUri: 'YOUR_CALLBACK_URL',
responseType: 'token id_token',
scope: 'openid profile email'
});
Handling Authentication Callback
This feature handles the authentication callback after the user has logged in. The code sample shows how to parse the URL hash to extract authentication tokens.
auth0.parseHash((err, authResult) => {
if (authResult && authResult.accessToken && authResult.idToken) {
window.location.hash = '';
// Save the tokens in local storage or a cookie
} else if (err) {
console.error('Error parsing hash:', err);
}
});
User Logout
This feature allows you to log out users from the application. The code sample demonstrates how to trigger the logout process and redirect the user to a specified URL.
auth0.logout({
returnTo: 'YOUR_RETURN_URL',
clientID: 'YOUR_CLIENT_ID'
});
Silent Authentication
This feature allows you to silently authenticate users without redirecting them to the login page. The code sample shows how to check the user's session and obtain new tokens if needed.
auth0.checkSession({}, (err, authResult) => {
if (err) {
console.error('Error during silent authentication:', err);
} else {
// Use the authResult to get new tokens
}
});
Passport is a popular authentication middleware for Node.js. It provides a wide range of authentication strategies, including OAuth, OpenID, and more. Unlike auth0-js, which is specific to Auth0, Passport is more flexible and can be used with various authentication providers.
Firebase Authentication provides backend services for easy use of authentication in web and mobile apps. It supports various authentication methods like email/password, phone, and social providers. Compared to auth0-js, Firebase Authentication is part of the larger Firebase platform, offering more integrated services.
Client Side Javascript toolkit for Auth0 API.
If you want to read the full API documentation of auth0.js, see here.
From CDN:
<!-- Latest patch release -->
<script src="https://cdn.auth0.com/js/auth0/9.11.1/auth0.min.js"></script>
From npm:
npm install auth0-js
After installing the auth0-js
module, you'll need bundle it up along with all of its dependencies.
Provides support for all the authentication flows.
var auth0 = new auth0.WebAuth({
domain: '{YOUR_AUTH0_DOMAIN}',
clientID: '{YOUR_AUTH0_CLIENT_ID}'
});
Parameters:
'example.auth0.com'
or 'example.eu.auth0.com'
.code
, token
, id_token
. If you don't provide a global responseType
, you will have to provide a responseType
for each method that you use.'fragment'
. The parseHash
method can be used to parse authentication responses using fragment response mode. Supported values are query
, fragment
and form_post
. The query
value is only supported when responseType
is code
.false
./authorize
endpoint to start an authentication/authorization transaction.
Auth0 will call back to your application with the results at the specified redirectUri
. The default scope for this method is openid profile email
.auth0.authorize({
audience: 'https://mystore.com/api/v2',
scope: 'read:order write:order',
responseType: 'token',
redirectUri: 'https://example.com/auth/callback'
});
This method requires that your tokens are signed with RS256. Please check our Migration Guide for more information.
auth0.parseHash({ hash: window.location.hash }, function(err, authResult) {
if (err) {
return console.log(err);
}
// The contents of authResult depend on which authentication parameters were used.
// It can include the following:
// authResult.accessToken - access token for the API specified by `audience`
// authResult.expiresIn - string with the access token's expiration time in seconds
// authResult.idToken - ID token JWT containing user profile information
auth0.client.userInfo(authResult.accessToken, function(err, user) {
// Now you have the user's information
});
});
{error: 'login_required'}
.The method accepts any valid OAuth2 parameters that would normally be sent to /authorize
.
Everything happens inside an iframe, so it will not reload your application or redirect away from it.auth0.checkSession(
{
audience: 'https://mystore.com/api/v2',
scope: 'read:order write:order'
},
function(err, authResult) {
// Authentication tokens or error
}
);
The contents of authResult
are identical to those returned by parseHash()
.
Important: If you're not using the hosted login page to do social logins, you have to use your own social connection keys. If you use Auth0's dev keys, you'll always get
login_required
as an error when callingcheckSession
.
Important: Because there is no redirect in this method,
responseType: 'code'
is not supported and will throw an error.
Remember to add the URL where the authorization request originates from to the Allowed Web Origins list of your Auth0 Application in the Dashboard under your Applications's Settings.
/oauth/token
. This will not initialize a SSO session at Auth0, hence can not be used along with silent authentication.auth0.client.login(
{
realm: 'Username-Password-Authentication', //connection name or HRD domain
username: 'info@auth0.com',
password: 'areallystrongpassword',
audience: 'https://mystore.com/api/v2',
scope: 'read:order write:order'
},
function(err, authResult) {
// Auth tokens in the result or an error
}
);
The contents of authResult
are identical to those returned by parseHash()
.
Provides an API client for the Auth0 Authentication API.
var auth0 = new auth0.Authentication({
domain: '{YOUR_AUTH0_DOMAIN}',
clientID: '{YOUR_AUTH0_CLIENT_ID}'
});
/authorize
url in order to initialize a new authN/authZ transaction. https://auth0.com/docs/api/authentication#database-ad-ldap-passive-oauth/token
endpoint with password
grant type. https://auth0.com/docs/api-auth/grant/passwordoauth/token
endpoint with https://auth0.com/oauth/grant-type/password-realm
grant type.oauth/token
endpoint./userinfo
endpoint and returns the user profile.Provides an API Client for the Auth0 Management API (only methods meant to be used from the client with the user token). You should use an access_token with the https://YOUR_DOMAIN.auth0.com/api/v2/
audience to make this work. For more information, read the user management section of the Auth0.js documentation.
var auth0 = new auth0.Management({
domain: '{YOUR_AUTH0_DOMAIN}',
token: '{ACCESS_TOKEN_FROM_THE_USER}'
});
For a complete reference and examples please check our docs.
If you need help migrating to v9, please refer to the v9 Migration Guide.
If you need help migrating to v8, please refer to the v8 Migration Guide.
Run npm start
and point your browser to https://localhost:3000/example
to run the example page.
Run npm run test
to run the test suite.
Run npm run test:watch
to run the test suite while you work.
Run npm run test:coverage
to run the test suite with coverage report.
Run npm run lint
to run the linter and check code styles.
If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.
For auth0 related questions/support please use the Support Center.
This project is licensed under the MIT license. See the LICENSE file for more info.
v9.11.1 (2019-06-27)
Fixed
FAQs
Auth0 headless browser sdk
The npm package auth0-js receives a total of 35,030 weekly downloads. As such, auth0-js popularity was classified as popular.
We found that auth0-js demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 49 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
GitHub removed 27 malicious pull requests attempting to inject harmful code across multiple open source repositories, in another round of low-effort attacks.
Security News
RubyGems.org has added a new "maintainer" role that allows for publishing new versions of gems. This new permission type is aimed at improving security for gem owners and the service overall.
Security News
Node.js will be enforcing stricter semver-major PR policies a month before major releases to enhance stability and ensure reliable release candidates.