How to save JWT token recieved from auth0 login securely (nodejs express)

grf · October 24, 2019, 3:11pm

am new to Auth0 and trying to implement it in my regular express web application. I need to protect/validate the user before they access some of my endpoints. My understanding is that i can do this with the JWT that is returned from the login callback. I have gotten that far, but when I login, it redirects, and I’m unsure of how to pass in the access token/store it securely on the client side.

this is what my callback endpoint looks like after logging in. It returns the authorization code but I am lost from here.

https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

I return this on login:

/callback?code=oi9-ZTieXo0hYL6A&state=sMJAUK4QVs7jziJ7lXvwmGKF

// Perform the final stage of authentication and redirect to previously requested URL or '/user'
router.get('/callback', function (req, res, next) {     
  passport.authenticate('auth0', function (err, user, info) {
    if (err) { return next(err); }
    if (!user) { return res.redirect('/login'); }
    req.logIn(user, function (err) {
      if (err) { return next(err); }
      const returnTo = req.session.returnTo;
      delete req.session.returnTo;  
        res.redirect('/user);
    });
  })(req, res, next);
});

where do i go from here?

this is a regular web application, and cannot be an SPA

dan.woda · October 24, 2019, 11:42pm

Hi @grf,

Welcome to the Auth0 Community Forum!

Do you need the access token on your client side? If not, you can store it securely in your backend. Could you describe your case more if this does not solve it.

Hope this helps!

Thanks,
Dan

grf · October 25, 2019, 2:59pm

I can do it entirely on the back end if need be. All i need is a way to authenticate a logged in user is attempting to access a specific endpoint.

ie. Say i have an api endpoint on my express app that returns a json string of item information like serial number, weight, etc. and I only want the users of the site to be able to see this/use this endpoint. What should i do to protect this endpoint, and still only send the json.

dan.woda · October 29, 2019, 6:41pm

If you are making requests to the endpoint from a client side app like a spa, then you will want to handle authentication from the spa. Otherwise, the backend will make the requests securely by sending the token.

This doc is helpful if you aren’t sure where your applications fit in:

Generally, if you are making requests to an api from the front end, you are using a spa + api and need to request tokens there. If you are using templates to generate web pages from the back end, then you will not need tokens client side.

dan.woda · November 12, 2019, 10:41pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Registration flow NodeJS backend and react native frontend Help jwt , auth0 , api	0	3308	July 22, 2020
Token exchange happens before my callback attempts the exchange JWT.io jwt , auth0 , node , nodejs , login	2	4441	August 26, 2019
Implementing Auth0 using JWT Token only JWT.io jwt	2	1266	January 17, 2023
Best Practice approach to Auth0 Refresh Token within a Express Node app Help jwt , auth0 , refresh-tokens , refresh_token	2	4514	December 25, 2018
Store Auth0 JWT in httpOnly cookie Help jwt-security , api , client , cookie	8	14597	March 24, 2020

How to save JWT token recieved from auth0 login securely (nodejs express)

Related Topics