Latest Posts

Implementing OAuth Authentication in React

Posted on by Rishan Solutions

Loading

OAuth is the industry standard for authorization, allowing users to log in via third-party services like Google, Facebook, or GitHub without exposing their credentials to your application. Here’s a comprehensive guide to implementing OAuth in React applications.

1. Choosing an OAuth Flow

Recommended Flows for React Apps:

  • Authorization Code Flow with PKCE (Best for SPAs)
  • Implicit Flow (Simpler but less secure – being deprecated)
  • Hybrid Flow (Combines benefits of both)

2. Basic Implementation with Auth0

Setup Auth0 Provider

// auth0-config.js
export const auth0Config = {
  domain: 'your-domain.auth0.com',
  clientId: 'your-client-id',
  authorizationParams: {
    redirect_uri: window.location.origin,
    audience: 'https://your-api.com',
    scope: 'openid profile email',
  },
};

Create Auth Context

// AuthContext.js
import { createContext, useContext, useEffect, useState } from 'react';
import { Auth0Client } from '@auth0/auth0-spa-js';
import { auth0Config } from './auth0-config';

const AuthContext = createContext();

export const AuthProvider = ({ children }) => {
  const [authClient, setAuthClient] = useState(null);
  const [user, setUser] = useState(null);
  const [isAuthenticated, setIsAuthenticated] = useState(false);
  const [isLoading, setIsLoading] = useState(true);

  useEffect(() => {
    const initializeAuth0 = async () => {
      const auth0Client = new Auth0Client(auth0Config);
      setAuthClient(auth0Client);

      try {
        const isAuthenticated = await auth0Client.isAuthenticated();
        setIsAuthenticated(isAuthenticated);

        if (isAuthenticated) {
          const userProfile = await auth0Client.getUser();
          setUser(userProfile);
        }
      } catch (error) {
        console.error('Auth initialization error:', error);
      } finally {
        setIsLoading(false);
      }
    };

    initializeAuth0();
  }, []);

  const login = async () => {
    await authClient.loginWithRedirect();
  };

  const logout = async () => {
    await authClient.logout({
      logoutParams: {
        returnTo: window.location.origin,
      },
    });
    setUser(null);
    setIsAuthenticated(false);
  };

  const getAccessToken = async () => {
    return authClient.getTokenSilently();
  };

  const value = {
    user,
    isAuthenticated,
    isLoading,
    login,
    logout,
    getAccessToken,
  };

  return (
    <AuthContext.Provider value={value}>
      {children}
    </AuthContext.Provider>
  );
};

export const useAuth = () => useContext(AuthContext);

3. Protecting Routes

Private Route Component

// PrivateRoute.js
import { Navigate } from 'react-router-dom';
import { useAuth } from './AuthContext';

export const PrivateRoute = ({ children }) => {
  const { isAuthenticated, isLoading } = useAuth();

  if (isLoading) {
    return <div>Loading...</div>;
  }

  return isAuthenticated ? children : <Navigate to="/login" />;
};

// Usage in App.js
<Route
  path="/dashboard"
  element={
    <PrivateRoute>
      <Dashboard />
    </PrivateRoute>
  }
/>

4. Handling the Callback

Callback Component

// Callback.js
import { useEffect } from 'react';
import { useNavigate } from 'react-router-dom';
import { useAuth } from './AuthContext';

export const Callback = () => {
  const { isAuthenticated, isLoading } = useAuth();
  const navigate = useNavigate();

  useEffect(() => {
    if (!isLoading) {
      navigate(isAuthenticated ? '/dashboard' : '/');
    }
  }, [isLoading, isAuthenticated, navigate]);

  return <div>Loading...</div>;
};

// Add to your routes
<Route path="/callback" element={<Callback />} />

5. Making Authenticated API Calls

Axios Interceptor Setup

// api.js
import axios from 'axios';
import { useAuth } from './AuthContext';

export const useApi = () => {
  const { getAccessToken } = useAuth();

  const api = axios.create({
    baseURL: 'https://your-api.com',
  });

  api.interceptors.request.use(async (config) => {
    const token = await getAccessToken();
    if (token) {
      config.headers.Authorization = `Bearer ${token}`;
    }
    return config;
  });

  return api;
};

// Usage in components
function UserProfile() {
  const api = useApi();
  const [profile, setProfile] = useState(null);

  useEffect(() => {
    const fetchProfile = async () => {
      try {
        const response = await api.get('/profile');
        setProfile(response.data);
      } catch (error) {
        console.error('Failed to fetch profile:', error);
      }
    };
    fetchProfile();
  }, [api]);

