DEV Community: Insiderto The latest articles on DEV Community by Insiderto (@insiderto). https://dev.to/insiderto https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3094450%2Fd3c8c42f-eb24-497f-87a2-c889cfb21149.png DEV Community: Insiderto https://dev.to/insiderto en How to Obtain an OIDC ID Token for SpacetimeDB Using Next.js and Auth0 Insiderto Sat, 26 Apr 2025 19:53:21 +0000 https://dev.to/insiderto/how-to-obtain-an-oidc-id-token-for-spacetimedb-using-nextjs-and-auth0-1ci https://dev.to/insiderto/how-to-obtain-an-oidc-id-token-for-spacetimedb-using-nextjs-and-auth0-1ci <p>Hello! Since the first <a href="https://www.youtube.com/watch?v=kzDnA_EVhTU&amp;ab_channel=SpacetimeDB" rel="noopener noreferrer">SpacetimeDB video</a> came out, I’ve become a huge fan of this technology and am very grateful to Clockwork for releasing the database. From day one, I’ve been experimenting with SpacetimeDB in my projects. I followed the guide to build a simple chat, and then I decided to use SpacetimeDB in one of my own projects: <a href="https://www.overvoted.com/" rel="noopener noreferrer">Overvoted</a> — a everyday clicker-and-voting. The project started as a fun idea, but I realized it was a great way to test the database and learn how to use it for my future ideas.</p> <h2> The Authentication Challenge in SpacetimeDB </h2> <p>The Spacetime documentation focuses mostly on usage scenarios; how to build a chat or a small Agar.io-style game; but these examples don’t cover authentication and authorization in depth. For MMORPG use cases (which is where SpacetimeDB really shines), robust auth is critical. SpacetimeDB doesn’t provide any built-in authorization mechanisms, and for authentication it expects an ID Token issued by an OpenID Connect–compliant provider. In practice, that means we developers must implement our own auth flow and obtain a token from a third-party OIDC provider.</p> <p>For my project, I chose Auth0 and I’m using Next.js on the frontend. Note that our application is essentially a single-page app (SPA), not an MPA or server-rendered app. I haven’t yet tackled the server-side auth scenario.</p> <h2> Prerequisites </h2> <ul> <li>A running SpacetimeDB instance with your module code and database logic already set up</li> <li>An Auth0 account with a configured Single Page Application</li> <li>A frontend client (I’m using Next.js, but any SPA framework will work)</li> </ul> <h2> Step 1: Set Up Your SpacetimeDB Client and Module </h2> <p>Follow the official quickstarts for your language of choice:</p> <ul> <li><a href="https://spacetimedb.com/docs/sdks/typescript/quickstart" rel="noopener noreferrer">TypeScript client</a></li> <li><a href="https://spacetimedb.com/docs/modules/c-sharp/quickstart" rel="noopener noreferrer">C# module</a></li> <li><a href="https://spacetimedb.com/docs/modules/rust/quickstart" rel="noopener noreferrer">Rust module</a></li> </ul> <h2> Key Concepts to Understand </h2> <p>Before implementing the flow, keep these points in mind:</p> <ol> <li><p><strong>Token and Identity</strong>: The token you provide to SpacetimeDB lets it assign and persist a client identity. In simple terms: the same user token always yields the same SpacetimeDB identity. That’s the core of how connections remain stable.</p></li> <li><p><strong>ID Token Only</strong>: SpacetimeDB specifically requires the ID Token (not an Access Token or any other token) issued by an OIDC provider.</p></li> <li><p><strong>Provider Compatibility</strong>: Not every auth provider fully implements OIDC. Always verify OIDC compatibility for your chosen provider. Auth0 is fully OIDC-compliant.</p></li> <li><p><strong>Auth Services</strong>: An authentication aggregator like Auth0 can support multiple identity providers (Google, Twitter, etc.). You could also integrate a provider like Google directly, but using an aggregator often offers more flexibility for your users.</p></li> </ol> <h2> SPA Implementation </h2> <p>For React/Next.js apps, I recommend using <a href="https://github.com/authts/react-oidc-context" rel="noopener noreferrer">react-oidc-context</a>. For other TypeScript frameworks, <a href="https://github.com/authts/oidc-client-ts" rel="noopener noreferrer">oidc-client-ts</a> works well.</p> <h3> OIDC Configuration for Auth0 </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">oidcConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">authority</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://dev-aaaaAAAAAAAaaaa.us.auth0.com</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Your Auth0 OIDC issuer URL in app it will be Domain</span> <span class="na">client_id</span><span class="p">:</span> <span class="dl">"</span><span class="s2">AAaaaAAAAaaaaaAAAAaAa</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Your Auth0 Client ID</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://localhost:3001/callback</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Redirect URI to receive the tokens</span> <span class="na">post_logout_redirect_uri</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://localhost:3001</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Where to go after logout</span> <span class="na">response_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">code</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// Use Authorization Code Flow</span> <span class="na">scope</span><span class="p">:</span> <span class="dl">"</span><span class="s2">openid email profile</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// OIDC scopes (openid required)</span> <span class="p">};</span> </code></pre> </div> <h3> Simplified Provider Setup in Next.js </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">AuthProvider</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-oidc-context</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">Providers</span><span class="p">({</span> <span class="nx">children</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">AuthProvider</span> <span class="p">{...</span><span class="nx">oidcConfig</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/AuthProvider&gt;</span><span class="err">; </span><span class="p">}</span> </code></pre> </div> <h3> Connecting to SpacetimeDB with the ID Token </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">useAuth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-oidc-context</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useEffect</span><span class="p">,</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">DbConnection</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@module-bingings</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// generated module bindings</span> <span class="kd">function</span> <span class="nf">SpacetimeConnector</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">identity</span><span class="p">,</span> <span class="nx">setIdentity</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">auth</span><span class="p">.</span><span class="nx">isAuthenticated</span> <span class="o">&amp;&amp;</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id_token</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">conn</span> <span class="o">=</span> <span class="nx">DbConnection</span><span class="p">.</span><span class="nf">builder</span><span class="p">()</span> <span class="p">.</span><span class="nf">withUri</span><span class="p">(</span><span class="dl">'</span><span class="s1">spacetime://my-project.spacetimedb.net</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">withModuleName</span><span class="p">(</span><span class="dl">'</span><span class="s1">my_module</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">withToken</span><span class="p">(</span><span class="nx">auth</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">id_token</span><span class="p">)</span> <span class="p">.</span><span class="nf">onConnect</span><span class="p">((</span><span class="nx">conn</span><span class="p">,</span> <span class="nx">identity</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Connected with identity: </span><span class="p">${</span><span class="nx">identity</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nf">setIdentity</span><span class="p">(</span><span class="nx">identity</span><span class="p">);</span> <span class="p">})</span> <span class="p">.</span><span class="nf">build</span><span class="p">();</span> <span class="k">return </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">conn</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="p">}</span> <span class="p">},</span> <span class="p">[</span><span class="nx">auth</span><span class="p">.</span><span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">user</span><span class="p">]);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">identity</span> <span class="o">&amp;&amp;</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Your</span> <span class="nx">SpacetimeDB</span> <span class="na">Identity</span><span class="p">:</span> <span class="p">{</span><span class="nx">identity</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p&gt;</span><span class="err">} </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h2> Temporary Tokens and Verifying Your Setup </h2> <h3> SpacetimeDB Temporary Tokens </h3> <p>The <code>onConnect</code> callback’s third argument is a temporary SpacetimeDB token if you didn’t supply an ID Token via <code>.withToken()</code>. SpacetimeDB issues this token itself. If you require external auth, you can safely ignore the temporary token.</p> <p>Temporary tokens are useful when you don’t have an external auth system but still want session persistence:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Without external auth (using the temporary SpacetimeDB token)</span> <span class="p">.</span><span class="nf">onConnect</span><span class="p">((</span><span class="nx">conn</span><span class="p">,</span> <span class="nx">identity</span><span class="p">,</span> <span class="nx">tempToken</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Connected with identity: </span><span class="p">${</span><span class="nx">identity</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">localStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">spacetime_temp_token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">tempToken</span><span class="p">);</span> <span class="p">})</span> <span class="c1">// With OIDC ID Token</span> <span class="p">.</span><span class="nf">onConnect</span><span class="p">((</span><span class="nx">conn</span><span class="p">,</span> <span class="nx">identity</span><span class="p">,</span> <span class="nx">_tempToken</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Connected with identity: </span><span class="p">${</span><span class="nx">identity</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// We ignore the temporary token when using an OIDC ID Token</span> <span class="p">})</span> </code></pre> </div> <h3> How to Verify Your Configuration </h3> <p>Ensure the same authenticated user always receives the same SpacetimeDB identity:</p> <ol> <li>Log in to your app.</li> <li>Connect to SpacetimeDB and note the returned identity.</li> <li>Refresh the page or open the app in a different browser.</li> <li>Log in as the same user.</li> <li>Check that the identity remains unchanged. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">.</span><span class="nf">onConnect</span><span class="p">((</span><span class="nx">conn</span><span class="p">,</span> <span class="nx">identity</span><span class="p">,</span> <span class="nx">tempToken</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`Connected with identity: </span><span class="p">${</span><span class="nx">identity</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="c1">// This identity should be stable for a single user</span> <span class="p">})</span> </code></pre> </div> <p>If identities differ for the same user, check:</p> <ul> <li>You’re sending an OIDC ID Token (not an Access Token).</li> <li>Your OIDC provider settings are correct.</li> <li>You’re persisting and reusing the token properly.</li> </ul> <h2> Conclusion </h2> <p>I had very limited experience with authentication and authorization systems, and OIDC was entirely new to me. Initially, integrating it felt overwhelming and I wasn’t sure what I was doing. Having worked through the steps now, I can see that it’s actually quite approachable.</p> <p>Big thanks to Lethalchip (Chip) for his GitHub example (<a href="https://github.com/Lethalchip/spacetimedb-cookbook/tree/master/oidc-test" rel="noopener noreferrer">spacetimedb-cookbook/oidc-test</a>). Note: although his example is generally correct, he mistakenly uses an Access Token rather than an ID Token, which broke identity stability in my tests.</p> <p>I hope this guide helps you integrate SpacetimeDB into your projects with a reliable OIDC authentication system via Auth0 or other OIDC complaint provider.</p> webdev programming javascript