Hi! We have a React SPA with a Node backend and want to integrate it with Auth0. As a starter we want to use Auth0 DB authentication via user/pass but in the future the plan is to add support for social login. On the app side the integration journey so far has been:
auth0-js library (either with redirect or pop-up). This works OK, but then we would like to customize the UI.
One way to do this is in the dashboard, under Universal Login -> Settings. Here we can tweak the logo, primary and background color, which is nice, but we want more control over the style.
Go to Universal Login -> Log-in template. This seems to be using the Lock component, so doing some research around that I got to https://auth0.com/docs/universal-login/advanced-customization where it says “Auth0.js is the SDK used for interacting with the Auth0 authentication API. Primarily, you would use the SDK if you need to build your own custom login UI…”.
At first glance, using the JS SDK with custom domains seems to be what I’m looking for, as that would allow us to get the most seamless signup / login experience.
However, when going to the Auth0 js SDK page (https://auth0.com/docs/libraries/auth0js/v9) it mentions that it is an embedded login method, which per https://auth0.com/docs/guides/login/universal-vs-embedded is not recommended.
This brings me to a couple of questions:
Is there a way to fully customize the signup / login pages (html+css) using Universal Login? Or is the only way to do that to use our own forms with the auth0-js lib?
In https://auth0.com/docs/guides/login/universal-vs-embedded#embedded-login-with-auth0 the main issue seems to be the risks associated with cross-origin authentication. However, if we use custom domains to match the one of our app, that shouldn’t be an issue (and https://auth0.com/docs/cross-origin-authentication seems to corroborate that). So, is a custom form with auth0-js lib + custom domains any less secure than using the universal login? If so, can you explain why?
Thanks in advance,