In this screencast we'll learn how to register an application in Auth0, a simple process that can be completed in a matter of minutes. After creating your account in Auth0, you'll be prompted for a couple of one time setups. First, you'll need to select the region where Auth0 should service your users' authentication requests. You'll want to choose the region that's closest to most of your users, which will provide the fastest possible response to log in requests. Next, you'll choose a unique domain by entering an account name. Yourchosenaccount name.auth0.com will act as an API endpoint for your applications. After clicking the save button, you'll be asked to choose the authentication providers you wish to use. The initial list only shows the more popular choices such as Facebook, Google and Twitter, however there are many additional providers that you can choose later in the connections area. We'll learn more about this in the next screencast.
After creating your account, Auth0 automatically creates a default application for you and forwards you to the quick start area of that newly created default application. You can always add additional applications to your account by clicking the new app API button from the dashboard. However, in this case we'll just use the default application that was created for us. For now, we're going to focus on the general configuration found in the settings tab of your application.
The first thing you'll notice is the name default app. You'll probably want to give this a more meaningful name at this point. Next, you'll see the Auth0 domain that you created just a few moments ago. Your domain is established upon initial account setup and is simply listed as a reference for you at this point. The client ID is the publicly published unique identifier for this application which will be sent to Auth0 when making authentication requests. Next, you see the client secret which is a private string that can be used by Auth0 to sign the JSON web token that is generated and returned to the client after successfully authenticating the user. You can use the same client secret on your server side code to verify the signature of the JSON web tokens that clients send with each API request, essentially verifying the user's identity. Unlike the client ID that is published and potentially viewable on the client side, the client secret must not be shared and should be secured on your server.
Using a client secret isn't the only option for signing JSON web tokens. You could choose the asymmetrical cryptography option which uses a private key to sign the JSON web token and a public key to verify the signature. This would be done by clicking the show advanced settings link then changing the JSON web token token signature algorithm from HS256 to RS256, and then you can click the download certificate button to obtain the key you'll need on your server to verify JSON web token signatures.
The allowed callback URLs is required for third party applications single sign on integration and for regular web applications. During the authentication process, Auth0 won't make a callback to a URL that isn't white listed here, so specifying a proper callback URL is a crucial setup step. If you're creating a single page app and just calling an API, you just need to add the URLs from which you're calling to the allowed origins to allow cross origin resource sharing or CORS. Doing this will allow calling Auth0 from your single page app.
It's worth mentioning that adding your URLs to the allowed callback URLs will also add it as an allowed origin. Typically, you'll want to set up URLs for each environment you use such as production and testing. We'll add local host port 3000 so we can use Auth0 in our development environment. Next, you see JSON web token expiration which specifies how long the JSON web token will be valid in seconds. The value you specify here will set the expiration time included in the JSON web token which your server side will then use as part of the token verification process. Lastly, we'll save our changes.
Stay tuned for the next screencast where we'll configure the social connections such as Facebook, Google and Twitter that we wish to use in our application.