fix(auth0-express): improve authRequired and middleware documentation

[frederikprijck]

Description

This PR improves the auth0-express skill documentation in three areas:

Bug fix:

• authRequired was incorrectly documented as defaulting to false; the actual default in express-openid-connect is true. Fixed in SKILL.md, api.md, and the Quick Reference section.

Missing request properties:

• Added req.oidc.idTokenClaims — decoded ID token claims object
• Added req.oidc.fetchUserInfo() — fetch additional user info from the /userinfo endpoint
• Clarified req.oidc.idToken and req.oidc.refreshToken types (string)

New documentation:

• Added Authorization Helpers Quick Reference section: requiresAuth(), claimEquals(), claimIncludes(), claimCheck()
• Added Claim-Based Authorization section in integration.md with examples for each helper
• Added fetchUserInfo() integration example in integration.md
• Added token refresh / expiry pattern using isExpired() and refresh() on the accessToken object
• Added Response Type Options reference section in api.md explaining code vs id_token flows

References

https://github.com/auth0/express-openid-connect/blob/master/lib/config.js#L215

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not the default branch

Summary by CodeRabbit

• Documentation
  • Updated Auth0 Express skill documentation to clarify authentication configuration defaults and behaviors.
  • Added guidance on access token management, refresh token handling, and claim-based authorization patterns.
  • Expanded common issues section with troubleshooting for configuration problems.
  • Added new sections covering user information fetching and session management best practices.

[github-actions]

✅ claudelint — All checks passed

Full report

Linting Claude plugins in: /home/runner/work/agent-skills/agent-skills


Summary:
  Errors:   0
  Warnings: 0

✓ All checks passed!

claudelint 0.3.6 · config · custom rules · run

[github-actions]

✅ skillsaw — All checks passed

Full report

Linting: /home/runner/work/agent-skills/agent-skills


Summary:
  Errors:   0
  Warnings: 0

✓ All checks passed!

skillsaw 0.4.3 · config · custom rules · run

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

📝 Walkthrough

Walkthrough

Documentation-only updates to three Auth0 Express skill markdown files. Changes correct the authRequired default from false to true, expand the req.oidc properties and authorization helpers reference, clarify response_type: 'code' and clientSecret requirements for API access tokens, and add new sections covering refresh tokens, claim-based authorization, fetchUserInfo(), and common troubleshooting entries.

Changes

Auth0 Express Skill Documentation

Layer / File(s)	Summary
authRequired default corrections plugins/auth0/skills/auth0-express/SKILL.md, plugins/auth0/skills/auth0-express/references/api.md	Corrects authRequired default from false to true in the SKILL.md quick reference and inline comments; inserts a note about omission behavior and requiresAuth() usage; aligns the api.md authRequired comment with the corrected default.
Expanded req.oidc and authorization helpers reference plugins/auth0/skills/auth0-express/SKILL.md	Adds idTokenClaims, refreshToken, and fetchUserInfo() to the req.oidc properties list; replaces the narrow authorization helpers list with requiresAuth, claimEquals, claimIncludes, and claimCheck.
API access token: response_type and clientSecret guidance plugins/auth0/skills/auth0-express/references/api.md	Adds a note requiring response_type: 'code' for API access tokens; updates middleware config examples with clientSecret and authorizationParams.response_type; adds a new "Response Type Options" section contrasting authorization code vs implicit flow; extends the Common Issues table with a "No access token for API" entry.
Refresh tokens, claim-based auth, and fetchUserInfo plugins/auth0/skills/auth0-express/references/integration.md	Adds offline_access/refresh token guidance with isExpired() and refresh() examples; introduces claim-based route protection using claimEquals, claimIncludes, and custom claimCheck callbacks; adds a fetchUserInfo() section with a /userinfo route example and error handling.
Common Issues table additions plugins/auth0/skills/auth0-express/references/integration.md	Appends "Redirect loop" (with authRequired: false guidance) and "Callback URL mismatch" rows to the troubleshooting table.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• auth0/agent-skills#124: Modifies references/integration.md and related docs to clarify authorizationParams requirements and how API access tokens are exposed via req.oidc.accessToken, directly overlapping with the access token and authorizationParams guidance updated in this PR.

Poem

🐇 Hop hop, the docs are clear at last,
authRequired: true — that's the default cast!
With response_type: 'code' for tokens galore,
And claimEquals, fetchUserInfo — so much more.
The rabbit refreshed each stale little line,
Now the Auth0 Express skill docs truly shine! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately summarizes the main change: improving documentation for authRequired behavior and middleware in the auth0-express skill.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/update-express

Warning

Review ran into problems

🔥 Problems

Stopped waiting for pipeline failures after 30000ms. One of your pipelines takes longer than our 30000ms fetch window to run, so review may not consider pipeline-failure results for inline comments if any failures occurred after the fetch window. Increase the timeout if you want to wait longer or run a @coderabbit review after the pipeline has finished.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@plugins/auth0/skills/auth0-express/references/api.md`:
- Around line 207-248: The Authorization Code Flow section's code example with
response_type: 'code' is incomplete regarding refresh token availability. Update
the code example in the Authorization Code Flow section to include the scope
parameter in authorizationParams, explicitly adding the 'offline_access' scope.
This scope is required to request and receive refresh tokens from Auth0 and
should be combined with other standard scopes like 'openid profile email' to
demonstrate a complete and correct configuration.

