
docs: Clarify how this package is supposed to do authz/authn on the client side. #57

Closed
ichtestemalwieder opened this issue Dec 17, 2019 · 3 comments
Labels
documentation Improvements or additions to documentation

Comments

@ichtestemalwieder

ichtestemalwieder commented Dec 17, 2019

Description (Problem)

The library does not in any way state in the docs how the package can be used for client-side authorization or authentication, or, respectively, that it is not suited for this use case.

As we all know, Next is also a framework to be used for pure client-side JS/navigation. The most-voted Next issue is about auth, and there is still not enough information about this topic, so people search for solutions (like this library).

As the cookie itself is server-side only, this means:

  • No way to show conditional content based on roles/scopes
  • No way to do authz on routes client-side
  • No checks on the timeout of a token (when a client is only doing client-side nav/actions based on cached data)
  • In effect, everything regarding authz/authn needs to be delegated to the server, which imposes lots of overhead.

I am aware that httpOnly cookies are "more secure", but this kind of security is not required for all use cases: as we all know, there is the OIDC implicit flow or Auth Code + PKCE, so it is a valid use case to have client-side tokens...

Please clarify this information in the docs very prominently, otherwise it's a huge disappointment if one installs the package and then realizes that this package requires a completely different architecture for an SPA (authz/authn is completely shifted to the server).

Furthermore, it should be documented how client-side authz/authn should then be implemented, with examples. Thanks.

@erikdstock

I've been looking at next.js this weekend and wondered the same thing, so I ported over my approach from gatsby-theme-auth0-ts. It appears to work here, but I'd like feedback from the team or anyone interested in kicking the tyres.

I used the auth0-js package instead of https://github.com/auth0/auth0-spa-js because again, I was reusing a previous approach.

Feedback appreciated as I don't want to go too far without getting this right!
https://github.com/erikdstock/nextjs-auth0-client-example

@sir-dunxalot

sir-dunxalot commented Apr 1, 2020

Hi all. Any update on this? I use Auth0 because I'm not that familiar with the nuances of authentication and I'm worried my Next & Auth0 apps aren't correctly authenticated client-side.

Possible solutions include:

  • Adding a warning to documentation, if applicable, saying "Note: You must implement your own client-side auth using Auth0's JS library"
  • Pointing users to implement a second Auth0 library when ssr: false
  • Linking to an officially-endorsed implementation example

I understand this library is experimental but IMO the docs should still be clear about what the library does and doesn't do.

Edit: for now I'm following sandrinodimattia/nextjs-auth0-example.

@Widcket
Contributor

Widcket commented Jan 16, 2021

Hi everyone, with the new v1.0.0-beta.0 release we have documented a way to use an access token from the frontend. However, keep in mind that it is less secure than proxying the requests through API routes, as the access token could be stolen via XSS.
Please read Comparison with auth0-react, as auth0-react might be a better fit for your projects if that's the primary way of fetching data in your applications.
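The proxying pattern mentioned above, as an added example that is not part of this thread or of nextjs-auth0's own code: a framework-free handler in the shape of a Next.js API route that looks up the access token in a server-side session store and attaches it to the upstream call, so page script (and therefore an XSS payload) only ever sees an opaque httpOnly cookie. The session store, cookie name `appSession`, upstream host and `callUpstream` helper are all constructed for the example.

```javascript
// Constructed in-memory session store keyed by session id (hypothetical).
// In a real deployment this is whatever server-side session backing you use.
const SESSION_STORE = new Map([
  ['sess-abc', { accessToken: 'at-secret-123', expiresAt: 2000000 }],
]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Proxy handler. `req` carries { url, headers } like a Next.js API route request;
// `callUpstream(url, init)` performs the server-to-server request and returns
// { status, body }. `now` is injectable so expiry can be tested deterministically.
function proxyHandler(req, callUpstream, now = Date.now()) {
  const cookies = parseCookies(req.headers.cookie || '');
  const session = SESSION_STORE.get(cookies.appSession);
  if (!session) return { status: 401, body: { error: 'not_authenticated' } };
  if (session.expiresAt <= now) return { status: 401, body: { error: 'session_expired' } };

  // Strip the proxy prefix and forward to the real API with the bearer token.
  const upstreamUrl = 'https://api.example.invalid' + req.url.replace(/^\/api\/proxy/, '');
  const upstream = callUpstream(upstreamUrl, {
    headers: { authorization: `Bearer ${session.accessToken}` },
  });

  // Only the upstream status and body go back to the browser; the token never does.
  return { status: upstream.status, body: upstream.body };
}
```

From the page, the client simply calls `fetch('/api/proxy/items')` with credentials included; it never handles a bearer token, which is what removes the token-theft-via-XSS exposure the comment describes.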

@Widcket Widcket closed this as completed Jan 16, 2021
5 participants