β
This article was written in 2021, some of the content may be outdated when you read it.
Let's explore how we can integrate user authentication in a serverless Next.js app using Auth0 in a really simple way. We will be using a package called `@auth0/nextjs-auth0` which was built to support user authentication in Next.js using Auth0 and will get us up and running in no time.
One of my recent side projects was building a full-stack serverless Next.js e-commerce site. This site included user authentication and you may be thinking
> How does user authentication work in a serverless Next.js app?
Good question! Let's answer this by building a simple app that allows users to login/logout and visualize their profile data as a result π.
## Content
1. What is the authentication flow?
2. Finished app demo
3. Building our app!
* Initialize the project
* Auth0 setup
* Auth API route
* Auth Provider `_app.js`
* Home page
* `useUser()` hook
* Nav component
* AuthLink component
* Profile page
* Custom auth helpers
4. Conclusion
## What is the authentication flow?
Before we start writing any code I think it's important to understand what exactly we are trying to do and how authentication will work.
This article below will give you a fantastic overview of the approaches you can take to implement Auth0 authentication in a Next.js app.
[Auth0 - The Ultimate Guide to Next.js Authentication with Auth0](https://auth0.com/blog/ultimate-guide-nextjs-authentication-auth0/)
We are going to take the approach of a serverless application where we instead opt to use functions in our Next.js app that provide us with functionality like authentication when it's needed. We can use our serverless functions on a need-to-use basis as opposed to having a server that is constantly running.
Our application login flow will look something like this π
![Our login flow demonstrated in a flowchart](https://cdn.hashnode.com/res/hashnode/image/upload/v1622010873910/C7ESZrI6K.png align="left")
When the unauthenticated user clicks the login button they are redirected to the login form provided by Auth0. Then the user proceeds to login and when successful, is redirected back to our app at a destination of our choosing.
It is important to note that I will not be implementing any kind of persistent storage for users in this tutorial. We have no need for a database in a simple app like this and the authentication works nonetheless. Let me know if you want to see an article on integrating a database into the app π.
## Finished app demo
I thought it would be a good idea to include a quick demo of the finished app before we start so you can visualize what we are going to be building.
%[https://player.vimeo.com/video/557139230?width=1000&height=500]
The basic features of the app include:
* Home page that instructs the unauthenticated user to login
* Protected profile page populated with some of the authenticated user's data
* Profile page is a dynamic route `/profile/username`
* If an unauthenticated user visits profile page, they will be redirected to login page
* Offer logout option for authenticated users
If you want to check out the full repo for this project you can do so here π
[kieran6roberts/Blog-Next-Auth0](https://github.com/kieran6roberts/Blog-Next-Auth0)
## Building our app!
To handle our app's authentication we are going to use a package called `@auth0/nextjs-auth0`. This package was built to facilitate user authentication with Auth0 in a Next.js app. To use it you must satisfy the following conditions.
* Node.js version ^10.13.0 || >=12.0.0
* Next.js version >=10
### Initialize the project
We'll start this project from scratch so you can see exactly what it takes from start to finish. Start by initializing a Next.js app.
```markdown
npx create-next-app next-auth0
```
Now install the necessary packages for our app
```markdown
yarn add @auth0/nextjs-auth0 @emotion/react
```
* `@auth0/nextjs-auth0` - SDK for handling authentication in our app
* `@emotion/react` - Emotion CSS in JS react package for styling
I'll be using Emotion for styling in this app but you can use whatever you want, it's not important, is easily substituted, and there won't be much styling anyway.
### Auth0 setup
Before continuing with the code, we first need to set up a new application with Auth0 on their site. You can do so here [Sign Up - Auth0](https://auth0.com/signup?place=header&type=button&text=sign%20up) or simply login if you already have an account.
Then we are going to set up a new application in the Auth0 dashboard. Once you've logged in, navigate to the 'Applications' tab.
Click the 'Create Application' button and give the app a name. Here I name mine 'my-next-auth0'. Then select the 'Regular Web Application' option.
![Creating our app in the auth0 dashboard](https://cdn.hashnode.com/res/hashnode/image/upload/v1621680905988/woAAnE0mu.png align="left")
When prompted select 'Next.js' as the technology for the application. Auth0 recently had an update to their site and now offer some very helpful documentation on how to get started with Next.js and Auth0 authentication. This information is available in the 'Quick Start' tab of your application if you ever need any help.