In `@plugins/auth0/skills/auth0-express/references/integration.md`:
- Around line 174-196: Add clarification to the code example showing automatic
token refresh to document that the offline_access scope must be included during
initial authentication for the refresh() method to work properly. This note
should be placed before or within the code example to make it clear that without
the offline_access scope, the refresh token will not be available and the
refresh() method cannot successfully obtain a new access token.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: a5fc7ed9-b813-4ad3-90be-69acbae26316

📥 Commits

Reviewing files that changed from the base of the PR and between fcc4f20 and 5459b8b.

📒 Files selected for processing (3)

• plugins/auth0/skills/auth0-express/SKILL.md
• plugins/auth0/skills/auth0-express/references/api.md
• plugins/auth0/skills/auth0-express/references/integration.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

What is the default response_type in express-openid-connect if authorizationParams.response_type is not specified?

💡 Result:

In the express-openid-connect library, the default value for response_type within authorizationParams is 'id_token' [1][2]. When authorizationParams is not explicitly provided by your application, the library defaults the entire object to [1][3]: { response_type: 'id_token', response_mode: 'form_post', scope: 'openid profile email' } This configuration uses the Implicit Flow [4][2]. If you override authorizationParams and specify a different response_type (such as 'code'), you are responsible for ensuring that all other required parameters, such as the appropriate scope and response_mode, are correctly set [1][2].

Citations:

• 1: https://auth0.github.io/express-openid-connect/interfaces/ConfigParams.html
• 2: https://deepwiki.com/auth0/express-openid-connect/4.3-authentication-parameters
• 3: https://github.com/auth0/express-openid-connect/blob/4824f378/index.d.ts
• 4: https://auth0.com/blog/auth0-s-express-openid-connect-sdk/

---

🌐 Web query:

express-openid-connect authorization code flow refresh tokens

💡 Result:

The express-openid-connect middleware supports refresh tokens within the Authorization Code flow [1][2]. To utilize them, you must configure your application to request the offline_access scope [3][4][2]. Configuration Requirements: 1. Authorization Code Flow: You must set authorizationParams.response_type to 'code' (or 'code id_token') in your configuration [4][2]. This requires a clientSecret to be provided [3][5][2]. 2. Scope: You must include 'offline_access' in your authorizationParams.scope [3][2]. Once these conditions are met, the middleware will store the refresh token in the session [2][6]. You can access it via req.oidc.refreshToken [7][6]. Token Refresh Process: To refresh an expired access token, you should use the refresh method available on the req.oidc.accessToken object [4][8]. Example Usage: app.get('/', async (req, res) => { let { access_token, isExpired, refresh } = req.oidc.accessToken; if (isExpired) { ({ access_token } = await refresh); } // Proceed with authorized API call using the (possibly refreshed) access_token }); The refresh method performs the following steps: 1. Validates that a refresh token is available [4][6]. 2. Calls the Identity Provider's token endpoint to exchange the refresh token for new tokens [4][2][6]. 3. Automatically updates the user's session with the new access token and any other received tokens (e.g., new refresh token or ID token) [4][2][6]. 4. Returns the new AccessToken object [5][8][6]. If the authorization server does not return a new refresh token, the existing one is preserved in the session for future use [2][6].

Citations:

• 1: https://deepwiki.com/auth0/express-openid-connect/5-authentication-flows
• 2: https://deepwiki.com/auth0/express-openid-connect/8-token-management
• 3: https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md
• 4: https://deepwiki.com/auth0/express-openid-connect/8.2-token-refresh
• 5: https://deepwiki.com/auth0/express-openid-connect/8.3-calling-external-apis
• 6: https://deepwiki.com/auth0/express-openid-connect/3.2-request-and-response-contexts
• 7: https://auth0.github.io/express-openid-connect/interfaces/RequestContext.html
• 8: https://auth0.github.io/express-openid-connect/interfaces/AccessToken.html

---

🌐 Web query:

express-openid-connect response_type code access token configuration

💡 Result:

