Express

By David Patrick

This tutorial demonstrates how to add user login, logout, and profile to a Node.js Express application. We recommend that you log in to follow this quickstart with examples configured for your account.

Get a sample configured with your account settings or check it out on Github.

View on Github
System requirements: NodeJS 10.13+ | Express 4.17+

Configure Auth0

You will need to register your application with Auth0 in order to start authenticating users. Go to the Applications screen in the Auth0 dashboard, create a new Regular Web Application, and follow the steps below.

1. Configure Callback URL

A callback URL is an application route where Auth0 redirects users after they have authenticated. This URL must be registered with Auth0 or else users will be unable to log in to the application and will get a "Callback URL mismatch" error.

The callback URL for the application created in this quickstart is http://localhost:3000/callback. Paste that in the Allowed Callback URLs field for the application you just created.

2. Configure Logout URL

A logout URL is an application route that Auth0 can return users to after logging out. This URL must be registered with Auth0 or else users will be unable to log out of the application and will get a "misconfiguration" error.

The logout URL for the application created in this quickstart is http://localhost:3000. Paste that in the Allowed Logout URLs field for the application you just created, then scroll down and click Save Changes.

3. Get Your Application Keys

Finally, copy the following fields for your application for use in step 7:

  • Domain
  • Client ID

Integrate Auth0

4. Install Dependencies

Your application will need the express-openid-connect package, an Auth0-maintained, OIDC-compliant library for Express.

npm install express express-openid-connect --save


5. Configure Router

The Express OpenID Connect library provides the auth router, which attaches the authentication routes to your application. You will need to configure the router with the following configuration keys:

  • authRequired - Controls whether authentication is required for all routes
  • auth0Logout - Uses Auth0 logout feature
  • baseURL - The URL where the application is served
  • secret - A long, random string used to encrypt the session cookie
  • issuerBaseURL - Your Auth0 Domain as an https:// URL, found in your Application settings
  • clientID - The Client ID found in your Application settings

Here is an example configuration using this router:

const express = require('express');
const { auth } = require('express-openid-connect');

const app = express();

const config = {
  authRequired: false,
  auth0Logout: true,
  baseURL: 'http://localhost:3000',
  clientID: '{yourClientId}',
  issuerBaseURL: 'https://{yourDomain}',
  // Generate with e.g. `openssl rand -hex 32` and load from the environment rather than source
  secret: 'LONG_RANDOM_STRING'
};

// auth router attaches /login, /logout, and /callback routes to the baseURL
app.use(auth(config));

// req.oidc.isAuthenticated() is provided by the auth router
app.get('/', (req, res) => {
  res.send(req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out');
});

app.listen(3000, () => console.log('Listening on http://localhost:3000'));


For additional configuration options visit the API documentation.

Login

A user can now log into your application by visiting the /login route provided by the library. If you are running your project on localhost:3000 that link would be http://localhost:3000/login.

Display User Profile

To display the user's profile, your application should provide a protected route.

Add the requiresAuth middleware for routes that require authentication. Any route using this middleware will check for a valid user session and, if one does not exist, it will redirect the user to log in.

const { requiresAuth } = require('express-openid-connect');

// requiresAuth() checks for a valid session and redirects to /login when there is none;
// req.oidc.user holds the claims of the logged-in user
app.get('/profile', requiresAuth(), (req, res) => {
  res.send(JSON.stringify(req.oidc.user));
});


Logout

A user can log out of your application by visiting the /logout route provided by the library. If you are running your project on localhost:3000 that link would be http://localhost:3000/logout.

What's next?

We put together a few examples of how to use Express OpenID Connect in more advanced use cases:
