ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auth0 Express

v1.0.0

Use when adding authentication (login, logout, protected routes) to Express.js web applications - integrates express-openid-connect for session-based auth.

0· 94· 1 versions· 0 current· 0 all-time· Updated 10h ago· MIT-0
by@auth0

Security Scans

VirusTotalBenignClawScanBenignStatic analysisSuspicious

Install

openclaw skills install auth0-express

Auth0 Express Integration

Add authentication to Express.js web applications using express-openid-connect.

Prerequisites

  • Express.js application
  • Auth0 account and application configured
  • If you don't have Auth0 set up yet, use the auth0-quickstart skill first

When NOT to Use

  • Single Page Applications - Use auth0-react, auth0-vue, or auth0-angular for client-side auth
  • Next.js applications - Use auth0-nextjs skill which handles both client and server
  • Mobile applications - Use auth0-react-native for React Native/Expo
  • Stateless APIs - Use JWT validation middleware instead of session-based auth
  • Microservices - Use JWT validation for service-to-service auth

Quick Start Workflow

1. Install SDK

npm install express-openid-connect dotenv

2. Configure Environment

For automated setup with Auth0 CLI, see Setup Guide for complete scripts.

For manual setup:

Create .env:

SECRET=<openssl-rand-hex-32>
BASE_URL=http://localhost:3000
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
ISSUER_BASE_URL=https://your-tenant.auth0.com

Generate secret: openssl rand -hex 32

3. Configure Auth Middleware

Update your Express app (app.js or index.js):

require('dotenv').config();
const express = require('express');
const { auth, requiresAuth } = require('express-openid-connect');

const app = express();

// Configure Auth0 middleware
app.use(auth({
  authRequired: false,  // Don't require auth for all routes
  auth0Logout: true,    // Enable logout endpoint
  secret: process.env.SECRET,
  baseURL: process.env.BASE_URL,
  clientID: process.env.CLIENT_ID,
  issuerBaseURL: process.env.ISSUER_BASE_URL,
  clientSecret: process.env.CLIENT_SECRET
}));

app.listen(3000, () => {
  console.log('Server running on http://localhost:3000');
});

This automatically creates:

  • /login - Login endpoint
  • /logout - Logout endpoint
  • /callback - OAuth callback

4. Add Routes

// Public route
app.get('/', (req, res) => {
  res.send(req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out');
});

// Protected route
app.get('/profile', requiresAuth(), (req, res) => {
  res.send(`
    <h1>Profile</h1>
    <p>Name: ${req.oidc.user.name}</p>
    <p>Email: ${req.oidc.user.email}</p>
    <pre>${JSON.stringify(req.oidc.user, null, 2)}</pre>
    <a href="/logout">Logout</a>
  `);
});

// Login/logout links
app.get('/', (req, res) => {
  res.send(`
    ${req.oidc.isAuthenticated() ? `
      <p>Welcome, ${req.oidc.user.name}!</p>
      <a href="/profile">Profile</a>
      <a href="/logout">Logout</a>
    ` : `
      <a href="/login">Login</a>
    `}
  `);
});

5. Test Authentication

Start your server:

node app.js

Visit http://localhost:3000 and test the login flow.

Detailed Documentation

  • Setup Guide - Automated setup scripts, environment configuration, Auth0 CLI usage
  • Integration Guide - Protected routes, sessions, API integration, error handling
  • API Reference - Complete middleware API, configuration options, request properties

Common Mistakes

MistakeFix
Forgot to add callback URL in Auth0 DashboardAdd /callback path to Allowed Callback URLs (e.g., http://localhost:3000/callback)
Missing or weak SECRETGenerate secure secret with openssl rand -hex 32 and store in .env as SECRET
Setting authRequired: true globallySet to false and use requiresAuth() middleware on specific routes
App created as SPA type in Auth0Must be Regular Web Application type for server-side auth
Session secret exposed in codeAlways use environment variables, never hardcode secrets
Wrong baseURL for productionUpdate BASE_URL to match your production domain
Not handling logout returnToAdd your domain to Allowed Logout URLs in Auth0 Dashboard

Related Skills

  • auth0-quickstart - Basic Auth0 setup
  • auth0-migration - Migrate from another auth provider
  • auth0-mfa - Add Multi-Factor Authentication

Quick Reference

Middleware Options:

  • authRequired - Require auth for all routes (default: false)
  • auth0Logout - Enable /logout endpoint (default: false)
  • secret - Session secret (required)
  • baseURL - Application URL (required)
  • clientID - Auth0 client ID (required)
  • issuerBaseURL - Auth0 tenant URL (required)

Request Properties:

  • req.oidc.isAuthenticated() - Check if user is logged in
  • req.oidc.user - User profile object
  • req.oidc.accessToken - Access token for API calls
  • req.oidc.idToken - ID token
  • req.oidc.refreshToken - Refresh token

Common Use Cases:

  • Protected routes → Use requiresAuth() middleware (see Step 4)
  • Check auth status → req.oidc.isAuthenticated()
  • Get user info → req.oidc.user
  • Call APIs → Integration Guide

References

Version tags

latestvk970ttvneh145062kvm30n8zbh84wcxg

Runtime requirements

🔐 Clawdis