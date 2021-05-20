About the author Systems engineer from Buenos Aires, Argentina, with 15+ years of experience in software development. Full Stack developer. Auth0 ambassador. GitKraken… More about Facundo ↬

Once our verification and authorization are added to our web applications, there are a few things we need to evaluate, such as whether we need to create our own security platform and whether we can rely on an existing third-party service. Let’s see how we can implement authentication and authorization in Next.js applications with Auth0.

“Authentication” is the act of confirming that a user is who he or she claims to be. We usually do this by implementing a credential system, such as user / password, security questions or even face recognition.

“Authorization” determines what a user can (or can not) do. If we are to handle authentication and authorization in our web application, we need a security platform or module. We can develop, implement and maintain our own platform. Or we can use existing authentication and authorization platforms in the market that are offered as services.

When considering whether it’s better for us to create our own platform, or to use a third party service, there are a few things to consider:

Designing and creating authentication services is not our core skill. There are people who are specially focused on security topics that can create better and safer platforms than us;

We can save time by relying on an existing authentication platform and devoting value to the products and services we care about;

We do not store sensitive information in our databases. We separate it from all the data involved in our applications;

The tools that third-party services offer have improved usability and performance, making it easier for us to manage the users of our application.

Taking these factors into account, we can say that relying on third-party authentication platforms can be easier, cheaper, and even more secure than creating our own security module.

In this article we will see how you can implement authentication and authorization in our Next.js applications using one of the existing products in the market: Auth0.

What is Auth0?

It allows you to add security to applications developed using any programming language or technology.

“Auth0 is a flexible inlet solution to add authentication and authorization services to your applications.” – In Arias, auth0.com

Auth0 has several interesting features, such as:

Single sign-on : Once you log in to an application that uses Auth0, you do not have to re-enter your credentials when you enter another one that also uses it. You will be automatically logged in to everyone;

: Once you log in to an application that uses Auth0, you do not have to re-enter your credentials when you enter another one that also uses it. You will be automatically logged in to everyone; Social login : Verify using your preferred social networking profile;

: Verify using your preferred social networking profile; Multifactor authentication ;

; Several standard protocols allowed, such as OpenID Connect, JSON Web Token or OAuth 2.0;

allowed, such as OpenID Connect, JSON Web Token or OAuth 2.0; Reporting and analysis tools.

There is a free plan you can use to secure your web applications, covering up to 7000 monthly active users. You will start paying as the number of users increases.

Another cool thing about Auth0 is that we have a Next.js SDK available to use in our app. With this library, created specifically for Next.js, we can easily connect to the Auth0 API.

Auth0 SDK for Next.js

As we mentioned before, Auth0 has created (and maintains) a Next.js-focused SDK, including SDKs that are available to connect to the API using different programming languages. We just need the NPM package, set up some details about our Auth0 account and connection, and we’re off to a good start.

This SDK provides tools to implement authentication and authorization using both client and server-side methods, using API routes at the back and React Context with React Hooks at the front.

Let’s see how some of these work in an example of the Next.js application.

Example Next.js app using Auth0

Let’s go back to our previous video platform example and create a small app to show you how to use Auth0 Next.js SDK. We will set up Auth0’s universal login. We’ll have some YouTube video URLs. They will be hidden under an authentication platform. Only registered users can see the list of videos through our web application.

please note: This article focuses on setting up and using Auth0 in your Next.js application. We will not include details such as CSS styling or database usage. If you want to see the full code of the sample program, you can go to this GitHub repository.

Create Auth0 account and set app details

First, we need to create an Auth0 account using the Sign in page.

Let’s then go to the Auth0 Dashboard. Go to Applications and create a new app of the type [“Regular Web Applications”].

Let’s now go to the Institutions page of the application and under the Application URIs section, set the following details and save the changes:

Allowed callback URLs : add http://localhost:3000/api/auth/callback

: add Allowed unsubscribe URLs: add http://localhost:3000/

By doing so, we set the URL to which we want to redirect users after logging in to our site (Callback), and the URL to which we redirect users after logging out (Logout). We need to add the production URLs when we implement the final version of our program on the hosting server.

Auth0 Dashboard has many configurations and customizations that we can apply to our projects. We can change the type of authentication we use, the login / login page, the data we request for the users, enable / disable new registrations, configure users’ databases, and so on.

