Auth0

Use Auth0 with your Supabase project


Auth0 can be used as a third-party authentication provider alongside Supabase Auth, or standalone, with your Supabase project.

Getting started

  1. First you need to add an integration to connect your Supabase project with your Auth0 tenant. You will need your tenant ID (and in some cases region ID).
  2. Add a new Third-party Auth integration in your project's Authentication settings.
  3. Assign the role: 'authenticated' custom claim to all JWTs by using an Auth0 Action.
  4. Finally, set up the Supabase client in your application.

Set up the Supabase client library


    import { createClient } from '@supabase/supabase-js'
    import { Auth0Client } from '@auth0/auth0-spa-js'

    const auth0 = new Auth0Client({
      domain: '<AUTH0_DOMAIN>',
      clientId: '<AUTH0_CLIENT_ID>',
      authorizationParams: {
        redirect_uri: '<MY_CALLBACK_URL>',
      },
    })

    const supabase = createClient('https://<supabase-project>.supabase.co', 'SUPABASE_ANON_KEY', {
      // Called by the Supabase client to obtain the JWT sent with each request.
      accessToken: async () => {
        const accessToken = await auth0.getTokenSilently()

        // Alternatively you can use (await auth0.getIdTokenClaims()).__raw to
        // use an ID token instead.

        return accessToken
      },
    })

Add a new Third-Party Auth integration to your project

In the dashboard navigate to your project's Authentication settings and find the Third-Party Auth section to add a new integration.

In the CLI add the following config to your supabase/config.toml file:


    [auth.third_party.auth0]
    enabled = true
    tenant = "<id>"
    tenant_region = "<region>" # if your tenant has a region

Use an Auth0 Action to assign the authenticated role

Your Supabase project inspects the role claim present in all JWTs sent to it, to assign the correct Postgres role when using the Data API, Storage or Realtime authorization.

By default, Auth0 JWTs (both access token and ID token) do not contain a role claim. If you were to send such a JWT to your Supabase project, the anon role would be assigned when executing the Postgres query. Most of your app's logic will be accessible by the authenticated role.

A recommended approach to add the claim is to configure an onExecutePostLogin Auth0 Action that sets it as a custom claim:


    exports.onExecutePostLogin = async (event, api) => {
      // Add the role claim that Supabase uses to select the Postgres role.
      api.accessToken.setCustomClaim('role', 'authenticated')
    }

Limitations

At this time, Auth0 tenants with the following signing algorithms are not supported:

  • HS256 (HMAC with SHA-256) -- also known as symmetric JWTs
  • PS256 (RSA-PSS with SHA-256)
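
A pre-flight check for the two failure modes described above (a missing role claim and an unsupported signing algorithm), as an added example that is not part of the Supabase or Auth0 documentation. The function names, the sample tokens and the RS256 header value are constructed for illustration; the check only decodes the token and does not verify its signature.

```javascript
// Signing algorithms this page lists as unsupported for Auth0 tenants.
const UNSUPPORTED_ALGS = new Set(['HS256', 'PS256'])

// Decode one base64url JWT segment to an object. No signature check is done.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
  const value = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'))
  if (value === null || typeof value !== 'object') throw new Error('not an object')
  return value
}

// List the reasons a token would not map to the `authenticated` Postgres role.
// An empty list means the header and claims look usable.
function checkAuth0Token(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : []
  if (parts.length !== 3) return ['not a three-part JWT']
  let header, payload
  try {
    header = decodeSegment(parts[0])
    payload = decodeSegment(parts[1])
  } catch {
    return ['header or payload is not base64url-encoded JSON']
  }
  const problems = []
  if (UNSUPPORTED_ALGS.has(header.alg)) {
    problems.push(`signing algorithm ${header.alg} is not supported`)
  }
  if (payload.role === undefined) {
    problems.push('no role claim: queries would run as anon')
  } else if (payload.role !== 'authenticated') {
    problems.push(`role claim is "${payload.role}", expected "authenticated"`)
  }
  return problems
}

// Constructed, unsigned sample tokens (dummy signature) so the check runs offline.
function makeSampleToken(header, payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
  return `${enc(header)}.${enc(payload)}.constructed-signature`
}
const samples = {
  ok: makeSampleToken({ alg: 'RS256' }, { sub: 'constructed-user', role: 'authenticated' }),
  noRole: makeSampleToken({ alg: 'RS256' }, { sub: 'constructed-user' }),
  hs256: makeSampleToken({ alg: 'HS256' }, { sub: 'constructed-user', role: 'authenticated' }),
}
for (const [name, token] of Object.entries(samples)) {
  console.log(name, checkAuth0Token(token))
}
```

Run it on whichever token your accessToken callback returns; the Action shown above sets the claim on the access token only.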