Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: Clearify how this package is supposed to do authz/authn on the client side. #57

Closed
ichtestemalwieder opened this issue Dec 17, 2019 · 3 comments
Labels
documentation Improvements or additions to documentation

Comments

@ichtestemalwieder
Copy link

ichtestemalwieder commented Dec 17, 2019

Description (Problem)

The library does not in any way state in the docs, how the package can be used for client side authorization or authentication, respectively that it is not suited for this use case.

As we all know, next is a framework also to be used for pure client-side js/navigation. The most voted next issue is about auth, and there is still not enough information about this topic, so people search for solutions (like this library).

As the cookie itself is only serverside: This means,

  • No way to show conditional content based on roles/scopes
  • No way to do authz on routes clientside
  • No checks on the timeout of a token (when a client is only doing client side nav/actions based on cached data)
  • In effect everyting regarding authz/authn needs to be delegated to the server, which imposes lots of overhead.

I am aware of that httpOnly Cookies are "more secure", but this kind of security is not required for all use-cases: A we all know there is the OICD implicit flow or Auth Code + PKCE, so it is a valide use-case to have client side tokens...

Please clarify these information in the docs very prominently, otherwise its a huge disappointement if one installs the package and then realizes that this package requires a complete different architecture for SPA (authz/authn is completely shifted to the server).

Furthermore it should be documented how then client side authz/authn should be implemented with examples. Thanks.

@erikdstock
Copy link

I've been looking at next.js this weekend and wondered the same thing, so I ported over my approach from gatsby-theme-auth0-ts. It appears to work here, but I'd like feedback from the team or anyone interested in kicking the tyres.

I used the auth0-js package instead of https://github.com/auth0/auth0-spa-js because again, I was reusing a previous approach.

Feedback appreciated as I don't want to go too far without getting this right!
https://github.com/erikdstock/nextjs-auth0-client-example

@sir-dunxalot
Copy link

sir-dunxalot commented Apr 1, 2020

Hi all. Any update on this? I use Auth0 because I'm not that familiar with the nuances of authentication and I'm worried my Next & Auth0 apps aren't correctly authenticated client-side.

Possible solutions include:

  • Adding a warning to documentation, if applicable, saying "Note: You must implement your own client-side auth using Auth0's JS library"
  • Pointing users to implement a second Auth0 library when ssr: false
  • Linking to an officially-endorsed implementation example

I understand this library is experimental but IMO the docs should still be clear about what the library does and doesn't do.

Edit: for now I'm following sandrinodimattia/nextjs-auth0-example.

@Widcket
Copy link
Contributor

Widcket commented Jan 16, 2021

Hi everyone, with the new v1.0.0-beta.0 release we have documented a way to use an access token from the frontend. However, keep in mind that it is less secure than proxying the requests through API routes, as the access token could be stolen via XSS.
Please read Comparison with auth0-react, as auth0-react might be a better fit for your projects if that's the primary way of fetching data in your applications.

@Widcket Widcket closed this as completed Jan 16, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation
Projects
None yet
Development

No branches or pull requests

5 participants