Auth0身份验证实施指南：安全最佳实践、PKCE流程与令牌管理

auth0-authentication by mindrally/skills

107 周安装量

43 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/mindrally/skills --skill auth0-authentication

云服务 API 安全

🇨🇳中文介绍

Auth0 身份验证

您是 Auth0 身份验证实施方面的专家。在任何项目中使用 Auth0 时，请遵循以下指南。

核心原则

所有 Auth0 通信和回调始终使用 HTTPS
将敏感配置（客户端密钥、API 密钥）存储在环境变量中，切勿存储在代码中
为所有身份验证流程实施适当的错误处理
遵循最小权限原则来分配作用域和权限

环境变量

# Required Auth0 Configuration
AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_CLIENT_ID=your-client-id
AUTH0_CLIENT_SECRET=your-client-secret
AUTH0_AUDIENCE=your-api-audience
AUTH0_CALLBACK_URL=https://your-app.com/callback
AUTH0_LOGOUT_URL=https://your-app.com

身份验证流程

带有 PKCE 的授权码流程（推荐用于 SPA 和原生应用）

对于公共客户端，始终使用 PKCE：

import { Auth0Client } from '@auth0/auth0-spa-js';

const auth0 = new Auth0Client({
  domain: process.env.AUTH0_DOMAIN,
  clientId: process.env.AUTH0_CLIENT_ID,
  authorizationParams: {
    redirect_uri: window.location.origin,
    audience: process.env.AUTH0_AUDIENCE,
  },
  cacheLocation: 'localstorage', // 使用 'memory' 以获得更高的安全性
  useRefreshTokens: true,
});

授权码流程（服务器端应用）

// Express.js 示例
const { auth } = require('express-openid-connect');

app.use(
  auth({
    authRequired: false,
    auth0Logout: true,
    secret: process.env.AUTH0_SECRET,
    baseURL: process.env.BASE_URL,
    clientID: process.env.AUTH0_CLIENT_ID,
    issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}`,
  })
);

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Auth0 Actions 最佳实践

Actions 已取代 Rules。请遵循以下指南：

exports.onExecutePostLogin = async (event, api) => {
  // 1. 为提高效率，尽早返回
  if (!event.user.email_verified) {
    api.access.deny('Please verify your email before logging in.');
    return;
  }

  // 2. 对敏感数据使用 secrets（在 Auth0 仪表板中配置）
  const apiKey = event.secrets.EXTERNAL_API_KEY;

  // 3. 尽量减少外部调用 - 它们会影响登录延迟
  // 4. 切勿记录敏感信息
  console.log(`User logged in: ${event.user.user_id}`);

  // 5. 谨慎添加自定义声明
  api.idToken.setCustomClaim('https://myapp.com/roles', event.authorization?.roles || []);
  api.accessToken.setCustomClaim('https://myapp.com/roles', event.authorization?.roles || []);
};

将密钥存储在 Action Secrets 中，切勿硬编码
限制发送到外部服务的数据 - 切勿发送整个事件对象
为外部 API 调用设置较短的超时时间（默认限制为 20 秒）
实施适当的错误处理，以避免身份验证失败

访问令牌最佳实践

// 始终在服务器端验证令牌
const { auth, requiredScopes } = require('express-oauth2-jwt-bearer');

const checkJwt = auth({
  audience: process.env.AUTH0_AUDIENCE,
  issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}/`,
  tokenSigningAlg: 'RS256',
});

// 要求特定作用域
const checkScopes = requiredScopes('read:messages');

app.get('/api/private-scoped', checkJwt, checkScopes, (req, res) => {
  res.json({ message: 'Protected resource' });
});

启用刷新令牌轮换
设置适当的令牌生命周期（访问令牌：最长 1 小时，刷新令牌：基于风险）
在客户端实现自动令牌刷新

// 状态参数由 Auth0 SDK 自动处理
// 对于自定义实现，始终验证状态参数
const state = generateSecureRandomString();
sessionStorage.setItem('auth0_state', state);

