> ## Documentation Index
> Fetch the complete documentation index at: https://cubed3-feat-druid-driver-streaming.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate requests to Cube with Auth0

> Step-by-step Auth0 application and API setup, rules for enriching JWTs with claims, and Cube configuration for Auth0-issued tokens.

## Introduction

In this guide, you'll learn how to integrate Auth0 authentication with a Cube
deployment. If you already have a pre-existing application on Auth0 that you'd
like to re-use, please skip ahead to [Configure Cube][ref-config-auth0].

We'll be creating an Auth0 [application][link-auth0-docs-app] and
[API][link-auth0-docs-api], configuring a [rule on Auth0][link-auth0-docs-rules]
to add custom claims to vended JWTs, and finally configuring Cube to use Auth0.

## Create an application

First, go to the [Auth0 dashboard][link-auth0-app], and click on the
Applications menu option on the left and then click the Create Application
button.

<div style={{ textAlign: "center" }}>
  <img src="https://ucarecdn.com/628fe537-c596-4596-a0d8-d2b5cddd8315/" style={{ border: "none" }} width="80%" />
</div>

In the popup, set the name of your application and select Single Page Web
Applications.

<div style={{ textAlign: "center" }}>
  <img src="https://ucarecdn.com/699e7614-238e-41c8-b267-c07db21d964c/" style={{ border: "none" }} width="80%" />
</div>

Next, go to the application's settings and add the appropriate callback URLs for
your application (`http://localhost:4000` for the Developer Playground).

### Custom claims

You can also configure custom claims for your JWT token. Auth0 has two SDKs
available; [Auth0.js][link-auth0-js] and the [Auth0 SPA
SDK][link-auth0-spa-sdk]. We recommend using the SPA SDK wherever possible, [as
per Auth0's own developer advice][gh-auth0-spa-sdk-issue34]. If you're using
`@auth0/auth0-angular` or `@auth0/auth0-react`, then the SPA SDK is
automatically included.

Open the Auth0 dashboard, click on 'Rules' and add a rule to add any custom
claims to the JWT.

#### Auth0 SPA SDK

<Info>
  Take note of the value of `namespace` here, you will need it later to [configure
  Cube][ref-config-auth0].
</Info>

```javascript theme={null}
function (user, context, callback) {
  const namespace = "http://localhost:4000/"
  context.accessToken[namespace] =
  {
    'company_id': 'company1',
    'user_id': user.user_id,
    'roles': ['user']
  }
  callback(null, user, context)
}
```

## Create an API

If you're using the Auth0 SPA SDK, you'll also need to [create an
API][link-auth0-api]. First, go to the [Auth0 dashboard][link-auth0-app] and
click on the APIs menu option from the left sidebar, then click the Create API
button.

<div style={{ textAlign: "center" }}>
  <img src="https://ucarecdn.com/6727f749-4def-464b-a7bb-2c086d37c051/" style={{ border: "none" }} width="80%" />
</div>

In the 'New API' popup, set a name for this API and an identifier (e.g.
`cube-app`), then click the Create button.

<div style={{ textAlign: "center" }}>
  <img src="https://ucarecdn.com/95d883b6-35b6-47e9-9b9a-ea99a898ef01/" style={{ border: "none" }} width="80%" />
</div>

<Info>
  Take note of the Identifier here, as it is used to [set the JWT Audience option
  in Cube][ref-config-auth0].
</Info>

In your application code, configure your API identifier as the audience when
initializing Auth0. If you're using the `@auth0/auth-react` package for your
application front-end, this might look something like this:

```tsx theme={null}
<Auth0Provider
  domain={process.env.AUTH_DOMAIN}
  client_id={process.env.AUTH_CLIENT_ID}
  redirect_uri={window.location.origin}
  onRedirectCallback={() => {}}
  audience="cube"
>
```

Refer to Auth0's documentation for instructions on configuring
[Angular][link-auth0-angular] or [Vue][link-auth0-vue] applications.