Create Next.js program

We will use it to create a brand new Next.js app create-next-app, which automatically configures everything for you. Start creating the project:

npx create-next-app [name-of-the-app]

Or

yarn create next-app [name-of-the-app]

Navigate to the new folder you created to launch the Developer Server locally and see the site just created in your browser:

cd [name-of-the-app]

And run:

npm run dev

Or

yarn dev

Install and configure the Auth0 Next.js SDK

Let’s install the Auth0 Next.js SDK in our app:

npm install @auth0/nextjs-auth0

Or

yarn add @auth0/nextjs-auth0

Let’s now add these variables to our env.local file (or the environment variable menu of our hosting platform):

AUTH0_SECRET="[A 32 characters secret used to encrypt the cookies]" AUTH0_BASE_URL="http://localhost:3000" AUTH0_ISSUER_BASE_URL="https://[Your tenant domain. Can be found in the Auth0 dashboard under settings]" AUTH0_CLIENT_ID="[Can be found in the Auth0 dashboard under settings]" AUTH0_CLIENT_SECRET="[Can be found in the Auth0 dashboard under settings]"

If you want more configuration options, you can do so look at the documents.

Create the Dynamic API route

Next.js provides a way to create serverless APIs: API routes. With this feature we can create code that will be executed in each user request to our routes. We can define fixed routes, such as /api/index.js . But we can also have dynamic API routes, with params that we can use in our API route code, such as /api/blog/[postId].js .

Let’s create the file /pages/api/auth/[...auth0].js , which will be a dynamic API route. Let us import the file into the file handleAuth method from the Auth0 SDK, and execute the result:

import { handleAuth } from '@auth0/nextjs-auth0'; export default handleAuth();

It will create and manage the following routes:

/api/auth/login To log in or log in to Auth0.

To log in or log in to Auth0. /api/auth/logout To log out the user.

To log out the user. /api/auth/callback To redirect the user to a successful login.

To redirect the user to a successful login. /api/auth/me To get the user profile information.

And this is the server side of our app. If we want to sign in to our application or sign up for a new account, we need to visit it http://localhost:3000/api/auth/login . We need to add a link to the route in our app. Same if you unsubscribe from our website: Add a link http://localhost:3000/api/auth/logout .

Add the UserProvider component

To manage the status of user authentication in front of our web application, we can use UserProvider Responding component, available on Auth0 Next.js SDK. use the component Respond context intern.

If you want to access the user authentication state on a component, you must do so with a UserProvider component.

<UserProvider> <Component {...props} /> </UserProvider>

If we want to access all the pages in our application, we need to add the component to the pages/_app.js file. pages/_app.js the React dominates App component. This is a feature that exposes Next.js to customize our application. You can read more about it here.

import React from 'react'; import { UserProvider } from '@auth0/nextjs-auth0'; export default function App({ Component, pageProps }) { return ( <UserProvider> <Component {...pageProps} /> </UserProvider> ); }

We have a React hook useUser access to the authentication state provided by UserProvider . We can use it, for example, to create a kind of welcome page. Let’s change the code of the pages/index.js file:

import { useUser } from "@auth0/nextjs-auth0"; export default () => { const { user, error, isLoading } = useUser(); if (isLoading) return <div>Loading...</div>; if (error) return <div>{error.message}</div>; if (user) { return ( <div> <h2>{user.name}</h2> <p>{user.email}</p> <a href="https://smashingmagazine.com/api/auth/logout">Logout</a> </div> ); } return <a href="http://smashingmagazine.com/api/auth/login">Login</a>; };

The user object contains information related to the user’s identity. If the person visiting the page is not logged in (we do not have a user object available), we will display a link to the login page. If the user has already been verified, we will display it user.name and user.email properties on the page, and a sign-out link.

Let’s create a videos.js file with a list of three YouTube video URLs that are only visible to registered people. We will use it to log in users who see this page only withPageAuthRequired method from the SDK.

import { withPageAuthRequired } from "@auth0/nextjs-auth0"; export default () => { return ( <div> <a href="https://www.youtube.com/watch?v=5qap5aO4i9A">LoFi Music</a> <a href="https://www.youtube.com/watch?v=fEvM-OUbaKs">Jazz Music</a> <a href="https://www.youtube.com/watch?v=XULUBg_ZcAU">Piano Music</a> </div> ); }; export const getServerSideProps = withPageAuthRequired();

Please note that our web application allows any person to sign up for an account using the Auth0 platform. The user can also reuse an existing Auth0 account as we implement Universal Login.

We may set up our own registration page to request more information about the user, or add payment information to pay them monthly for our service. We may also use the methods exposed in the SDK to handle authorization automatically.

Closure

In this article, we looked at how to secure Next.js applications using Auth0, an authentication and authorization platform. We evaluate the benefits of using a third-party service for verifying our web applications compared to creating our own security platform. We created an example of Next.js app and secured it using Auth0 free plan and Auth0 Next.js SDK.

If you want to implement an Auth0 sample application after Vercel, you can do it here.