重定向 URI 安全

在 Auth0 仪表板中将所有重定向 URI 加入白名单
对重定向 URI 使用精确的字符串匹配
在生产环境中切勿使用通配符重定向 URI

// 实施会话超时
const sessionConfig = {
  absoluteDuration: 86400, // 24 小时
  inactivityDuration: 3600, // 1 小时不活动
};

多因素身份验证

// 对敏感操作强制执行 MFA
exports.onExecutePostLogin = async (event, api) => {
  // 检查 MFA 是否已完成
  if (!event.authentication?.methods?.find(m => m.name === 'mfa')) {
    // 触发 MFA 质询
    api.authentication.challengeWithAny([
      { type: 'otp' },
      { type: 'push-notification' },
    ]);
  }
};

try {
  await auth0.loginWithRedirect();
} catch (error) {
  if (error.error === 'access_denied') {
    // 用户拒绝访问或电子邮件未验证
    handleAccessDenied(error);
  } else if (error.error === 'login_required') {
    // 会话已过期
    handleSessionExpired();
  } else {
    // 通用错误处理
    console.error('Authentication error:', error.message);
    showUserFriendlyError();
  }
}

Auth0 提供了一个用于 AI 辅助开发的 MCP 服务器：

# 为 Cursor 初始化 Auth0 MCP 服务器
npx @auth0/auth0-mcp-server init --client cursor

这使您可以在 IDE 内进行自然语言的 Auth0 管理操作。

使用 Auth0 的测试用户进行开发
为身份验证流程实施集成测试
测试令牌过期和刷新场景
在暂存环境中验证 MFA 流程

应避免的常见反模式

在不考虑 XSS 风险的情况下将令牌存储在 localStorage 中
未在服务器端验证令牌
使用隐式流程（已弃用）
在前端代码中硬编码客户端密钥
未实施适当的注销（本地和 Auth0 会话）
在 API 调用中忽略令牌过期
在用户元数据中存储过多数据

2026 年 1 月 25 日

🇺🇸English

Auth0 Authentication

You are an expert in Auth0 authentication implementation. Follow these guidelines when working with Auth0 in any project.

Core Principles

Always use HTTPS for all Auth0 communications and callbacks
Store sensitive configuration (client secrets, API keys) in environment variables, never in code
Implement proper error handling for all authentication flows
Follow the principle of least privilege for scopes and permissions

Environment Variables

# Required Auth0 Configuration
AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_CLIENT_ID=your-client-id
AUTH0_CLIENT_SECRET=your-client-secret
AUTH0_AUDIENCE=your-api-audience
AUTH0_CALLBACK_URL=https://your-app.com/callback
AUTH0_LOGOUT_URL=https://your-app.com

Authentication Flows

Authorization Code Flow with PKCE (Recommended for SPAs and Native Apps)

Always use PKCE for public clients:

import { Auth0Client } from '@auth0/auth0-spa-js';

const auth0 = new Auth0Client({
  domain: process.env.AUTH0_DOMAIN,
  clientId: process.env.AUTH0_CLIENT_ID,
  authorizationParams: {
    redirect_uri: window.location.origin,
    audience: process.env.AUTH0_AUDIENCE,
  },
  cacheLocation: 'localstorage', // Use 'memory' for higher security
  useRefreshTokens: true,
});

Authorization Code Flow (Server-Side Applications)

// Express.js example
const { auth } = require('express-openid-connect');

app.use(
  auth({
    authRequired: false,
    auth0Logout: true,
    secret: process.env.AUTH0_SECRET,
    baseURL: process.env.BASE_URL,
    clientID: process.env.AUTH0_CLIENT_ID,
    issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}`,
  })
);

Auth0 Actions Best Practices

Actions have replaced Rules. Follow these guidelines:

Action Structure

exports.onExecutePostLogin = async (event, api) => {
  // 1. Early returns for efficiency
  if (!event.user.email_verified) {
    api.access.deny('Please verify your email before logging in.');
    return;
  }

