[New plugin] 🔒 Auth0 integration

Can a Bubble app be turned into an OAuth server (not a client like normally) and issue access tokens to other systems using Auth0?

Hey there! This plugin is really awesome. Just one thing. Whenever I start a workflow for Auth0 login, the following popup appears. Is there a way in which this image doesn’t appear? Thanks!

This behavior is quite new; it wasn’t behaving like this a few months ago. I guess a Bubble update created it… I will look more into it to see if we can prevent this window from displaying.

Hi @pipeabellos ,
First, I want to apologize for taking such a long time to respond to your inquiry… I was in discussion with the Bubble support team in May and they were very reactive, but it took me a while to find some time to get back to it and properly test what they suggested.
I just published version 4.7.0 of the plugin, which prevents this annoying message from displaying when logging in and logging out.
In certain circumstances (I guess it could happen after a successful login, but I’m unsure) it may disable similar messages that could display when trying to leave the site.

Let me know if there are any issues with this update.

hey @vparpoil, I established a Facebook connection but I got the error

Notice that the native Facebook/Bubble log in/redirect works just fine…also the Google Auth0 works well, have you seen this issue before? thanks

@vparpoil I was able to fix it; basically I put the callback URL into my FB/Google apps instead of the Bubble callback.

Is there a way to specify a dynamic RETURN URL for Auth0? I want to return to the LAST PAGE I was on before I was redirected to the LOGIN page…
similar to what Stripe does with checkout, then return URL to the last page before leaving your website.

Hi @natserrano,
I’m glad you figured it out!
Actually this is not possible: the return URL cannot be dynamic because the return URL needs to have a special behavior to handle user data and process it to log the user in.
To achieve this behavior, you need to store in the database some kind of user identifier (like a session ID stored in a cookie) and store the last page visited along with it. Then you add a navigation action right after login to redirect the user to the last page he was visiting by matching the cookie-like session ID to what you have in the database. I would also add a lifetime to the entries in the database so that they don’t last forever.
I hope that makes sense.

It makes sense, but if the current user is not logged in… how can I save a “last_page_visited” to the current user?

user is not logged in, in page X (How to save last_page_visited=pageX, if current user is not logged in)
redirected to auth0
back to returnURL, redirected to page X

Or is there a way to specify a parameter in the callback url?

This is why you need a unique identifier for anonymous users, what I called session in my previous post. In Bubble, I looked it up and I think you can use the Bubble cookies, but I’m unsure how to use them.
Another way is to generate a string and store it in local storage / a cookie on first load of a page; then, whenever the user navigates, you check if the string is present or not.
Then, you create a new datatype with two fields: session and lastUrl.
At every page load you do an upsert* with session and the current URL.
After login, you check in this data the line where the session is the one of the user and you get the URL he was accessing right before being redirected.

I still cannot make it work. The upserting* has been deprecated.

I tried to use the Bubble cookie and saved the destination_page to the anonymous user, but coming back from Auth0 the newly created record doesn’t have the destination_page field/value anymore.

There must be a better way…

Hi @natserrano,
Sorry for not responding earlier. I am sorry you didn’t manage to do it. Thinking about this issue, I found a way to solve it and it just got released 🙂

So I just released the following updates:

  • Before login, the current URL is saved and you can reuse it to redirect the user to it, so the user comes back to the last page visited.
    To enable this behavior, update the workflow watching for access_token being in URL to add a last action: “Auth0 - Redirect to last page before login”

    You can try this from the 404 page of the plugin demo page (log out on the home page first). Please note that the redirection will work only if it takes the user less than 5 min to finish the connection process (I hope this is enough)

  • You can now use direct Sign In with Apple buttons and skip the Auth0 page so the user ends up directly on the Apple login page

  • If you use a Database (DB) in Auth0 and want to provide a Signup button, it is now possible by ticking the box Show signup page by default to enable direct redirection to the signup form (this will work only if the Provider field is empty). This will only work with the Auth0 Universal Login (not the classic login)

Thank you all for your feedback, don’t hesitate to contact me if you have any questions.
And if you like the plugin, I would be happy if you could add a review for it.
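
The save-then-redirect pattern discussed in this thread (a stored last URL with a short lifetime, consumed after login), as an added example that is not the plugin's own code. The storage key, the `memoryStore` stand-in for `sessionStorage`, and the `app.example.com` origin are assumptions; the same-origin check goes beyond what the posts describe and keeps the stored value from being used as an open redirect.

```javascript
// Added example: names and storage layout are assumptions, not the plugin's code.
const RETURN_KEY = "auth0_return_to";   // hypothetical storage key
const MAX_AGE_MS = 5 * 60 * 1000;       // the 5 min window mentioned in the post

// Minimal stand-in for window.sessionStorage so the example also runs in Node.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Call right before redirecting the browser to the Auth0 login page.
function saveReturnUrl(store, currentUrl, now = Date.now()) {
  store.setItem(RETURN_KEY, JSON.stringify({ url: currentUrl, savedAt: now }));
}

// Call on the callback page once the login has been processed.
// Returns a same-origin path to navigate to, or `fallback`.
function consumeReturnUrl(store, appOrigin, fallback = "/", now = Date.now()) {
  const raw = store.getItem(RETURN_KEY);
  store.removeItem(RETURN_KEY);         // single use, even when rejected below
  if (raw === null) return fallback;
  let entry;
  try { entry = JSON.parse(raw); } catch { return fallback; }
  if (!entry || typeof entry.url !== "string" ||
      typeof entry.savedAt !== "number") return fallback;
  const age = now - entry.savedAt;
  if (age < 0 || age > MAX_AGE_MS) return fallback;   // expired or bad clock
  let target;
  try { target = new URL(entry.url, appOrigin); } catch { return fallback; }
  // Reject anything that resolves off-site: absolute URLs, //host, javascript:
  if (target.origin !== new URL(appOrigin).origin) return fallback;
  return target.pathname + target.search + target.hash;
}

// Constructed sample run.
const store = memoryStore();
const ORIGIN = "https://app.example.com";
const t0 = 1700000000000;
saveReturnUrl(store, ORIGIN + "/orders?id=42", t0);
console.log(consumeReturnUrl(store, ORIGIN, "/", t0 + 60000));
```
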

OH this is amazing, thanks @vparpoil. I am pretty sure many more people will love this feature. thanks!

Interesting setup!

One problem I foresee is that users who connect with a social account, but later add their own password, will have that password overridden next time they log in via social.

This is because Step 2 of the workflow returns the user, and step 3 assigns a temp password to the user which overrides whatever they set up manually.

See what I mean here:

Hi @Minty,

This is clearly an issue, but there shouldn’t be much of an impact, since you should use Auth0 for all your connections, including login/password connection => you should disable login/password connection via Bubble actions and set up a DB connection in Auth0 => this means Bubble never sees the user password so this case is not happening.

In my mind, main advantages of Auth0 when building an app are:

  • simplicity to connect any third party login
  • ability to enable SSO between apps in a business context using a single third party connection

I see!

Am I able to use Auth0 to post to users social profiles?

For example, once they authenticate with Facebook with the correct permissions we can schedule posts to their Facebook Pages?

Because that would make Auth0 perfect for me then.

Yes, this should be possible. You can use the setup described in the bottom part of the demo app https://plugin-auth0-demo.bubbleapps.io/ (advanced use) to get the access_token for the user on Facebook, and then you will be able to use this token to interact with the Facebook API.

I’ve been reading and playing around with Auth0 for a few days now. It looks robust, but also very complicated.

One thing I can’t wrap my head around is Regular Web Application vs Single Page App setups, and how they affect the security of our Auth0/Bubble apps.

From reading the Auth0 docs and watching their videos it seems that Single Page Apps need special considerations when it comes to security.

Are you able to shed any light on this?

A few questions that I can’t figure out…

  1. If I am making a Single Page app on Bubble, is it a “true” single page app? I keep hearing that Bubble is unique because it can be anything to anyone (a mobile web wrapper, a SPA, and anything else you want) so I was wondering if Bubble’s way of creating the SPA was different to the standard definition, and therefore negating this whole problem.

  2. If the main part of my app is on a single page, but the login and sign page is on a different page (or even hosted by Auth0) is my app still classed as a Single Page app?

  3. How dangerous is it to choose “Regular Web Application” in Auth0 when my app is actually a Single Page App? Maybe I’m worrying about nothing at the end of the day.

The plugin is using a Hybrid Flow of authentication, with a direct request for an access_token and then a server-side validation of the access_token and access to the identity of the user.

In my opinion, it doesn’t matter whether you choose SPA or regular web app, and it doesn’t impact security.
However, I think in Auth0 classification, Bubble apps are not SPA because there is a server and the ability to keep a secret safe on the server.

@vparpoil In the Username field, will it return the Twitter handle in the case of Twitter or the name of the profile? And do we also get the user-id field in the case of Twitter?

Hi @sharma.himanshu0608 ,
Sorry for the late reply. For Twitter, you get the name displayed (not the Twitter handle) in the Username field. The handle is not present at this moment.
I guess you need to get the social access token for the user and call the Twitter API to get it. I guess it’s doable but I haven’t found any clear explanation in the docs while looking for it for you.