MCPcopy Index your code
hub / github.com/auth0/auth0-java-mvc-common

github.com/auth0/auth0-java-mvc-common @1.12.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release 1.12.0 ↗ · + Follow
431 symbols 1,648 edges 37 files 88 documented · 20%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Auth0 SDK to add authentication to your Java Servlet applications.

Build Status Coverage Status License Maven Central javadoc Ask DeepWiki

Note As part of our ongoing commitment to best security practices, we have rotated the signing keys used to sign previous releases of this SDK. As a result, new patch builds have been released using the new signing key. Please upgrade at your earliest convenience.

While this change won't affect most developers, if you have implemented a dependency signature validation step in your build process, you may notice a warning that past releases can't be verified. This is expected, and a result of the key rotation process. Updating to the latest version will resolve this for you.

:books: Documentation - :rocket: Getting Started - :computer: API Reference :speech_balloon: Feedback

Documentation

  • Quickstart - our interactive guide for quickly adding login, logout and user information to a Java Servlet application using Auth0.
  • Sample App - a sample Java Servlet application integrated with Auth0.
  • Examples - code samples for common scenarios.
  • Docs site - explore our docs site and learn more about Auth0.

Getting Started

Requirements

Java 8 or above and javax.servlet version 3.

If you are using Spring, we recommend leveraging Spring's OIDC and OAuth2 support, as demonstrated by the Spring Boot Quickstart.

Installation

Add the dependency via Maven:

<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>mvc-auth-commons</artifactId>
  <version>1.12.0</version>
</dependency>

or Gradle:

implementation 'com.auth0:mvc-auth-commons:1.12.0'

Configure Auth0

Create a Regular Web Application in the Auth0 Dashboard. Verify that the "Token Endpoint Authentication Method" is set to POST.

Next, configure the callback and logout URLs for your application under the "Application URIs" section of the "Settings" page:

  • Allowed Callback URLs: The URL of your application where Auth0 will redirect to during authentication, e.g., http://localhost:3000/callback.
  • Allowed Logout URLs: The URL of your application where Auth0 will redirect to after user logout, e.g., http://localhost:3000/login.

Note the Domain, Client ID, and Client Secret. These values will be used later.

Add login to your application

Create a new AuthenticationController using your Auth0 domain, and Auth0 application client ID and secret. Configure the builder with a JwkProvider for your Auth0 domain.

public class AuthenticationControllerProvider {
    private String domain = "YOUR-AUTH0-DOMAIN";
    private String clientId = "YOUR-CLIENT-ID";
    private String clientSecret = "YOUR-CLIENT-SECRET";

    private AuthenticationController authenticationController;

    static {
        JwkProvider jwkProvider = new JwkProviderBuilder("YOUR-AUTH0-DOMAIN").build();
        authenticationController = AuthenticationController.newBuilder(domain, clientId, clientSecret)
                .withJwkProvider(jwkProvider)
                .build();
    }

    public getInstance() {
        return authenticationController;
    }
}

Note: The AuthenticationController.Builder is not to be reused, and an IllegalStateException will be thrown if build() is called more than once.

Redirect users to the Auth0 login page using the AuthenticationController:

@WebServlet(urlPatterns = {"/login"})
public class LoginServlet extends HttpServlet {

    @Override
    protected void doGet(final HttpServletRequest req, final HttpServletResponse res) throws ServletException, IOException {
        // Where your application will handle the authoriztion callback
        String redirectUrl = "http://localhost:3000/callback";

        String authorizeUrl = AuthenticationControllerProvider
                .getInstance()
                .buildAuthorizeUrl(req, res, redirectUrl)
                .build();
        res.sendRedirect(authorizeUrl);
    }
}

Finally, complete the authentication and obtain the tokens by calling handle() on the AuthenticationController.

@WebServlet(urlPatterns = {"/callback"})
public class CallbackServlet extends HttpServlet {

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
        try {
            // authentication complete; the tokens can be stored as needed
            Tokens tokens = AuthenticationControllerProvider
                    .getInstance()
                    .handle(req, res);
            res.sendRedirect("URL-AFTER-AUTHENTICATED");
        } catch (IdentityVerificationException e) {
            // handle authentication error
        }
    }
}

That's it! You have authenticated the user using Auth0.

Multiple Custom Domains Support

If your application needs to authenticate users against different Auth0 domains per request, use a DomainResolver instead of a static domain:

DomainResolver domainResolver = (request) -> {
    // resolve the Auth0 domain from the request (e.g., header, subdomain, etc.)
    return request.getHeader("X-Tenant-Domain");
};

AuthenticationController controller = AuthenticationController
        .newBuilder(domainResolver, clientId, clientSecret)
        .build();

The library handles storing and retrieving the resolved domain throughout the authentication flow. The returned Tokens object includes getDomain() and getIssuer() for tenant-specific session management. See EXAMPLES.md for more details.

API Reference

Feedback

Contributing

We appreciate feedback and contribution to this repo! Before you get started, please see the following:

Raise an issue

To provide feedback or report a bug, please raise an issue on our issue tracker.

Vulnerability Reporting

Please do not report security vulnerabilities on the public Github issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.


<img alt="Auth0 Logo" src="https://cdn.auth0.com/website/sdks/logos/auth0_light_mode.png" width="150">

Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout Why Auth0?

This project is licensed under the MIT license. See the LICENSE file for more info.

Extension points exported contracts — how you extend this code

DomainResolver (Interface)
(no doc)
src/main/java/com/auth0/DomainResolver.java

Core symbols most depended-on inside this repo

build
called by 54
src/main/java/com/auth0/AuthorizeUrl.java
verify
called by 51
src/main/java/com/auth0/IdTokenVerifier.java
sign
called by 34
src/main/java/com/auth0/SignedCookieUtils.java
newBuilder
called by 25
src/main/java/com/auth0/AuthenticationController.java
decode
called by 20
src/main/java/com/auth0/TransientCookieStore.java
verifySignature
called by 19
src/main/java/com/auth0/SignatureVerifier.java
getSession
called by 18
src/main/java/com/auth0/SessionUtils.java
withAudience
called by 16
src/main/java/com/auth0/AuthorizeUrl.java

Shape

Method 390
Class 38
Interface 2
Enum 1

Languages

Java100%

Modules by API surface

src/test/java/com/auth0/IdTokenVerifierTest.java48 symbols
src/test/java/com/auth0/RequestProcessorTest.java39 symbols
src/test/java/com/auth0/AuthenticationControllerTest.java39 symbols
src/test/java/com/auth0/AuthorizeUrlTest.java31 symbols
src/main/java/com/auth0/RequestProcessor.java31 symbols
src/test/java/com/auth0/TransientCookieStoreTest.java30 symbols
src/main/java/com/auth0/AuthenticationController.java27 symbols
src/test/java/com/auth0/SignedCookieUtilsTest.java18 symbols
src/main/java/com/auth0/AuthorizeUrl.java18 symbols
src/test/java/com/auth0/SignatureVerifierTest.java15 symbols
src/main/java/com/auth0/TransientCookieStore.java12 symbols
src/main/java/com/auth0/IdTokenVerifier.java12 symbols

For agents

$ claude mcp add auth0-java-mvc-common \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact