Auth0.js custom login + NodeJS middleware

Hello! So I managed to authenticate our users with auth0.js using webAuth0.login() method. But how can I see if users are authenticated on our NodeJS application? Unfortunately, there is no clear workflow on your documentations.

function setConfig() {

    webAuth = new auth0.WebAuth({
      domain: '',
      redirectUri: '',
      clientID: 'XYZ',
      responseType: 'token'



     $('#login').click(function(e) {
        realm: 'Username-Password-Authentication',
        email: $('#email').val(),
        password: $('#password').val()
      function(err, data) {


Middleware secured():

module.exports = function () {
    return function secured (req, res, next) {
      if (req.user) { return next(); }

      req.session.returnTo = req.originalUrl;

Callback route:

router.get('/login/callback', function (req, res, next) {
    passport.authenticate('auth0', function (err, user, info) {
      if (err) { return next(err); }
      if (!user) { return res.redirect('/login'); }
      req.logIn(user, function (err) {
        if (err) { return next(err); }
      //  const returnTo = req.session.returnTo;
      //  delete req.session.returnTo;
    })(req, res, next);

EDIT 1: Whenever I hit the middleware secured() after having authenticated a user with Auth0.js v9 (webAuth.login() method), the middleware then returns a Universal Login page, as if the user has never been authenticated before.

I’ve had some issues in this area as well.
Are you handling the callback when the user returns from the login screen?

I believe it is the WebAuth.parseHash() method.

We managed to get it working by using Resource Owner Password flow and then apply the MFA Challenges using the mfa_token.

Once we had the access_token (after MFA completed succesfully), we were good to go and apply our secured() middleware!

Yet, how we use Auth0.js v9 + NodeJS Middleware remains unclear…


EDIT 1: We had to implement our custom PassportJS Strategy