Posted by a guest, Oct 22nd, 2019
# Auth0 authentication flow with an Express app and MongoDB

Goal: use your own database for users and user data, and use Auth0 for the authentication layer only.

## Handling Auth0 user IDs

Auth0 gives each user a User ID, and your app receives this ID when a user logs in. This is a different ID than the ID that MongoDB assigns to each object in your database.

To combine Auth0 User IDs with your own users in your database, you can put the ID into your user object in one of two ways:

1. You can disable auto-generating IDs in your user schema, and instead, when you create a new user, you provide the Auth0 user ID as the ID for the new user.
2. You can keep using your own User IDs in your app (which are automatically generated by MongoDB by default) and add a new field to your user such as `auth0_id` which contains the Auth0 user ID.

## Integrating into Express middleware

You need the following routes to work (they can have any name).

- login start: this is the route that immediately redirects the user to the Auth0 authentication page, where the user will perform the login.
- login callback: this is the route that the Auth0 authentication page will redirect to after the user has completed authentication.
- logout: this route immediately redirects the user to an Auth0 logout page, which instantly performs a logout and then redirects the user to the logout return URL.
- logout return URL: this can be any URL that you want the user to return to after they have performed logout.

## What the Auth0 authentication page does

- If the user has not created an account with Auth0 for your app, they can't log in, but they can create an account. Then, Auth0 sets a cookie and redirects to your login callback URL with an Auth0 User ID.
- If the user has already created an account with your app using Auth0 before, they can log in and, if successful, Auth0 sets a cookie and redirects to your login callback URL with an Auth0 User ID.
- If the user arrives at the Auth0 authentication page and already has a logged-in cookie, the user is immediately redirected to the login callback URL with an Auth0 User ID.
- If the user fails authentication or cancels, then Auth0 redirects the user to your login callback URL but doesn't provide an Auth0 User ID.

## Creating a user object in your database

The first time that the user is redirected back to your login callback URL after going through the Auth0 authentication page, you will not yet have a user object in your database for that user.

You need a middleware which queries the database and finds out if there is already an existing user with the corresponding Auth0 User ID.

If the user already exists in your database: attach the user object to the request object, so that the Express actions (and templates) can use it.

If the user doesn't already exist: create a new user in the database, and then

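The middleware described in this section, written out as an added example that is not part of the original paste. It follows the second option from the user-ID section (MongoDB keeps its own `_id`, the Auth0 User ID goes into `auth0_id`) and assumes passport-auth0 has already placed the Auth0 profile on `req.user`, whose `id` property is the Auth0 User ID. `findOrCreateUser`, `attachDbUser`, `req.dbUser` and the in-memory collection are this example's own names; the collection is any object with the MongoDB driver's `findOne`/`insertOne` shape, so a real `db.collection('users')` drops in unchanged.

```javascript
// Added example (not from the original paste): look up, or create on first login,
// the app's own user record for the Auth0 User ID that passport-auth0 puts in req.user.id.

// Option 2 from the text: MongoDB generates _id, and auth0_id stores the Auth0 User ID.
async function findOrCreateUser(users, auth0Profile) {
  const auth0Id = auth0Profile && auth0Profile.id;
  if (typeof auth0Id !== 'string' || auth0Id.length === 0) {
    throw new Error('Auth0 profile has no user ID');
  }
  const existing = await users.findOne({ auth0_id: auth0Id });
  if (existing) return { user: existing, created: false };

  const doc = {
    auth0_id: auth0Id,
    // Copy only the claims the app needs; tokens and secrets never go in this document.
    display_name: auth0Profile.displayName || '',
    created_at: new Date(),
  };
  const result = await users.insertOne(doc);
  return { user: { _id: result.insertedId, ...doc }, created: true };
}

// Express middleware factory: attaches req.dbUser when the session carries an
// Auth0 identity, and sends requests without one back to the login start route.
function attachDbUser(users, loginPath = '/login') {
  return async function (req, res, next) {
    if (!req.user || !req.user.id) {
      // A failed or cancelled Auth0 login arrives with no User ID: nothing is created.
      return res.redirect(loginPath);
    }
    try {
      const { user } = await findOrCreateUser(users, req.user);
      req.dbUser = user;
      next();
    } catch (err) {
      next(err);
    }
  };
}

// Constructed in-memory stand-in for a MongoDB collection (driver-shaped API),
// so the example runs without a database.
function makeFakeUsersCollection() {
  const docs = [];
  let seq = 0;
  return {
    docs,
    async findOne(query) {
      return docs.find((d) => d.auth0_id === query.auth0_id) || null;
    },
    async insertOne(doc) {
      const insertedId = `oid${++seq}`;
      docs.push({ _id: insertedId, ...doc });
      return { insertedId };
    },
  };
}
```

Against a real database, create a unique index on `auth0_id` (`db.users.createIndex({ auth0_id: 1 }, { unique: true })`) so that two concurrent first requests from the same browser cannot both pass the `findOne` and insert two records; with the index, the second `insertOne` fails and the request can simply retry the lookup.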
## Using the Auth0 Passport module

The Passport module supports the Auth0 authentication strategy to handle the steps of interacting with the Auth0 API.

You don't need to use cookies manually, because the Auth0 Passport authentication strategy handles all the work of remembering the user for you. You just automatically get an Auth0 User ID to use in your app if the user has logged in.

## Note about new user vs returning user

As far as your app is concerned, when a user arrives at the login callback URL with an Auth0 User ID, you don't know if that user has just created an account, or if it's a returning user who is logging in.

The only thing you can find out is whether you already have a user in the database with that Auth0 User ID. In other words, you can find out from the database if you've already seen this user before or not.

## The Client ID and the Client Secret need to be set in your environment variables

The suggested solution is to use the `dotenv` module and store the environment variables in a file named `.env`.

The environment variables for Auth0 would look like this:

```env
AUTH0_CLIENT_ID=xxxxxxx
AUTH0_CLIENT_SECRET=xxxxxxxx
```

## Allowed URLs need to be configured

Allowed Callback URLs are a common source of problems if they're not configured correctly. If the setting is incorrect, the Auth0 error message will explain that the failure is caused by the allowed URLs setting.

After login or logout, Auth0 will redirect the user to the URL that you choose in the API call. But for that to work, you also need to add that URL to the Allowed Callback URLs.

To add Allowed URLs, you need to go into the Auth0 web interface and edit the settings for your particular Auth0 App.

## Logging out

Logging out involves redirecting the user to the Auth0 logout page, which then immediately redirects back to the Logout return URL. You need to add this URL to the Allowed URLs settings.
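The four routes from the Express middleware section, the Passport hand-off, and the logout redirect, wired together as an added example that is not code from the original paste. `app` and `passport` are passed in rather than required, so the wiring runs without a server; registering the passport-auth0 Strategy (`passport.use(new Auth0Strategy(...))`) is assumed to have happened elsewhere. The route names, `AUTH0_DOMAIN`, `LOGOUT_RETURN_URLS`, `configFromEnv`, `buildLogoutUrl`, `pickReturnTo` and `registerAuthRoutes` are this example's own assumptions; only `AUTH0_CLIENT_ID` and `AUTH0_CLIENT_SECRET` come from the page. Auth0's `/v2/logout` endpoint and the Allowed Logout URLs setting it checks `returnTo` against are real Auth0 behaviour.

```javascript
// Added example, not code from the original paste: the login start, login callback
// and logout routes on an Express app using passport-auth0.

// Read the Auth0 settings from the environment (dotenv loads .env into process.env).
// AUTH0_DOMAIN and LOGOUT_RETURN_URLS are this example's own names, not from the page.
function configFromEnv(env) {
  for (const name of ['AUTH0_DOMAIN', 'AUTH0_CLIENT_ID', 'AUTH0_CLIENT_SECRET']) {
    if (!env[name]) throw new Error(`missing environment variable ${name}`);
  }
  return {
    domain: env.AUTH0_DOMAIN,
    clientId: env.AUTH0_CLIENT_ID,
    clientSecret: env.AUTH0_CLIENT_SECRET,
    // Comma-separated list; the first entry is the default logout return URL.
    allowedReturnUrls: (env.LOGOUT_RETURN_URLS || '').split(',').filter(Boolean),
  };
}

// Auth0's /v2/logout endpoint takes client_id and returnTo; returnTo must also be
// listed under Allowed Logout URLs for the application in the Auth0 dashboard.
function buildLogoutUrl({ domain, clientId, returnTo }) {
  const url = new URL(`https://${domain}/v2/logout`);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('returnTo', returnTo);
  return url.toString();
}

// Only redirect to a return URL the app itself lists: a caller-supplied returnTo
// that is forwarded unchecked would turn the logout route into an open redirect.
function pickReturnTo(requested, allowed) {
  if (allowed.length === 0) throw new Error('no logout return URLs configured');
  return allowed.includes(requested) ? requested : allowed[0];
}

function registerAuthRoutes(app, passport, cfg, paths = {}) {
  const p = { login: '/login', callback: '/callback', logout: '/logout', afterLogin: '/', ...paths };

  // login start: passport-auth0 answers with a redirect to the Auth0 authentication page.
  app.get(p.login, passport.authenticate('auth0', { scope: 'openid email profile' }));

  // login callback: Auth0 sends the browser back here. With no user (failed or
  // cancelled login) there is nothing to store, so return to the login start.
  app.get(p.callback, (req, res, next) => {
    passport.authenticate('auth0', (err, user) => {
      if (err) return next(err);
      if (!user) return res.redirect(p.login);
      // req.logIn is added by passport; it stores the user in the session.
      req.logIn(user, (loginErr) => (loginErr ? next(loginErr) : res.redirect(p.afterLogin)));
    })(req, res, next);
  });

  // logout: drop the local session first, then hand off to the Auth0 logout page,
  // which in turn redirects to the logout return URL. Assumes passport >= 0.6,
  // where req.logout takes a callback.
  app.get(p.logout, (req, res, next) => {
    const returnTo = pickReturnTo(req.query && req.query.returnTo, cfg.allowedReturnUrls);
    req.logout((err) => {
      if (err) return next(err);
      res.redirect(buildLogoutUrl({ domain: cfg.domain, clientId: cfg.clientId, returnTo }));
    });
  });

  return p;
}
```

Every value in `LOGOUT_RETURN_URLS` also has to appear in the application's Allowed Logout URLs in the Auth0 dashboard, and the callback path in Allowed Callback URLs; keeping the allowlist in the app as well means a tampered `returnTo` is rejected before Auth0 ever sees it.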