How to save JWT token recieved from auth0 login securely (nodejs express)

grf · October 24, 2019, 3:11pm

am new to Auth0 and trying to implement it in my regular express web application. I need to protect/validate the user before they access some of my endpoints. My understanding is that i can do this with the JWT that is returned from the login callback. I have gotten that far, but when I login, it redirects, and I’m unsure of how to pass in the access token/store it securely on the client side.

this is what my callback endpoint looks like after logging in. It returns the authorization code but I am lost from here.

https://auth0.com/docs/api-auth/tutorials/authorization-code-grant

I return this on login:

/callback?code=oi9-ZTieXo0hYL6A&state=sMJAUK4QVs7jziJ7lXvwmGKF

// Perform the final stage of authentication and redirect to previously requested URL or '/user'
router.get('/callback', function (req, res, next) {     
  passport.authenticate('auth0', function (err, user, info) {
    if (err) { return next(err); }
    if (!user) { return res.redirect('/login'); }
    req.logIn(user, function (err) {
      if (err) { return next(err); }
      const returnTo = req.session.returnTo;
      delete req.session.returnTo;  
        res.redirect('/user);
    });
  })(req, res, next);
});

where do i go from here?

this is a regular web application, and cannot be an SPA

dan.woda · October 24, 2019, 11:42pm

Hi @grf,

Welcome to the Auth0 Community Forum!

Do you need the access token on your client side? If not, you can store it securely in your backend. Could you describe your case more if this does not solve it.

Hope this helps!

Thanks,
Dan

grf · October 25, 2019, 2:59pm

I can do it entirely on the back end if need be. All i need is a way to authenticate a logged in user is attempting to access a specific endpoint.

ie. Say i have an api endpoint on my express app that returns a json string of item information like serial number, weight, etc. and I only want the users of the site to be able to see this/use this endpoint. What should i do to protect this endpoint, and still only send the json.

dan.woda · October 29, 2019, 6:41pm

If you are making requests to the endpoint from a client side app like a spa, then you will want to handle authentication from the spa. Otherwise, the backend will make the requests securely by sending the token.

This doc is helpful if you aren’t sure where your applications fit in:

Generally, if you are making requests to an api from the front end, you are using a spa + api and need to request tokens there. If you are using templates to generate web pages from the back end, then you will not need tokens client side.

Topic		Replies	Views
Stateless JWT auth for Vuejs and Express App Get Help jwt , vuejs , express-jwt	2	4677	July 25, 2019
Is it possible to get a JWT via a backend server and pass it to the front end client? JWT.io	4	5409	February 14, 2020
Store Auth0 JWT in httpOnly cookie Get Help jwt-security , api , client , cookie	8	15729	March 24, 2020
How to authorize loggedin user from client on server side? Get Help jwt , auth0-spa-js	5	3259	April 4, 2021
Registration flow NodeJS backend and react native frontend Get Help jwt , auth0 , api	0	3366	July 22, 2020

How to save JWT token recieved from auth0 login securely (nodejs express)

Related topics