Nextjs-auth0 async credentials and UserProvider

As far as I can tell the docs for nextjs-auth0 all involve adding a .env.local (see: Auth0 Next.js SDK Quickstarts: Login).

First question is, it would be good to confirm that the “secret” values are indeed secret - as in they should be treated as secrets, not exposed anywhere.

The second main question, assuming the answer above is “yes, these need to be treated as secrets not exposed anywhere and following best practices” is how should I be configuring the if these values are NOT stored in environment variables? Are there other options?

For context, the issue here is that I’m using this in a Next.js project hosted in AWS Lambda - I cannot put secrets in environment variables, and need to have them resolved at runtime. I have, basically, an async function getTheAuth0Sercrets() that will return these secrets for me, but again they aren’t available in process.env.

Any advice, wisdom, etc, would be much appreciated!

p.s. Just a bit of extra info for anybody who finds this googling, I’m using CDK to deploy, and using the custom layer implemented here to fetch (cached) SecureString values from Parameter Store / SSM.

Lambda, as of now, doesn’t allow you to feed Secrets directly into functions and have them resolved automatically, so you either have to store the Auth0 secrets as non-secrets to have them deployed in the environment, or you need to fetch them at runtime, which is the recommended approach as far as I am aware.

1 Like

I faced the same problem and reported a feature request for Next.js: Allow reading Auth0 client secret dynamically · Issue #1490 · auth0/nextjs-auth0 · GitHub

You can upvote it; hopefully it could be implemented in the next versions.

Thank you in advance,
Oleksii

1 Like
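
Added example, not part of the thread and not code from nextjs-auth0 or the linked layer: one way to wrap the runtime secret lookup the first post describes, so that concurrent requests in a warm Lambda share a single fetch, values expire after a TTL, and a failed fetch is never cached. `createSecretCache`, `fetchSecrets` and the key names `clientSecret` and `secret` are hypothetical; the fetcher is whatever async function returns the secrets (for example one that reads SecureString parameters).

```javascript
// Added example (not from the thread or the nextjs-auth0 project).
// fetchSecrets: caller-supplied async function (hypothetical name) that returns
// a plain object of secrets, e.g. read from SSM Parameter Store at runtime.
function createSecretCache(fetchSecrets, options = {}) {
  const { ttlMs = 300000, requiredKeys = [], now = Date.now } = options;
  let pending = null; // promise for the current fetch, shared by all callers
  let expiresAt = 0;  // time after which `pending` must be refreshed

  function get() {
    if (pending && now() < expiresAt) return pending;
    expiresAt = Infinity; // hold the slot while the fetch is in flight
    const attempt = new Promise((resolve) => resolve(fetchSecrets())).then((secrets) => {
      const missing = requiredKeys.filter((k) => !secrets || !secrets[k]);
      // Report key names only; secret values never go into error text or logs.
      if (missing.length) throw new Error("missing secret keys: " + missing.join(", "));
      if (pending === attempt) expiresAt = now() + ttlMs;
      return Object.freeze({ ...secrets });
    });
    pending = attempt;
    // A failed fetch is not cached: the next call retries instead of failing for ttlMs.
    attempt.catch(() => {
      if (pending === attempt) { pending = null; expiresAt = 0; }
    });
    return attempt;
  }

  return { get };
}

// Constructed demo: a fake fetcher stands in for the runtime secret store.
let demoFetches = 0;
const demoCache = createSecretCache(
  async () => {
    demoFetches += 1;
    return { clientSecret: "constructed-value", secret: "constructed-value" };
  },
  { requiredKeys: ["clientSecret", "secret"] }
);
Promise.all([demoCache.get(), demoCache.get()]).then(([loaded]) => {
  console.log("keys loaded:", Object.keys(loaded).join(", "), "| fetches:", demoFetches);
});
```

The resolved object stays in function memory only; nothing is copied into `process.env`, so the values do not show up in the Lambda configuration or in anything that dumps the environment.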