OpenSkillIndex← back to search
claude-code

Awesome-omni-skill auth0-express

Use when adding authentication to Express.js server-rendered web applications with session management - integrates express-openid-connect for traditional web apps

install
source · Clone the upstream repo
git clone https://github.com/diegosouzapw/awesome-omni-skill
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/diegosouzapw/awesome-omni-skill "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/development/auth0-express-auth0" ~/.claude/skills/diegosouzapw-awesome-omni-skill-auth0-express-146a49 && rm -rf "$T"
manifest: skills/development/auth0-express-auth0/SKILL.md
source content

Auth0 Express Integration

Add authentication to Express.js web applications using express-openid-connect.

Prerequisites

  • Express.js application
  • Auth0 account and application configured
  • If you don't have Auth0 set up yet, use the 
    auth0-quickstart
    skill first

When NOT to Use

  • Single Page Applications - Use 
    auth0-react
    , 
    auth0-vue
    , or 
    auth0-angular
    for client-side auth
  • Next.js applications - Use 
    auth0-nextjs
    skill which handles both client and server
  • Mobile applications - Use 
    auth0-react-native
    for React Native/Expo
  • Stateless APIs - Use JWT validation middleware instead of session-based auth
  • Microservices - Use JWT validation for service-to-service auth

Quick Start Workflow

1. Install SDK

npm install express-openid-connect dotenv

2. Configure Environment

For automated setup with Auth0 CLI, see Setup Guide for complete scripts.

For manual setup:

Create 

.env
:

SECRET=<openssl-rand-hex-32>
BASE_URL=http://localhost:3000
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
ISSUER_BASE_URL=https://your-tenant.auth0.com

Generate secret: 

openssl rand -hex 32

3. Configure Auth Middleware

Update your Express app (

app.js
or 
index.js
):

require('dotenv').config();
const express = require('express');
const { auth, requiresAuth } = require('express-openid-connect');

const app = express();

// Configure Auth0 middleware
app.use(auth({
  authRequired: false,  // Don't require auth for all routes
  auth0Logout: true,    // Enable logout endpoint
  secret: process.env.SECRET,
  baseURL: process.env.BASE_URL,
  clientID: process.env.CLIENT_ID,
  issuerBaseURL: process.env.ISSUER_BASE_URL,
  clientSecret: process.env.CLIENT_SECRET
}));

app.listen(3000, () => {
  console.log('Server running on http://localhost:3000');
});

This automatically creates:

  • /login
    - Login endpoint
  • /logout
    - Logout endpoint
  • /callback
    - OAuth callback

4. Add Routes

// Public route
app.get('/', (req, res) => {
  res.send(req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out');
});

// Protected route
app.get('/profile', requiresAuth(), (req, res) => {
  res.send(`
    <h1>Profile</h1>
    <p>Name: ${req.oidc.user.name}</p>
    <p>Email: ${req.oidc.user.email}</p>
    <pre>${JSON.stringify(req.oidc.user, null, 2)}</pre>
    <a href="/logout">Logout</a>
  `);
});

// Login/logout links
app.get('/', (req, res) => {
  res.send(`
    ${req.oidc.isAuthenticated() ? `
      <p>Welcome, ${req.oidc.user.name}!</p>
      <a href="/profile">Profile</a>
      <a href="/logout">Logout</a>
    ` : `
      <a href="/login">Login</a>
    `}
  `);
});

5. Test Authentication

Start your server:

node app.js

Visit 

http://localhost:3000
and test the login flow.

Detailed Documentation

  • Setup Guide - Automated setup scripts, environment configuration, Auth0 CLI usage
  • Integration Guide - Protected routes, sessions, API integration, error handling
  • API Reference - Complete middleware API, configuration options, request properties

Common Mistakes

MistakeFix
Forgot to add callback URL in Auth0 DashboardAdd 
/callback
path to Allowed Callback URLs (e.g., 
http://localhost:3000/callback
)
Missing or weak SECRETGenerate secure secret with 
openssl rand -hex 32
and store in .env as 
SECRET
Setting authRequired: true globallySet to false and use 
requiresAuth()
middleware on specific routes
App created as SPA type in Auth0Must be Regular Web Application type for server-side auth
Session secret exposed in codeAlways use environment variables, never hardcode secrets
Wrong baseURL for productionUpdate BASE_URL to match your production domain
Not handling logout returnToAdd your domain to Allowed Logout URLs in Auth0 Dashboard

Related Skills

  • auth0-quickstart
    - Basic Auth0 setup
  • auth0-migration
    - Migrate from another auth provider
  • auth0-mfa
    - Add Multi-Factor Authentication

Quick Reference

Middleware Options:

  • authRequired
    - Require auth for all routes (default: false)
  • auth0Logout
    - Enable /logout endpoint (default: false)
  • secret
    - Session secret (required)
  • baseURL
    - Application URL (required)
  • clientID
    - Auth0 client ID (required)
  • issuerBaseURL
    - Auth0 tenant URL (required)

Request Properties:

  • req.oidc.isAuthenticated()
    - Check if user is logged in
  • req.oidc.user
    - User profile object
  • req.oidc.accessToken
    - Access token for API calls
  • req.oidc.idToken
    - ID token
  • req.oidc.refreshToken
    - Refresh token

Common Use Cases:

  • Protected routes → Use 
    requiresAuth()
    middleware (see Step 4)
  • Check auth status → 
    req.oidc.isAuthenticated()
  • Get user info → 
    req.oidc.user
  • Call APIs → Integration Guide

References