To configure express-openid-connect to obtain an access token, you must use the Authorization Code flow by setting the response_type to 'code' within the authorizationParams of your middleware configuration [1][2][3]. Key requirements for this configuration include: 1. Response Type: You must set authorizationParams.response_type to 'code' (or 'code id_token') [4][3][5]. The default configuration uses 'id_token', which does not provide an access token [1][4]. 2. Audience: You must specify an audience parameter in authorizationParams to identify the target API for which the access token is requested [1][6][3]. 3. Scope: Your scope must include 'openid' along with any required API-specific permissions [1][6][3]. Including 'offline_access' in the scope will also allow you to obtain a refresh token [2][6][5]. 4. Client Secret: Using 'code' as the response_type requires you to provide a valid client secret in your main configuration [2][7][3]. Example configuration: app.use( auth({ authorizationParams: { response_type: 'code', audience: 'https://your-api-identifier', scope: 'openid profile email read:reports', }, // Ensure clientSecret is provided in your environment or config })); Once configured, the access token is automatically made available on the request context as req.oidc.accessToken [2][3][5]. You can access it in your routes as follows: app.get('/api-call', requiresAuth, async (req, res) => { const { token_type, access_token } = req.oidc.accessToken; // Use access_token to call your API }); If you include 'offline_access' in your scope, you can also access a refresh method on the req.oidc.accessToken object to obtain new access tokens when the current one expires [2][7][5].

Citations:

• 1: https://auth0.github.io/express-openid-connect/interfaces/ConfigParams.html
• 2: https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md
• 3: https://deepwiki.com/auth0/express-openid-connect/8.3-calling-external-apis
• 4: https://deepwiki.com/auth0/express-openid-connect/4.3-authentication-parameters
• 5: https://deepwiki.com/auth0/express-openid-connect/8-token-management
• 6: https://github.com/auth0/agent-skills/blob/main/plugins/auth0/skills/auth0-express/references/integration.md
• 7: https://github.com/auth0/express-openid-connect/blob/4824f378/EXAMPLES.md

---

Add offline_access scope requirement to Authorization Code Flow section.

The documentation correctly identifies the default response_type as 'id_token' and accurately describes the authorization code flow benefits. However, the Authorization Code Flow section (lines 207–220) incompletely describes refresh token availability. Refresh tokens are not automatically provided with response_type: 'code'—the 'offline_access' scope must be explicitly included in authorizationParams.scope to request and receive a refresh token.

Update the code example to demonstrate the complete configuration:

app.use(auth({
  authorizationParams: {
    response_type: 'code',
    scope: 'openid profile email offline_access'  // offline_access required for refresh token
  },
  clientSecret: process.env.CLIENT_SECRET
}));

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/auth0/skills/auth0-express/references/api.md` around lines 207 - 248,
The Authorization Code Flow section's code example with response_type: 'code' is
incomplete regarding refresh token availability. Update the code example in the
Authorization Code Flow section to include the scope parameter in
authorizationParams, explicitly adding the 'offline_access' scope. This scope is
required to request and receive refresh tokens from Auth0 and should be combined
with other standard scopes like 'openid profile email' to demonstrate a complete
and correct configuration.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

In express-openid-connect, are isExpired() and refresh() callable methods on the accessToken object? What does refresh() return?

💡 Result:

Yes, isExpired and refresh are both callable methods on the accessToken object in express-openid-connect [1][2]. isExpired: This method returns a boolean value (true if the access token has expired, false otherwise) [1][2]. It internally delegates to the underlying openid-client library's check of the access token's expiration timestamp [3][4]. refresh: This method performs a refresh token grant exchange with the identity provider and updates the session with the new tokens [1][3]. It returns a Promise that resolves to the new AccessToken object [1][2]. When called, it updates the session's access token, preserves relevant data like the ID token or refresh token if not returned, and clears the cached TokenSet to ensure the updated information is used subsequently [3][4]. Note that for this method to be functional, a refresh token must have been obtained during the initial authentication (typically by including the offline_access scope) [3][4][5].

Citations:

• 1: https://auth0.github.io/express-openid-connect/interfaces/AccessToken.html
• 2: https://github.com/auth0/express-openid-connect/blob/master/index.d.ts
• 3: https://deepwiki.com/auth0/express-openid-connect/8.2-token-refresh
• 4: https://deepwiki.com/auth0/express-openid-connect/8-token-management
• 5: https://auth0.com/docs/quickstart/webapp/express

---

Add a note about the offline_access scope requirement.

The isExpired() and refresh() methods are correctly documented as callable methods on the accessToken object, and refresh() correctly returns a Promise that resolves to an AccessToken object with the access_token property. However, the code example omits a critical prerequisite: the refresh token is only available if the offline_access scope was included during initial authentication. Update the example to clarify this requirement.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/auth0/skills/auth0-express/references/integration.md` around lines
174 - 196, Add clarification to the code example showing automatic token refresh
to document that the offline_access scope must be included during initial
authentication for the refresh() method to work properly. This note should be
placed before or within the code example to make it clear that without the
offline_access scope, the refresh token will not be available and the refresh()
method cannot successfully obtain a new access token.