auth0-js

What is auth0-js?

The auth0-js package is a JavaScript client library for integrating Auth0 authentication and authorization services into web applications. It provides a variety of methods for handling user authentication, managing user sessions, and interacting with Auth0's API.

What are auth0-js's main functionalities?

User Authentication

This feature allows you to authenticate users by redirecting them to the Auth0 login page. The code sample demonstrates how to initialize the Auth0 client and trigger the authentication process.

const auth0 = new auth0.WebAuth({
  domain: 'YOUR_AUTH0_DOMAIN',
  clientID: 'YOUR_CLIENT_ID'
});

auth0.authorize({
  redirectUri: 'YOUR_CALLBACK_URL',
  responseType: 'token id_token',
  scope: 'openid profile email'
});

Handling Authentication Callback

This feature handles the authentication callback after the user has logged in. The code sample shows how to parse the URL hash to extract authentication tokens.

auth0.parseHash((err, authResult) => {
  if (authResult && authResult.accessToken && authResult.idToken) {
    window.location.hash = '';
    // Save the tokens in local storage or a cookie
  } else if (err) {
    console.error('Error parsing hash:', err);
  }
});

User Logout

This feature allows you to log out users from the application. The code sample demonstrates how to trigger the logout process and redirect the user to a specified URL.

auth0.logout({
  returnTo: 'YOUR_RETURN_URL',
  clientID: 'YOUR_CLIENT_ID'
});

Silent Authentication

This feature allows you to silently authenticate users without redirecting them to the login page. The code sample shows how to check the user's session and obtain new tokens if needed.

auth0.checkSession({}, (err, authResult) => {
  if (err) {
    console.error('Error during silent authentication:', err);
  } else {
    // Use the authResult to get new tokens
  }
});

Other packages similar to auth0-js

passport

Passport is a popular authentication middleware for Node.js. It provides a wide range of authentication strategies, including OAuth, OpenID, and more. Unlike auth0-js, which is specific to Auth0, Passport is more flexible and can be used with various authentication providers.

firebase-auth

Firebase Authentication provides backend services for easy use of authentication in web and mobile apps. It supports various authentication methods like email/password, phone, and social providers. Compared to auth0-js, Firebase Authentication is part of the larger Firebase platform, offering more integrated services.

README

auth0.js

Client Side Javascript toolkit for Auth0 API.

If you want to read the full API documentation of auth0.js, see here.

Index

1. Install
2. auth0.WebAuth
3. auth0.Authentication
4. auth0.Management
5. Documentation
6. Migration
7. Develop
8. Issue Reporting
9. Author
10. License

Install

From CDN:

<!-- Latest patch release -->
<script src="https://cdn.auth0.com/js/auth0/9.12.2/auth0.min.js"></script>

From npm:

npm install auth0-js

After installing the auth0-js module, you'll need bundle it up along with all of its dependencies.

auth0.WebAuth

Provides support for all the authentication flows.

Initialize

var auth0 = new auth0.WebAuth({
  domain: '{YOUR_AUTH0_DOMAIN}',
  clientID: '{YOUR_AUTH0_CLIENT_ID}'
});

Parameters:

• domain {REQUIRED, string}: Your Auth0 account domain such as 'example.auth0.com' or 'example.eu.auth0.com'.
• clientID {REQUIRED, string}: The Client ID found on your Application settings page.
• redirectUri {OPTIONAL, string}: The URL where Auth0 will call back to with the result of a successful or failed authentication. It must be whitelisted in the "Allowed Callback URLs" in your Auth0 Application's settings.
• scope {OPTIONAL, string}: The default scope used for all authorization requests.
• audience {OPTIONAL, string}: The default audience, used if requesting access to an API.
• responseType {OPTIONAL, string}: Response type for all authentication requests. It can be any space separated list of the values code, token, id_token. If you don't provide a global responseType, you will have to provide a responseType for each method that you use.
• responseMode {OPTIONAL, string}: The default responseMode used, defaults to 'fragment'. The parseHash method can be used to parse authentication responses using fragment response mode. Supported values are query, fragment and form_post. The query value is only supported when responseType is code.
• _disableDeprecationWarnings {OPTIONAL, boolean}: Indicates if deprecation warnings should be output to the browser console, defaults to false.
• maxAge {OPTIONAL, number}: Used during token validation. Specifies the maximum elapsed time in seconds since the last time the user was actively authenticated by the authorization server. If the elapsed time is greater than this value, the token is considered invalid and the user must be re-authenticated.
• leeway {OPTIONAL, number}: Used during ID token validation. Specifies the number of seconds to account for clock skew when validating time-based claims such as iat and exp. The default is 60 seconds.

API

• authorize(options): Redirects to the /authorize endpoint to start an authentication/authorization transaction. Auth0 will call back to your application with the results at the specified redirectUri. The default scope for this method is openid profile email.

auth0.authorize({
  audience: 'https://mystore.com/api/v2',
  scope: 'read:order write:order',
  responseType: 'token',
  redirectUri: 'https://example.com/auth/callback'
});

• parseHash(options, callback): Parses a URL hash fragment to extract the result of an Auth0 authentication response.