  // 2. Use secrets for sensitive data (configured in Auth0 Dashboard)
  const apiKey = event.secrets.EXTERNAL_API_KEY;

  // 3. Minimize external calls - they affect login latency
  // 4. Never log sensitive information
  console.log(`User logged in: ${event.user.user_id}`);

  // 5. Add custom claims sparingly
  api.idToken.setCustomClaim('https://myapp.com/roles', event.authorization?.roles || []);
  api.accessToken.setCustomClaim('https://myapp.com/roles', event.authorization?.roles || []);
};

Action Security Rules

Store secrets in Action Secrets, never hardcode them
Limit the data sent to external services - never send the entire event object
Use short timeouts for external API calls (default 20-second limit)
Implement proper error handling to avoid authentication failures

Token Management

Access Token Best Practices

// Always validate tokens server-side
const { auth, requiredScopes } = require('express-oauth2-jwt-bearer');

const checkJwt = auth({
  audience: process.env.AUTH0_AUDIENCE,
  issuerBaseURL: `https://${process.env.AUTH0_DOMAIN}/`,
  tokenSigningAlg: 'RS256',
});

// Require specific scopes
const checkScopes = requiredScopes('read:messages');

app.get('/api/private-scoped', checkJwt, checkScopes, (req, res) => {
  res.json({ message: 'Protected resource' });
});

Refresh Token Configuration

Enable refresh token rotation
Set appropriate token lifetimes (access tokens: 1 hour max, refresh tokens: based on risk)
Implement automatic token refresh in your client

Security Best Practices

CSRF Protection

// State parameter is automatically handled by Auth0 SDKs
// For custom implementations, always validate the state parameter
const state = generateSecureRandomString();
sessionStorage.setItem('auth0_state', state);

Redirect URI Security

Whitelist all redirect URIs in Auth0 Dashboard
Use exact string matching for redirect URIs
Never use wildcard redirect URIs in production

Session Management

// Implement session timeouts
const sessionConfig = {
  absoluteDuration: 86400, // 24 hours
  inactivityDuration: 3600, // 1 hour of inactivity
};

Multi-Factor Authentication

// Enforce MFA for sensitive operations
exports.onExecutePostLogin = async (event, api) => {
  // Check if MFA has been completed
  if (!event.authentication?.methods?.find(m => m.name === 'mfa')) {
    // Trigger MFA challenge
    api.authentication.challengeWithAny([
      { type: 'otp' },
      { type: 'push-notification' },
    ]);
  }
};

Error Handling

try {
  await auth0.loginWithRedirect();
} catch (error) {
  if (error.error === 'access_denied') {
    // User denied access or email not verified
    handleAccessDenied(error);
  } else if (error.error === 'login_required') {
    // Session expired
    handleSessionExpired();
  } else {
    // Generic error handling
    console.error('Authentication error:', error.message);
    showUserFriendlyError();
  }
}

MCP Integration

Auth0 provides an MCP server for AI-assisted development:

# Initialize Auth0 MCP server for Cursor
npx @auth0/auth0-mcp-server init --client cursor

This enables natural language Auth0 management operations within your IDE.

Testing

Use Auth0's test users for development
Implement integration tests for authentication flows
Test token expiration and refresh scenarios
Verify MFA flows in staging environments

Common Anti-Patterns to Avoid

Storing tokens in localStorage without considering XSS risks
Not validating tokens on the server side
Using the implicit flow (deprecated)
Hardcoding client secrets in frontend code
Not implementing proper logout (both local and Auth0 session)
Ignoring token expiration in API calls
Storing too much data in user metadata

Weekly Installs

107

Repository

mindrally/skills

GitHub Stars

First Seen

Jan 25, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

gemini-cli89

opencode89

codex85

cursor81

claude-code80

github-copilot80

Azure 升级评估与自动化工具 - 轻松迁移 Functions 计划、托管层级和 SKU

96,200 周安装