Auth0
Last updated
Was this helpful?
Last updated
Was this helpful?
This guide explains how to configure Auth0 to obtain the necessary parameters for setting up oidc-spa
.
Navigate to Auth0 Dashboard.
In the left panel, go to Applications → Applications.
Click Create Application.
Select Single Page Application as the application type.
Navigate to the Settings tab to find the Domain and Client ID.
Scroll to the Application URIs section. Set two Allowed Callback URLs, ensure both URLs end with /
:
https://<APP_DOMAIN><BASE_URL>
http://localhost:<DEV_PORT><BASE_URL>
Parameters:
<APP_DOMAIN>: Examples: https://my-company.com or https://app.my-company.com. 🔹 For beter performances ensure <APP_DOMAIN> and <KC_DOMAIN> share the same root domain (my-company.com). See end of third party cookies.
<BASE_URL>: Examples: "/" or "/dashboard/".
<DEV_PORT>: Example: 5173 (default for Vite's dev server, adapt to your setup).
Allowed Logout URLs: Copy paste what you put into Allowed Callback URLs
Allowed Web Origins: The origins of the Callback URLs
Click Save Changes
If you need Auth0 to issue a JWT access token for your API, follow these steps:
Navigate to Auth0 Dashboard.
In the left panel, go to Applications → APIs.
Click Create API.
Configure the API:
Identifier: Ideally, use your API's root URL (e.g., https://myapp.my-company.com/api
). However, this is just an identifier, so any unique string works. It will be the aud claim of the access tokens issued. See the web API page for more info.
Click Save.
It is highly recommended to to ensure Auth0 is not treated as a third-party service by browsers.
By default, Auth0 does not issue a refresh token. If your access token expires and you haven't configured a custom domain, oidc-spa
will force reload your app to refresh the token, instead of doing it silently in the background.
Auth0 access tokens have a default validity of 24 hours, so if you don’t modify this setting, you won’t notice page reloads. However, if your app requires shorter expiration times for security reasons, a custom domain is necessary.
Navigate to the Auth0 Dashboard.
Click Settings in the left panel.
Open the Custom Domain tab.
Configure a custom domain (e.g., auth.my-company.com
).
See the end of third-party cookie page for more details.
Once configured, use your custom domain as the issuerUri
:
If you want users to be automatically logged out after a period of inactivity, follow these steps.
For security-critical applications like banking or admin dasboards users should:
Log in on every visit.
Be logged out after inactivity.
This prevents unauthorized access if a user steps away from their device.
For apps like social media or e-comerce shop on the other hand it's best not to enable auto logout.
Navigate to Auth0 Dashboard.
Click Settings in the left panel.
Open the Advanced tab.
Configure Session Expiration:
Idle Session Lifetime: 5 minutes
(300 seconds) – logs out inactive users.
Maximum Session Lifetime: 14 days
(20160 minutes) – ensures active users stay logged in.
Configure Access Token Lifetime:
Go to Applications → APIs.
Select your API (My App - API
or the name used earlier).
Open the Settings tab.
Under Access Token Settings:
Maximum Access Token Lifetime: 4 minutes
(240 seconds) – should be shorter than the Idle Session Lifetime.
Implicit/Hybrid Flow Access Token Lifetime: 4 minutes
– required to save settings, even if unused.
Click Save.
Since Auth0 does not issue refresh tokens (or issues non-JWT ones), inform oidc-spa
of your settings:
You can enhance user experience by displaying a countdown warning before logout:
To test your configuration: