DEV Community: Yann Amsellem The latest articles on DEV Community by Yann Amsellem (@yannamsellem). https://dev.to/yannamsellem https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3199906%2F326d00de-e28a-4c71-a6bd-8e358cf31770.png DEV Community: Yann Amsellem https://dev.to/yannamsellem en Adding Auth0 to Your Tauri App: Secure Authentication for Agx on Web and Desktop Yann Amsellem Mon, 02 Jun 2025 12:16:23 +0000 https://dev.to/yannamsellem/adding-auth0-to-your-tauri-app-secure-authentication-for-agx-on-web-and-desktop-1h4k https://dev.to/yannamsellem/adding-auth0-to-your-tauri-app-secure-authentication-for-agx-on-web-and-desktop-1h4k <h2> Understanding Agx and Its Constraints </h2> <p>At Agnostic, we’ve crafted agx as a modern desktop application powered by <strong>Tauri</strong>, <strong>SvelteKit</strong>, and <strong>Plot</strong>, with <strong>ClickHouse</strong> driving fast local data processing. Our aim is to give users an intuitive interface to explore and query data effortlessly. What makes agx unique is its ability to operate in two modes:</p> <ul> <li> <strong>Desktop Mode</strong>: A native app using ClickHouse for fast, local data queries.</li> <li> <strong>Web Mode</strong>: A browser-based interface connecting to a remote server instance.</li> </ul> <p>Delivering a seamless experience across both modes is a challenge, particularly for authentication, which must work smoothly in both native and web environments while prioritizing security and ease of use. For the desktop side, we tap into Tauri’s <a href="https://tauri.app/plugin/deep-linking/" rel="noopener noreferrer"><code>deep-linking</code></a> and <a href="https://tauri.app/plugin/opener/" rel="noopener noreferrer"><code>opener</code></a> plugins to manage Auth0’s Universal Login flow, using a custom <code>agx://localhost/auth</code> protocol to redirect back to the app.</p> <h2> Why Auth0? The Need for Authentication </h2> <p>To unlock advanced features like agx’s AI Assistant, users need to log in. We chose <strong>Auth0</strong> with its <strong>Universal Login</strong> flow for its:</p> <ul> <li> <strong>Seamless SSO</strong>: Universal Login provides a unified, hosted login experience across web and desktop.</li> <li> <strong>Cross-Platform Compatibility</strong>: Works with SvelteKit’s frontend and Tauri’s Rust-based backend.</li> <li> <strong>Security</strong>: Leverages OAuth 2.0, JWT, and secure token storage.</li> <li> <strong>Ease of Use</strong>: The hosted Universal Login page is easy to set up and customize, letting us align it with agx’s branding.</li> </ul> <p>By combining Auth0 with Tauri’s plugins, we ensure users enjoy a consistent login experience, whether running agx natively or in a browser, unlocking the AI Assistant with minimal hassle.</p> <h2> Configuring Auth0 with Universal Login Step-by-Step </h2> <p>To integrate Auth0’s SPA application type with Universal Login, configure the Auth0 dashboard and your Tauri + SvelteKit project as follows:</p> <h3> Create an Auth0 Application </h3> <p>Start by heading to the Auth0 dashboard and creating a new application. Select Single Page Application (SPA), as it aligns perfectly with SvelteKit’s architecture and Tauri’s webview.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp0qehaydsiq535pys1jq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp0qehaydsiq535pys1jq.png" alt="Auth0 dashboard showing SPA application creation" width="800" height="500"></a></p> <h3> Configure Application Settings </h3> <p>To enable secure redirects for both desktop and web modes, we configure Auth0’s URLs to support the <code>deep-linking</code> plugin’s custom protocol and standard web callbacks.</p> <p>In the application settings:</p> <ul> <li>Set <em>Allowed Callback URLs</em> to: <ul> <li> <code>agx://localhost/auth</code> for the desktop app. This custom protocol is registered by the <code>deep-linking</code> plugin, allowing Auth0 to redirect back to the Tauri app after login.</li> <li> <code>http://localhost:1420</code> for web development (agx’s default development port).</li> <li>The production URL <code>https://agx.app</code> for web mode.</li> </ul> </li> <li>Set <em>Allowed Logout URLs</em> to <code><a href="http://localhost:1420" rel="noopener noreferrer">http://localhost:1420</a></code>, <code><a href="https://agx.app" rel="noopener noreferrer">https://agx.app</a></code> and <code>agx://localhost/auth</code>.</li> <li>Add <em>Web Origins</em> for: <ul> <li> <code>http://localhost:1420</code> and the production domain <code>https://agx.app</code> for web mode.</li> <li> <code>tauri://localhost</code> and <code>https://tauri.localhost</code> for the desktop app. These are necessary because Tauri’s webview sets the request origin to <code>tauri://localhost</code> or <code>https://tauri.localhost</code>, and Auth0 requires these origins to be explicitly allowed to prevent CORS errors during authentication.