Google cloud functions - auth0

Hello.

I’m working on an application. The application has to be implemented using Google Cloud Functions (on node10) and, at least for the beginning, it should use the free tier of auth0, which basically prevents me from using a single-page approach with the Lock library. I would prefer to implement it on the “server” side with Universal Login.

Is there some kind of library to help me with this approach? Do you have some recommendations? Whole concept of stateless and cloud computing is something new to me and I’ve never done anything like this before.

Thanks for your replies.
S.

Hi @inas,

Welcome to the Community!

We have quite a few quickstarts that help you work through adding authentication to most common frameworks and languages.

If you want to narrow things down to a node/express app there is really only one option for the quickstarts, this one.

Also, being free tier shouldn’t stop you from using a SPA if this is a good solution for your application, or lock (although I wouldn’t recommend going with lock unless you need it for some reason, the new universal login makes everything very simple and easy to set up).

As for the serverless component, we have some resources but I can’t find much specific to google cloud functions. Do you have a specific question about it?

Hi, thanks for the reply.

I cannot use the node/express tutorials; as a GCF user, I cannot add middleware (well, I can pretty easily use passport or other libs by calling passport()(req, res), but that’s not really a good approach).

Right now, I’ve implemented oauth using the “openid-client” library; however, I’m in doubt mainly for security reasons (like verifying the state variable, which I cannot store on a (stateless) server).

If I would like to make a SPA, how can I use universal login?

@inas,

We have a SPA sdk, auth0-spa-js. You see it in use in any of our SPA quickstarts. Any of these apps (or one you build with auth0-spa-js) will utilize universal login for authentication.

I am not a GCF expert, as I have stated, but I think you should be able to serve a SPA from your function and have authentication happen in the client, and not require a stateful backend.

Yes, I’ve found it myself. I’ve been pretty much overwhelmed by all the possibilities and have got lost. However, I’ve tried a basic implementation of a SPA I’ve found on github and somehow, it’s broken - I’m getting timeouts in one browser (Vivaldi). Others (Chromium, Firefox) work fine.

There is a FAQ mentioning this, but constants are correct, it wouldn’t work in other browsers otherwise. Any tips?

Okay, I’ve found, where the problem was.

It was not (as I’ve expected) problem with browser but with auth0 API. I’ve “accidentally” set Allowed Web Origin with trailing slash, which caused that every first login try worked fine and every other (in the same browser & user profile) not. Now it looks OK.

Great, sounds like this one is resolved. Let us know if you have any more questions.

Hi. Thanks for your replies. After understanding how to do authentication correctly, I finished it without problem. However, right now, I’m struggling with the other part - calling an API.

There is no simple tutorial about verifying tokens on the server side without using express and its middleware (and it would be very useful to have one!).

So, right now, I’m sending a request from browser with Authentication: Bearer ${this.props.auth0.getTokenSilently()} header, the token I get is, for example c2HJ9aKytbxhGUVeFHoy5u0YR14zPOl3.

But I’m struggling to even understand what this is. If I understand it correctly, this should be a JWT in the format HEADER.PAYLOAD.SIGNATURE (but base64 encoded). But the token string I get is not base64-encoded JSON and is so short it could not even contain kid.

So, did I miss something? How am I supposed to verify the request?

Okay, so finally I solved it. For getting JWT token, I have to use audience when calling createAuth0Client. I believe this should be mentioned in tutorials and especially in documentation.

So, I hope I’m not going to ask any question anymore and I hope this may help someone in the future. Thanks.

Yes, glad you figured it out. That is in fact an opaque token, not a JWT.

Hopefully someone else will find this useful! Thanks for following up with your solution.

Let us know if there is anything else we can do.

Dan
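
The check discussed in this thread, verifying a bearer token in a plain `(req, res)` function without Express middleware, as an added example that is not code from any poster or from Auth0. It assumes RS256-signed JWT access tokens; `ISSUER`, `AUDIENCE`, `demo-kid`, the function names and the locally generated key pair (standing in for the key published in the issuer's JWKS) are constructed for illustration.

```javascript
const crypto = require('crypto');
// Constructed placeholders (assumptions): issuer, API audience and key id.
const ISSUER = 'https://tenant.example.invalid/';
const AUDIENCE = 'https://api.example.invalid';
// A locally generated key pair stands in for the issuer's signing key; a real
// function would load the public key from the issuer's JWKS and cache it.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KEYS = new Map([['demo-kid', publicKey]]);

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
// Demo helper only: mints a token the way the issuer would.
function signDemoToken(claims, kid = 'demo-kid') {
  const input = `${b64u({ alg: 'RS256', typ: 'JWT', kid })}.${b64u(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Returns the claims or throws; `now` is injectable so expiry can be tested.
function verifyAccessToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT (opaque token?)');
  let header, claims;
  try {
    [header, claims] = parts.slice(0, 2)
      .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString()));
  } catch { throw new Error('malformed JWT'); }
  // Pin the algorithm; never let the token header choose it.
  if (!header || !claims || header.alg !== 'RS256') throw new Error('unexpected alg');
  const key = KEYS.get(header.kid);
  if (!key) throw new Error('unknown kid');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('RSA-SHA256', signed, key, Buffer.from(parts[2], 'base64url')))
    throw new Error('bad signature');
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(AUDIENCE)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Cloud Functions style HTTP handler: plain (req, res), no middleware chain.
function handler(req, res) {
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
  try {
    const claims = verifyAccessToken(m ? m[1] : '');
    res.status(200).json({ sub: claims.sub });
  } catch (e) {
    res.status(401).json({ error: e.message });
  }
}
```

The short token quoted earlier in the thread fails at the first check because it has no three dot-separated parts, which is how an opaque token shows up on the API side.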
