Skip to content
Use Auth0 with Chrome Extensions
JavaScript HTML
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
example Fixed fragment issue Dec 10, 2016
.babelrc Updated Webpack to 4.x.x. Selectively enabled binding decorators on f… Dec 19, 2018
.npmignore Added issue template. Jan 2, 2019
LICENSE initial Nov 24, 2016

Auth0 for Chrome extensions

All Contributors


Thanks goes to these wonderful people who contribute(d) or maintain(ed) this repo (emoji key):

Conrad Sopala
Conrad Sopala

🚧 👀
Abhishek Hingnikar
Abhishek Hingnikar

👀 💻



This package allows you to use Auth0 within a Chrome extension. It provides a generic PKCEClient.js file which allows you to use the Proof Key for Code Exchange spec, which is recommended for native applications.

With this package, you can set up your Chrome extension to use Auth0's hosted Lock widget. It uses the launchWebAuthFlow from Chrome's identity API to retrieve tokens from Auth0.

This repo is supported and maintained by Community Developers, not Auth0. For more information about different support levels check .

Getting started

If you haven't already done so, sign up for your free Auth0 account and create an application in the dashboard. Find the domain and client ID from your app settings, as these will be required to integrate Auth0 in your Chrome extension. Note that the client type that you use has to be Native, or you will get unauthorized errors.

Chrome extensions are packaged as .crx files for distribution but may be loaded "unpacked" for development. For more information on how to load an unpacked extension, see the Chrome extension docs.

When loading your application as an unpacked extension, a unique ID will be generated for it. You must whitelist your callback URL (the URL that Auth0 will return to once authentication is complete) and the allowed origin URL.

In the Allowed Callback URLs section, whitelist your callback URL.


In the Allowed Origins section, whitelist your chrome extension as an origin.



Install the auth0-chrome package with npm.

npm install auth0-chrome

The dist folder contains a webpack bundle, including a minified version.

Configure your manifest.json file to run the auth0chrome script, along with an env.js and main.js script for your project. The default_popup should be set to an HTML file containing the content you would like to display.

  "browser_action": {
    "default_title": "Auth0",
    "default_popup": "src/browser_action/browser_action.html"
  "background": {
    "scripts": ["./env.js", "node_modules/auth0-chrome/dist/auth0chrome.min.js", "src/main.js"],
    "persistent": false
  "permissions": [

Add your Auth0 credentials in the env.js file.

window.env = {



Somewhere in your browser action, create a Log In button and when it is clicked, emit an event that can be picked up to trigger the authentication flow. For example, listen for click events with jQuery and emit a message called authenticate with chrome.runtime.sendMessage.

// ...
  $('.login-button').addEventListener('click', () => {
      type: "authenticate"
// ...

Your main.js file is where you should add the listener for the authenticate event. This is where you can instantiate Auth0Chrome and call the authenticate method to start the flow and save the authentication result when it comes back.

// src/main.js

chrome.runtime.onMessage.addListener(function (event) {
  if (event.type === 'authenticate') {

    // scope
    //  - openid if you want an id_token returned
    //  - offline_access if you want a refresh_token returned
    // device
    //  - required if requesting the offline_access scope.
    let options = {
      scope: 'openid offline_access',
      device: 'chrome-extension'

    new Auth0Chrome(env.AUTH0_DOMAIN, env.AUTH0_CLIENT_ID)
      .then(function (authResult) {
        localStorage.authResult = JSON.stringify(authResult);
          type: 'basic',
          iconUrl: 'icons/icon128.png',
          title: 'Login Successful',
          message: 'You can use the app now'
      }).catch(function (err) {
        type: 'basic',
        title: 'Login Failed',
        message: err.message,
        iconUrl: 'icons/icon128.png'

Auth0's hosted Lock widget will be displayed in a new window.

auth0 lock


To apply styles to the login page, go to your Auth0 account and go to Hosted Pages. From there toggle "Customize Login Page", that will allow you to not only customize the Lock widget, but also apply some styling to the page.

To read more on this go to Customize Your Hosted Page.

Using the Library

  • Auth0Chrome(domain, clientId)

    The library exposes Auth0Chrome which extends a generic PKCEClient.

    • domain : Your Auth0 Domain, to create one please visit
    • clientId: The clientId for the chrome client, to create one
    • Visit and click on + Create Application
    • Select "Native" as the client type
    • In the Allowed Callback URLs section, add https://<yourchromeappid> as an allowed callback url
    • In the Allowed Origins section, add chrome-extension://<yourchromeappid>
  • Promise Auth0Client#authenticate(options, interactive)

    The authenticate method makes a call to the Authentication API and renders the login UI if userinteraction is required. Upon completion, this method will resolve an object which will contain the requested token and meta information related to the authentication process.

    • options: object - accepts all the parameters valid for Auth0's Authentication API except for redirect_uri, response_type, code_challenge & code_challenge_method as these are controlled by the library

    • interactive: boolean - if set to false for advanced use-cases, Chrome will throw an error if user-interaction is required during login

    The access_token returned at the end of the authentication flow can then be used to make authenticated calls to your API. For more information on using access tokens, see the full documentation.


    Feel like contributing to this repo? We're glad to hear that! Before you start contributing please visit our Contributing Guideline.

    Here you can also find the PR template to fill once creating a PR. It will automatically appear once you open a pull request.


    Install the dev dependencies.

    npm install

    When changes are made, run npm run build to produce new files for the dist folder.

    Issues Reporting

    Spotted a bug or any other kind of issue? We're just humans and we're always waiting for constructive feedback! Check our section on how to report issues!

    Here you can also find the Issue template to fill once opening a new issue. It will automatically appear once you create an issue.

    Repo Community

    Feel like PRs and issues are not enough? Want to dive into further discussion about the tool? We created topics for each Auth0 Community repo so that you can join discussion on stack available on our repos. Here it is for this one: auth0-chrome


    This project is licensed under the MIT license. See the LICENSE file for more info.

    What is Auth0?

    Auth0 helps you to:

    • Add authentication with multiple authentication sources, either social like

      • Google
      • Facebook
      • Microsoft
      • Linkedin
      • GitHub
      • Twitter
      • Box
      • Salesforce
      • etc.

      or enterprise identity systems like:

      • Windows Azure AD
      • Google Apps
      • Active Directory
      • ADFS
      • Any SAML Identity Provider
    • Add authentication through more traditional username/password databases

    • Add support for linking different user accounts with the same user

    • Support for generating signed JSON Web Tokens to call your APIs and create user identity flow securely

    • Analytics of how, when and where users are logging in

    • Pull data from other sources and add it to user profile, through JavaScript rules

    Create a free Auth0 account

    • Go to Auth0 website
    • Hit the SIGN UP button in the upper-right corner

You can’t perform that action at this time.