![Auth0 application quick start tab with helpful guides](https://cdn.hashnode.com/res/hashnode/image/upload/v1621681300190/CtE9wLjP7.png align="left")
The next step is to configure some settings in our Auth0 application. Click on the 'Settings' tab and here we need to set two options.
1. Allowed Callback URLs - `http://localhost:3000/api/auth/callback`
2. Allowed Logout URLs - `http://localhost:3000/`
![Setting our auth0 application allowed callback URL and logout URL](https://cdn.hashnode.com/res/hashnode/image/upload/v1621857027732/JuXfBMlJw.png align="left")
You might choose to configure more settings depending on your app but this is enough for us. If you end up deploying the app then you would also want to come back in here and add your new URLs.
When we as a user have entered our login details successfully, Auth0 will need a destination to send the user. This is why we specify our API callback route so that our auth package can handle the redirect.
When the user hits the logout button, we also specify the url's that are valid for auth0 to redirect to for the logout case. Here it is `http://localhost:3000/`.
The package `@auth0/nextjs-auth0` also requires the following settings within the Auth0 app dashboard so make sure to check they are correct.
1. Json Web Token Signature Algorithm - RS256
2. OIDC Conformant - True
You can find those settings in your applications 'Advanced Settings - OAuth'.
![auth0 app dahsboard advanced settings](https://cdn.hashnode.com/res/hashnode/image/upload/v1621857158135/eukDwM4aY.png align="left")
Now that we have our settings in place we are going to need some constants in our Next.js app which we will store in environment variables. Create a `.env.local` file at the root of your app:
```markdown
// at the project root
touch .env.local
```
and add the following but replace the examples with your settings π
```markdown
AUTH0_BASE_URL={{Base URL of your site, probably http://localhost:3000 in development}}
AUTH0_ISSUER_BASE_URL={{https://your auth app domain found in dashboard}}
AUTH0_SECRET={{Some secret used to encrypt the session cookie}}
AUTH0_DOMAIN={{https://your auth app domain found in dashboard}}
AUTH0_CLIENT_ID={{Auth0 app client id found in dashboard}}
AUTH0_CLIENT_SECRET={{Auth0 app client secret in dashboard}}
AUTH0_SCOPE={{The scopes we want to give to our authorized users, here I will use 'openid profile'}}
```
Our auth package will pull the following information from your`.env.local` file so make sure you don't miss these out and that you also name them like this π.
It's up to you to locate the missing information from your dashboard and add it to the `.env.local` file and I've added a description for each variable to help you along. These settings should be secret to your app so don't go sharing them with anyone π.
For the `AUTH0_SECRET` variable you can generate a secure secret from the command line using:
```markdown
openssl rand -hex 32
```
### Auth API route
Now our application is created and our variables are setup we can start working on the authentication flow in our Next.js app.
To do this we are going to make use of Next.js API routes. If you need a quick introduction to these routes, check out my article here [Getting started with Next.js API routes](https://blog.kieranroberts.dev/getting-started-with-nextjs-api-routes).
We will need one API route to handle user authentication. Create the file `pages/api/auth/[...auth0].js`.
```markdown
// project root
touch pages/api/auth/[...auth0].js
```
Using this dynamic route will match all paths prefaced by `/api/auth/` meaning it will run whenever we hit one of our auth routes. The `handleAuth()` function which you are about to see will create the following routes for us seemingly by magic πͺ.
* `/api/auth/login`
* `/api/auth/callback`
* `/api/auth/logout`
* `/api/auth/me`
```markdown
import { handleAuth } from '@auth0/nextjs-auth0';
export default handleAuth();
```
We will explore how we can add some custom functionality to this later but for now that's all you need.
### Auth Provider`_app.js`
We can access the user on the client or on the server. To access the user on the client we must wrap our app in the `UserProvider` component provided by `@auth0/nextjs-auth0`.
In our app we are going to be accessing the user on the server. Despite this, I will add the provider to the app in case something changes and we need access to the user on the client.
Inside the `_app.js` page you should wrap the returned content with the provider.
```markdown
// _app.js
import { Global, css } from '@emotion/react';
import { UserProvider } from '@auth0/nextjs-auth0';
function MyApp({ Component, pageProps }) {
return (