nextjs-auth0 VS auth0-spa-js

How you want to typically manage Auth0 is by using one of their libraries, at least that's how I do so: i.e. with nextjs https://github.com/auth0/nextjs-auth0

The only option I found is this one https://github.com/auth0/nextjs-auth0 so, just wanted to know anyone else faced this and how they solved it.

For Nextjs, it’s different since the package used is @auth0/nextjs-auth0

Auth0’s Next.js SDK to handle the user authentication.

@auth0/nextjs-auth0 is a library for implementing user authentication in Next.js applications.

Check out documentation for more details @auth0/nextjs-auth0.

Hi, I am trying to implement an authentication flow using auth0 with the auth0/nextjs-auth0 library, everything works fine until test the application inside an IFrame.

As a part of this hackathon, I am using the popular authentication provider, Auth0 for user authentication on my application. Auth0 is great to get started (especially with their quickstarts) and has a quite generous free tier. The NextJS SDK provides all the basic features along with some advanced ones too and is quite easy to implement and use. There is a Universal Login Page which means one can get started quickly without the need of developing components for that (though you have the option to).

As we're using NextJS, we need to select regular web applications. After creating the application, we should redirect to its settings page. Scroll down and edit the application URL as shown below, then save your changes. You can check auth0 next.js documentation here.

Your message feels disingenuous and not in good-faith.

Auth0 clearly advises against the localStorage option which is most similar to Stytch's:

> _Important:_ This feature will allow the caching of data _such as ID and access tokens_ to be stored in local storage. Exercising this option changes the security characteristics of your application and _should not be used lightly._ Extra care should be taken to mitigate against XSS attacks and minimize the risk of tokens being stolen from local storage.

This is from the readme of the github you linked:

https://github.com/auth0/auth0-spa-js/tree/0de9c6bf61d37fc21...

And since their other client-only solutions have major UX challenges (as you highlight), I expect most Auth0 users have landed on the secure option.

This is very different from Stytch - which as far as I can tell - doesn't disclose or acknowledge the risk, and instead willingly puts developers at increased risk. Throughout this thread, you've been dismissive of the risk despite security organizations clearly indicating that HttpOnly is best-practice.

You've found a legitimate comparison in Firebase, but for me, you've taken several steps too far trying to compare to Auth0.

Auth0 provides the auth0-spa-js package which offers two ways to authenticate users:

Therefore, I have transformed the library [@auth0/auth0-spa-js](https://github.com/auth0/auth0-spa-js), which is another official Auth0 client library, to have an authentication hook and methods that can be accessible outside the components.

auth0-spa-js must run on a secure origin. See https://github.com/auth0/auth0-spa-js/blob/master/FAQ.md#why-do-i-get-auth0-spa-js-must-run-on-a-secure-origin for more information. 32 | it("renders a login button", () => { 33 | > 34 | const { getByText } = render( | ^ 35 | 36 | 37 |