To follow along with this guide, add the following dependencies to your Gemfile:

To prevent forged authentication requests, we need to also include CSRF protection. If you're using OmniAuth with Rails, include:

Once your gems are added, install with the following command:

Create a file named auth0.rb under config/initializers and configure the OmniAuth middleware in it.

Use the following command to create the controller that will handle the Auth0 callback:

In the newly created controller, add success and failure callback handlers.

Replace the generated routes with the following:

We need a way for users to trigger authentication. Add a link to /auth/auth0 anywhere in an existing template or use the steps below to generate a homepage in a new app.

Run the following command to generate the homepage controller and views:

Add the following to the generated show.html.erb file:

Finally, point the root path to generated controller:

Run bin/rails server and go to localhost:3000 in your browser. You should see the Auth0 logo and a link to log in.

You can use a controller concern to control access to routes that require the user to be authenticated:

Now generate a controller for the dashboard view that users will see once they are authenticated:

Include the concern in the this new controller to prevent unauthenticated users from accessing its routes:

Add the session data for userinfo to the dashboard view to see what is returned:

Finally, adjust your routes to point /dashboard to this new, secured controller:

With the Rails server still running, go to localhost:3000/dashboard in your browser and you should be redirected to the homepage.

Click the Login link and log in or sign up. Accept the consent modal that appears (for localhost only) and you should end up on at /dashboard with your user info showing.

Configure the application to display errors by adding the following to the production environment config:

The redirect_uri parameter that OmniAuth generates when redirecting to login is based on the Host header that is passed to Rails. This can cause incorrect callback URLs to be passed when using this strategy (and OmniAuth in general) with a reverse proxy. You can adjust the host used by OmniAuth with the following snippet:

See this StackOverflow thread for more information.

This error means that a cookie session is being used and because the whole profile is being stored, it overflows the max-size of 4 kb. If you are unable to access the user profile and you get an error similar to NoMethodError, undefined method '[]' for nil:NilClass, try using In-Memory store for development.

Go to /config/initializers/session_store.rb and add the following:

Go to /config/environments/development.rb and add the following:

It is recommended that a memory store such as MemCached being used for production applications.

Under some configurations, Ruby may not be able to find certification authority certificates (CA certs).

Download the CA certs bundle to the project directory:

Add this initializer to config/initializers/fix_ssl.rb:

This issue doesn't occur when working locally but may happen in a staging or production environment. The error message may be displayed as:

To solve this, add the following to config/environments/staging.rb or production.rb:

Substitute http://www.example.com with the actual URL you'll be using in your application.