</li> </ul> </li> </ul> <p>The <code>agx://localhost/auth</code> URI must be added to <em>Allowed Callback URLs</em> to enable the <code>deep-linking</code> plugin to handle redirects back to the desktop app. Similarly, <code>tauri://localhost</code> and <code>https://tauri.localhost</code> in <em>Web Origins</em> ensure Auth0 recognizes the Tauri app’s origin for secure authentication.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fip1pkbt5m6piddr9f9gi.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fip1pkbt5m6piddr9f9gi.png" alt="Auth0 application settings with callback URLs and Web Origins" width="800" height="500"></a></p> <h3> Set Up Tauri Plugins </h3> <p>To prepare Tauri, install the <code>deep-linking</code> and <code>opener</code> plugins using the Tauri CLI with these commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>npm run tauri add deep-linking <span class="nv">$ </span>npm run tauri add opener </code></pre> </div> <p>Run one command at a time to avoid issues. If agx is well-configured, the Tauri CLI will automatically add the necessary permissions and plugins to the app builder. If something goes wrong, check the requirements on the plugins’ documentation pages to resolve any hiccups.<br> In <code>tauri.conf.json</code>, configure the deep-linking plugin to register the <code>agx://</code> protocol for desktop redirects.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"plugins"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"deep-linking"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"desktop"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"schemes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"agx"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Finally, add the Auth0 SPA SDK to the SvelteKit project with <code>npm install @auth0/auth0-spa-js</code>. These steps lay the foundation for Auth0’s Universal Login to work seamlessly across agx’s web and desktop modes, with the <code>deep-linking</code> plugin managing desktop redirects and the <code>opener</code> plugin handling browser-based logins.</p> <h2> Wiring Up Auth0: The Code </h2> <p>Here’s how we at Agnostic integrated Auth0’s SPA SDK with Universal Login, using Tauri’s <code>deep-linking</code> and <code>opener</code> plugins. To make the <code>deep-linking</code> plugin work for handling <code>agx://localhost/auth</code> redirects in desktop mode, build the app with <code>npm run tauri build</code> to create a production bundle, and add the <code>--debug</code> flag to enable devtools for easier debugging. The code below uses environment variables for Auth0 configuration, checks platform-specific login states, and manages redirects dynamically for both web and native modes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="kd">type</span> <span class="nx">Auth0Client</span><span class="p">,</span> <span class="nx">createAuth0Client</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@auth0/auth0-spa-js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">onOpenUrl</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@tauri-apps/plugin-deep-link</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">openUrl</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@tauri-apps/plugin-opener</span><span class="dl">"</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">AUTH0_DOMAIN</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">AUTH0_DOMAIN is not defined</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">AUTH0_CLIENT_ID</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">"</span><span class="s2">AUTH0_CLIENT_ID is not defined</span><span class="dl">"</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">client</span><span class="p">:</span> <span class="nx">Auth0Client</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">init</span><span class="p">()</span> <span class="p">{</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createAuth0Client</span><span class="p">({</span> <span class="na">domain</span><span class="p">:</span> <span class="nx">AUTH0_DOMAIN</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">AUTH0_CLIENT_ID</span><span class="p">,</span> <span class="na">authorizationParams</span><span class="p">:</span> <span class="p">{</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nx">AUTH0_REDIRECT_URI</span> <span class="o">||</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">,</span> <span class="p">},</span> <span class="na">cacheLocation</span><span class="p">:</span> <span class="dl">"</span><span class="s2">localstorage</span><span class="dl">"</span><span class="p">,</span> <span class="na">useRefreshTokens</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">checkLoginState</span><span class="p">()</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">init</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">PLATFORM</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">WEB</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">code=</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">"</span><span class="s2">state=</span><span class="dl">"</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">handleRedirectCallback</span><span class="p">();</span> <span class="nb">window</span><span class="p">.