This method requires that your tokens are signed with RS256. Please check our Migration Guide for more information.

auth0.parseHash({ hash: window.location.hash }, function(err, authResult) {
  if (err) {
    return console.log(err);
  }

  // The contents of authResult depend on which authentication parameters were used.
  // It can include the following:
  // authResult.accessToken - access token for the API specified by `audience`
  // authResult.expiresIn - string with the access token's expiration time in seconds
  // authResult.idToken - ID token JWT containing user profile information

  auth0.client.userInfo(authResult.accessToken, function(err, user) {
    // Now you have the user's information
  });
});

• checkSession(options, callback): Allows you to acquire a new token from Auth0 for a user who already has an SSO session established against Auth0 for your domain. If the user is not authenticated, the authentication result will be empty and you'll receive an error like this: {error: 'login_required'}.The method accepts any valid OAuth2 parameters that would normally be sent to /authorize. Everything happens inside an iframe, so it will not reload your application or redirect away from it.

auth0.checkSession(
  {
    audience: 'https://mystore.com/api/v2',
    scope: 'read:order write:order'
  },
  function(err, authResult) {
    // Authentication tokens or error
  }
);

The contents of authResult are identical to those returned by parseHash().

Important: If you're not using the hosted login page to do social logins, you have to use your own social connection keys. If you use Auth0's dev keys, you'll always get login_required as an error when calling checkSession.

Important: Because there is no redirect in this method, responseType: 'code' is not supported and will throw an error.

Remember to add the URL where the authorization request originates from to the Allowed Web Origins list of your Auth0 Application in the Dashboard under your Applications's Settings.

• client.login(options, callback): Authenticates a user with username and password in a realm using /oauth/token. This will not initialize a SSO session at Auth0, hence can not be used along with silent authentication.

auth0.client.login(
  {
    realm: 'Username-Password-Authentication', //connection name or HRD domain
    username: 'info@auth0.com',
    password: 'areallystrongpassword',
    audience: 'https://mystore.com/api/v2',
    scope: 'read:order write:order'
  },
  function(err, authResult) {
    // Auth tokens in the result or an error
  }
);

The contents of authResult are identical to those returned by parseHash().

auth0.Authentication

Provides an API client for the Auth0 Authentication API.

Initialize

var auth0 = new auth0.Authentication({
  domain: '{YOUR_AUTH0_DOMAIN}',
  clientID: '{YOUR_AUTH0_CLIENT_ID}'
});

API

• buildAuthorizeUrl(options): Builds and returns the /authorize url in order to initialize a new authN/authZ transaction. https://auth0.com/docs/api/authentication#database-ad-ldap-passive-
• buildLogoutUrl(options): Builds and returns the Logout url in order to initialize a new authN/authZ transaction. https://auth0.com/docs/api/authentication#logout
• loginWithDefaultDirectory(options, cb): Makes a call to the oauth/token endpoint with password grant type. https://auth0.com/docs/api-auth/grant/password
• login(options, cb): Makes a call to the oauth/token endpoint with https://auth0.com/oauth/grant-type/password-realm grant type.
• oauthToken(options, cb): Makes a call to the oauth/token endpoint.
• userInfo(token, cb): Makes a call to the /userinfo endpoint and returns the user profile.

auth0.Management

Provides an API Client for the Auth0 Management API (only methods meant to be used from the client with the user token). You should use an access_token with the https://YOUR_DOMAIN.auth0.com/api/v2/ audience to make this work. For more information, read the user management section of the Auth0.js documentation.

Initialize

var auth0 = new auth0.Management({
  domain: '{YOUR_AUTH0_DOMAIN}',
  token: '{ACCESS_TOKEN_FROM_THE_USER}'
});

API

• getUser(userId, cb): Returns the user profile. https://auth0.com/docs/api/management/v2#!/Users/get_users_by_id
• patchUserMetadata(userId, userMetadata, cb): Updates the user metadata. It will patch the user metadata with the attributes sent. https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id
• patchUserAttributes(userId, user, cb): Updates the user attributes. It will patch the root attributes that the server allows it. To check what attributes can be patched, go to https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id
• linkUser(userId, secondaryUserToken, cb): Link two users. https://auth0.com/docs/api/management/v2#!/Users/post_identities

Documentation

For a complete reference and examples please check our docs.

Migration

If you need help migrating to v9, please refer to the v9 Migration Guide.

If you need help migrating to v8, please refer to the v8 Migration Guide.

Develop

Run yarn install to set up the environment.

Run yarn start to point your browser to https://localhost:3000/ to verify the example page works.

Run yarn test to run the test suite.

Run yarn ci:test to run the tests that ci runs.

Run yarn test:watch to run the test suite while you work.

Run yarn test:coverage to run the test suite with coverage report.

Run yarn lint to run the linter and check code styles.

Run yarn install && yarn build && yarn test:es-check:es5 && yarn test:es-check:es2015:module to check for JS incompatibility.

See .circleci/config.yml for additional checks that might be run as part of circleci integration tests.

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

For auth0 related questions/support please use the Support Center.

Author

Auth0

License

This project is licensed under the MIT license. See the LICENSE file for more info.

Changelog

v9.12.2 (2020-01-14)

Full Changelog

Changed

• [SDK-1266] Bumped idtoken-verifier to latest patch #1073 (stevehobbsdev)

Security

• [Security] Bump handlebars from 4.1.2 to 4.5.3 #1068 (dependabot-preview[bot])