## Configure Cube

Now we're ready to configure Cube to use Auth0. Go to your Cube project and open
the `.env` file and add the following, replacing the values wrapped in `<>`.

```dotenv theme={null}
CUBEJS_JWK_URL=https://<AUTH0-SUBDOMAIN>.auth0.com/.well-known/jwks.json
CUBEJS_JWT_AUDIENCE=<APPLICATION_URL>
CUBEJS_JWT_ISSUER=https://<AUTH0-SUBDOMAIN>.auth0.com/
CUBEJS_JWT_ALGS=RS256
CUBEJS_JWT_CLAIMS_NAMESPACE=<CLAIMS_NAMESPACE>
```

## Testing with the Developer Playground

### Retrieving a JWT

Go to the [OpenID Playground from Auth0][link-openid-playground] to and click
Configuration.

<div style={{ textAlign: "center" }}>
  <img src="https://ucarecdn.com/a40aaeba-1a16-426c-b8a0-8e2be23572e2/" style={{ border: "none" }} width="80%" />
</div>

Enter the following values:

* **Auth0 domain**: `<AUTH0-SUBDOMAIN>.auth0.com`
* **OIDC Client ID**: Retrieve from Auth0 Application settings page
* **OIDC Client Secret**: Retrieve from Auth0 Application settings page
* **Audience**: Retrieve from Auth0 API settings

Click 'Use Auth0 Discovery Document' to auto-fill the remaining values, then
click Save.

<div style={{ textAlign: "center" }}>
  <img src="https://ucarecdn.com/e2c10228-27c9-4ca9-ac2b-9ebd1ae11f06/" style={{ border: "none" }} width="80%" />
</div>

<Warning>
  If you haven't already, go back to the Auth0 application's settings and add
  `https://openidconnect.net/callback` to the list of allowed callback URLs.
</Warning>

Now click Start; if the login is successful, you should see the code, as well as
a button called 'Exchange'. Click on it to exchange the code for your tokens:

<div style={{ textAlign: "center" }}>
  <img src="https://ucarecdn.com/01719292-3186-40d5-8ffa-adc1a8087163/" style={{ border: "none" }} width="80%" />
</div>

Copy the `access_token` from the response, and use the [JWT.IO
Debugger][link-jwt-io-debug] to decode the token and verify any custom claims
were successfully added.

### Set JWT in Developer Playground

Now open the Developer Playground (at `http://localhost:4000`) and on the Build
page, click Add Security Context.

<div style={{ textAlign: "center" }}>
  <img src="https://ucarecdn.com/f63817d8-9729-4b7f-a36c-02518de422e9/" style={{ border: "none" }} width="80%" />
</div>

Click the Token tab, paste the JWT from OpenID Playground and click the Save
button.

<div style={{ textAlign: "center" }}>
  <img src="https://ucarecdn.com/892b39e7-4d57-4dba-957a-dad8ec34fe68/" style={{ border: "none" }} width="80%" />
</div>

Close the popup and use the Developer Playground to make a request. Any data
models using the [Security Context][ref-sec-ctx] should now work as expected.

## Example

To help you get up and running, we have [an example project which is configured
to use Auth0][gh-cube-auth0-example]. You can use it as a starting point for
your own Cube application.

[link-auth0-angular]: https://auth0.com/docs/quickstart/spa/angular/01-login

[link-auth0-vue]: https://auth0.com/docs/quickstart/spa/vuejs/01-login

[link-auth0-docs-app]: https://auth0.com/docs/applications

[link-auth0-docs-api]: https://auth0.com/docs/get-started/set-up-apis

[link-auth0-docs-rules]: https://auth0.com/docs/rules

[gh-auth0-spa-sdk-issue34]: https://github.com/auth0/auth0-spa-js/issues/34#issuecomment-505420895

[link-auth0-app]: https://manage.auth0.com/

[link-auth0-js]: https://auth0.com/docs/libraries/auth0js

[link-auth0-spa-sdk]: https://auth0.com/docs/libraries/auth0-spa-js

[link-auth0-api]: https://auth0.com/docs/tokens/access-tokens#json-web-token-access-tokens

[link-jwt-io-debug]: https://jwt.io/#debugger-io

[link-openid-playground]: https://openidconnect.net/

[ref-config-auth0]: #configure-cube

[ref-sec-ctx]: /docs/data-modeling/access-control/context

[gh-cube-auth0-example]: https://github.com/cube-js/examples/tree/master/auth0