  // Render profile data
}

6. Social Login Integration

Adding Social Providers

// Update auth0-config.js
export const auth0Config = {
  // ...existing config
  authorizationParams: {
    // ...existing params
    connection: 'google', // or 'facebook', 'github', etc.
  },
};

// Multiple providers option
export const loginWithSocial = (connection) => {
  authClient.loginWithRedirect({
    authorizationParams: {
      connection,
    },
  });
};

7. Silent Authentication (Token Refresh)

Silent Auth Setup

// Update AuthContext.js
useEffect(() => {
  const handleRedirectCallback = async () => {
    try {
      await authClient.handleRedirectCallback();
      const userProfile = await authClient.getUser();
      setUser(userProfile);
      setIsAuthenticated(true);
    } catch (error) {
      console.error('Redirect callback error:', error);
    }
  };

  if (window.location.search.includes('code=')) {
    handleRedirectCallback();
  }
}, [authClient]);

// Token refresh logic
const getAccessToken = async () => {
  try {
    return await authClient.getTokenSilently({
      authorizationParams: {
        audience: 'https://your-api.com',
        scope: 'openid profile email',
      },
    });
  } catch (error) {
    if (error.error === 'login_required') {
      await login();
    }
    throw error;
  }
};

8. Security Best Practices

Implement CSRF Protection

// Generate state parameter for OAuth flow
const generateState = () => {
  return crypto.randomBytes(16).toString('hex');
};

// In login function
const login = async () => {
  const state = generateState();
  localStorage.setItem('oauth_state', state);

  await authClient.loginWithRedirect({
    authorizationParams: {
      state,
    },
  });
};

// In callback handler
const handleRedirectCallback = async () => {
  const { appState } = await authClient.handleRedirectCallback();
  const storedState = localStorage.getItem('oauth_state');

  if (appState.state !== storedState) {
    throw new Error('Invalid state parameter');
  }

  localStorage.removeItem('oauth_state');
  // ...rest of callback logic
};

9. Multi-Tenancy Support

Organization-Based Authentication

// Update auth0-config.js
export const auth0Config = {
  // ...existing config
  authorizationParams: {
    // ...existing params
    organization: 'org_xyz', // Optional org ID
  },
};

// Dynamic organization selection
export const loginWithOrganization = (orgId) => {
  authClient.loginWithRedirect({
    authorizationParams: {
      organization: orgId,
    },
  });
};

10. Testing Authentication

Mocking Auth in Tests

// test-utils.js
export const mockAuth = {
  user: { name: 'Test User', email: 'test@example.com' },
  isAuthenticated: true,
  isLoading: false,
  login: jest.fn(),
  logout: jest.fn(),
  getAccessToken: jest.fn().mockResolvedValue('mock-access-token'),
};

export const MockAuthProvider = ({ children }) => (
  <AuthContext.Provider value={mockAuth}>
    {children}
  </AuthContext.Provider>
);

// In your test files
test('displays user profile', async () => {
  render(
    <MockAuthProvider>
      <UserProfile />
    </MockAuthProvider>
  );

  expect(await screen.findByText('Test User')).toBeInTheDocument();
});

Alternative Libraries

Using Firebase Authentication

// firebase-auth.js
import { initializeApp } from 'firebase/app';
import { 
  getAuth, 
  GoogleAuthProvider, 
  signInWithPopup, 
  signOut 
} from 'firebase/auth';

const firebaseConfig = {
  apiKey: "your-api-key",
  authDomain: "your-project.firebaseapp.com",
  projectId: "your-project",
};

const app = initializeApp(firebaseConfig);
const auth = getAuth(app);
const googleProvider = new GoogleAuthProvider();

export const signInWithGoogle = () => signInWithPopup(auth, googleProvider);
export const firebaseSignOut = () => signOut(auth);

Using NextAuth.js (for Next.js applications)

// pages/api/auth/[...nextauth].js
import NextAuth from 'next-auth';
import GoogleProvider from 'next-auth/providers/google';

export default NextAuth({
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
    }),
  ],
  callbacks: {
    async jwt({ token, account }) {
      if (account) {
        token.accessToken = account.access_token;
      }
      return token;
    },
    async session({ session, token }) {
      session.accessToken = token.accessToken;
      return session;
    },
  },
});

Performance Considerations

  1. Lazy Load Auth SDK: Only load authentication libraries when needed
  2. Token Refresh Strategy: Implement efficient token renewal
  3. Minimize Re-renders: Optimize auth context to prevent unnecessary updates
  4. Bundle Size: Choose lightweight OAuth libraries

By implementing these patterns, you can create a secure, user-friendly authentication system in your React application that leverages OAuth for reliable third-party logins while maintaining control over your user experience.

Leave a Reply

Your email address will not be published. Required fields are marked *