</span><span class="nx">history</span><span class="p">.</span><span class="nf">replaceState</span><span class="p">({},</span> <span class="nb">document</span><span class="p">.</span><span class="nx">title</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">PLATFORM</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">NATIVE</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">onOpenUrl</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">urls</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nx">urls</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">u</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">u</span><span class="p">))</span> <span class="p">.</span><span class="nf">find</span><span class="p">((</span><span class="nx">u</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="dl">"</span><span class="s2">code</span><span class="dl">"</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="dl">"</span><span class="s2">state</span><span class="dl">"</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">handleRedirectCallback</span><span class="p">(</span><span class="nx">url</span><span class="p">.</span><span class="nf">toString</span><span class="p">());</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">isAuthenticated</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">client</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">isAuthenticated</span><span class="p">();</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getToken</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">client</span><span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">getTokenSilently</span><span class="p">();</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">login</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">client</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">loginWithRedirect</span><span class="p">({</span> <span class="k">async</span> <span class="nf">openUrl</span><span class="p">(</span><span class="nx">url</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">PLATFORM</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">WEB</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nf">assign</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">PLATFORM</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">NATIVE</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">openUrl</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="p">}</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">logout</span><span class="p">()</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">client</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">logout</span><span class="p">({</span> <span class="na">logoutParams</span><span class="p">:</span> <span class="p">{</span> <span class="na">returnTo</span><span class="p">:</span> <span class="nx">AUTH0_REDIRECT_URI</span> <span class="o">||</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This code relies on environment variables (<code>AUTH0_DOMAIN</code>, <code>AUTH0_CLIENT_ID</code>, <code>AUTH0_REDIRECT_URI</code>) to configure Auth0. The <code>PLATFORM</code> constant (<code>WEB</code> or <code>NATIVE</code>) determines whether to handle redirects via the browser or the <code>deep-linking</code> plugin’s <code>onOpenUrl</code>. For desktop mode, the <code>opener</code> plugin opens the Universal Login page in the default browser, and <code>agx://localhost/auth</code> serves as the redirect URI, caught by the <code>deep-linking</code> plugin. For web mode, it falls back to standard redirects using <code>window.location.origin</code>. The <code>useRefreshTokens: true</code> setting ensures secure token management for the SPA with Universal Login. The <code>checkLoginState</code> function handles callback logic and cleaning up the URL after authentication.</p> <h2> Wrapping Up </h2> <p>At Agnostic, we’ve integrated Auth0’s Universal Login with Tauri’s <code>deep-linking</code> and <code>opener</code> plugins to deliver secure, seamless authentication for agx across web and desktop. The <code>deep-linking</code> plugin handles redirects to <code>agx://localhost/auth</code>, while the <code>opener</code> plugin opens the Universal Login page in the default browser for desktop users. Including <code>tauri://localhost</code> and <code>https://tauri.localhost</code> as Web Origins in Auth0 eliminates CORS issues in Tauri’s webview. This setup creates a consistent experience, unlocking features like the AI Assistant. Want to dive into this implementation? Check out the <a href="https://github.com/agnosticeng/agx" rel="noopener noreferrer"><code>agx</code> repository</a> and give it a try!</p> webdev tutorial tauri auth0