To set up Auth0 for authentication in a Next.js app, follow these detailed steps:
Sign up and Create an Auth0 Application
- Go to the Auth0 website and sign up for a free account or log in if you already have one.
- Once logged in, go to the Auth0 Dashboard and click on "Applications" in the sidebar.
- Click the âCreate Applicationâ button.
- Name your application (e.g., "Next.js App").
- Choose the application type as "Regular Web Application" since Next.js has its own backend rendering and API routes.
- Click âCreateâ to finish the application setup.
Configure Application Settings in Auth0
- Go to the Settings tab for your created application.
- Note the following important credentials that you will need:
- Domain (e.g., your-tenant.auth0.com)
- Client ID
- Client Secret
- Configure Allowed Callback URLs by specifying where Auth0 should redirect users after login. For development, use:
- http://localhost:3000/api/auth/callback
- Configure Allowed Logout URLs to tell Auth0 where to redirect users after logout:
- http://localhost:3000
- Configure Allowed Web Origins to specify the origin of your app:
- http://localhost:3000
- Save the changes.
Set Environment Variables for Next.js
- In your Next.js project root directory, create a file named `.env.local` to store your Auth0 credentials securely.
- Add the following environment variables, replacing placeholder values with your actual Auth0 credentials:
AUTH0_SECRET=your-generated-secret-key
AUTH0_BASE_URL=http://localhost:3000
AUTH0_ISSUER_BASE_URL=https://your-auth0-domain
AUTH0_CLIENT_ID=your-auth0-client-id
AUTH0_CLIENT_SECRET=your-auth0-client-secret
- Generate a strong secret key for `AUTH0_SECRET` by running the following command in your terminal:
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
- Make sure to restart your Next.js development server after adding environment variables.
Install Required Auth0 SDK in Next.js
- Using your terminal, run:
npm install @auth0/nextjs-auth0
- This package facilitates authentication flows and session management between your Next.js app and Auth0.
Set up Authentication API Routes
- In your Next.js project, create a folder structure under `pages/api/auth/` or for App Router under `app/api/auth/[...auth0]/route.ts` depending on your Next.js version.
- With the App Router approach (Next.js 13+), create the file `app/api/auth/[auth0]/route.ts` with the following content:
typescript
import { handleAuth } from '@auth0/nextjs-auth0';
export const GET = handleAuth();
export const POST = handleAuth();
- This will automatically create routes for login (`/api/auth/login`), logout (`/api/auth/logout`), callback (`/api/auth/callback`), and session user info (`/api/auth/me`).
Using Authentication in Your Next.js App
- To initiate login, use the login API route in a client component or page:
jsx
import Link from 'next/link';
export default function LoginButton() {
return Log in;
}
- To logout:
jsx
import Link from 'next/link';
export default function LogoutButton() {
return Log out;
}
- To access the authenticated user's session on the client side, you can call an endpoint like `/api/auth/me` or use helper hooks from the SDK if available.
Protecting Pages and Fetching User Session
- To protect server-side rendered pages and fetch the user session, leverage Next.js API route methods via SDK helpers.
- You can wrap your API or page handlers to check if a user is authenticated and redirect or show unauthorized access otherwise.
Example fetching session in `getServerSideProps`:
js
import { getSession } from '@auth0/nextjs-auth0';
export async function getServerSideProps({ req, res }) {
const session = getSession(req, res);
if (!session?.user) {
return {
redirect: {
destination: '/api/auth/login',
permanent: false,
}
};
}
return {
props: { user: session.user }
};
}
Customize Auth0 Login Experience
- Auth0 provides Universal Login, a hosted login page customizable from the dashboard.
- You can configure branding, social login options, and multi-factor authentication in the Auth0 dashboard settings.
- Redirects and callback URLs ensure users return to your Next.js app seamlessly after login or logout.
Deploying to Production
- When deploying the Next.js app, update your Auth0 application URLs (Callback, Logout, Web Origins) to reflect your production domain.
- Set environment variables in your production server or hosting platform accordingly.
- Ensure HTTPS is enabled for security in production environment URLs.
Additional Enhancements
- Implement role-based access control (RBAC) using Auth0 rules or Auth0 Authorization Core.
- Use Auth0 hooks for advanced customizations like modifying tokens or user profile claims.
- Leverage SDK events to handle session expiration and refresh tokens.
Summary of Key Steps:
1. Create Auth0 application and configure Allowed URLs.
2. Set up environment variables securely in `.env.local`.
3. Install `@auth0/nextjs-auth0` SDK.
4. Create API routes to handle authentication.
5. Use login/logout endpoints within your Next.js UI.
6. Protect pages by checking user session server-side.
7. Customize Auth0 Universal Login for user experience.
8. Adjust URLs and secrets for production deployment.