chore(docs): add support for backchannel authentication

Author: guabu

EXAMPLES.md

@@ -32,6 +32,7 @@
 - [Cookie Configuration](#cookie-configuration)
 - [Transaction Cookie Configuration](#transaction-cookie-configuration)
 - [Database sessions](#database-sessions)
+- [Back-Channel Authentication](#back-channel-authentication)
 - [Back-Channel Logout](#back-channel-logout)
 - [Combining middleware](#combining-middleware)
 - [ID Token claims and the user object](#id-token-claims-and-the-user-object)
@@ -48,8 +49,8 @@
   - [On the server (Pages Router)](#on-the-server-pages-router-3)
   - [Middleware](#middleware-3)
 - [Customizing Auth Handlers](#customizing-auth-handlers)
-    - [Run custom code before Auth Handlers](#run-custom-code-before-auth-handlers)
-    - [Run code after callback](#run-code-after-callback)
+  - [Run custom code before Auth Handlers](#run-custom-code-before-auth-handlers)
+  - [Run code after callback](#run-code-after-callback)
 
 ## Passing authorization parameters
 
@@ -965,6 +966,7 @@ export const auth0 = new Auth0Client({
 ## Transaction Cookie Configuration
 
 ### Customizing Transaction Cookie Expiration
+
 You can configure transaction cookies expiration by providing a `maxAge` proeprty for `transactionCookie`.
 
 ```ts
@@ -975,11 +977,13 @@ export const auth0 = new Auth0Client({
   },
 }
 ```
+
 Transaction cookies are used to maintain state during authentication flows. The SDK provides several configuration options to manage transaction cookie behavior and prevent cookie accumulation issues.
 
 ### Transaction Management Modes
 
 **Parallel Transactions (Default)**
+
 ```ts
 const authClient = new Auth0Client({
   enableParallelTransactions: true // Default: allows multiple concurrent logins
@@ -988,6 +992,7 @@ const authClient = new Auth0Client({
 ```
 
 **Single Transaction Mode**
+
 ```ts
 const authClient = new Auth0Client({
   enableParallelTransactions: false // Only one active transaction at a time
@@ -996,25 +1001,27 @@ const authClient = new Auth0Client({
 ```
 
 **Use Parallel Transactions (Default) When:**
+
 - Users might open multiple tabs and attempt to log in simultaneously
 - You want maximum compatibility with typical user behavior
 - Your application supports multiple concurrent authentication flows
 
 **Use Single Transaction Mode When:**
+
 - You want to prevent cookie accumulation issues in applications with frequent login attempts
 - You prefer simpler transaction management
 - Users typically don't need multiple concurrent login flows
 - You're experiencing cookie header size limits due to abandoned transaction cookies edge cases
 
 ### Transaction Cookie Options
 
-| Option                     | Type                              | Description                                                                                                                                                                                                     |
-| -------------------------- | --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| cookieOptions.maxAge       | `number`                          | The expiration time for transaction cookies in seconds. Defaults to `3600` (1 hour). After this time, abandoned transaction cookies will expire automatically.                                                 |
-| cookieOptions.prefix       | `string`                          | The prefix for transaction cookie names. Defaults to `__txn_`. In parallel mode, cookies are named `__txn_{state}`. In single mode, just `__txn_`.                                                           |
-| cookieOptions.sameSite     | `"strict" \| "lax" \| "none"`     | Controls when the cookie is sent with cross-site requests. Defaults to `"lax"`.                                                                                                                                |
-| cookieOptions.secure       | `boolean`                         | When `true`, the cookie will only be sent over HTTPS connections. Automatically determined based on your application's base URL protocol if not specified.                                                     |
-| cookieOptions.path         | `string`                          | Specifies the URL path for which the cookie is valid. Defaults to `"/"`.                                                                                                                                       |
+| Option                 | Type                          | Description                                                                                                                                                    |
+| ---------------------- | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| cookieOptions.maxAge   | `number`                      | The expiration time for transaction cookies in seconds. Defaults to `3600` (1 hour). After this time, abandoned transaction cookies will expire automatically. |
+| cookieOptions.prefix   | `string`                      | The prefix for transaction cookie names. Defaults to `__txn_`. In parallel mode, cookies are named `__txn_{state}`. In single mode, just `__txn_`.             |
+| cookieOptions.sameSite | `"strict" \| "lax" \| "none"` | Controls when the cookie is sent with cross-site requests. Defaults to `"lax"`.                                                                                |
+| cookieOptions.secure   | `boolean`                     | When `true`, the cookie will only be sent over HTTPS connections. Automatically determined based on your application's base URL protocol if not specified.     |
+| cookieOptions.path     | `string`                      | Specifies the URL path for which the cookie is valid. Defaults to `"/"`.                                                                                       |
 
 ## Database sessions
 
@@ -1041,6 +1048,28 @@ export const auth0 = new Auth0Client({
 });
 ```
 
+## Using Client-Initiated Backchannel Authentication
+
+Using Client-Initiated Backchannel Authentication can be done by calling `backchannelAuthentication()`:
+
+```ts
+import { auth0 } from "@/lib/auth0";
+
+const tokenResponse = await auth0.backchannelAuthentication({
+  bindingMessage: "",
+  loginHint: {
+    sub: "auth0|123456789"
+  }
+});
+```
+
+- `bindingMessage`: A human-readable message to be displayed at the consumption device and authentication device. This allows the user to ensure the transaction initiated by the consumption device is the same that triggers the action on the authentication device.
+- `loginHint.sub`: The `sub` claim of the user that is trying to login using Client-Initiated Backchannel Authentication, and to which a push notification to authorize the login will be sent.
+
+> [!IMPORTANT]  
+> Using Client-Initiated Backchannel Authentication requires the feature to be enabled in the Auth0 dashboard.
+> Read [the Auth0 docs](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow) to learn more about Client-Initiated Backchannel Authentication.
+
 ## Back-Channel Logout
 
 The SDK can be configured to listen to [Back-Channel Logout](https://auth0.com/docs/authenticate/login/logout/back-channel-logout) events. By default, a route will be mounted `/auth/backchannel-logout` which will verify the logout token and call the `deleteByLogoutToken` method of your session store implementation to allow you to remove the session.
@@ -1402,6 +1431,7 @@ export async function middleware(request: NextRequest) {
 Authentication routes (`/auth/login`, `/auth/logout`, `/auth/callback`) are handled automatically by the middleware. You can intercept these routes in your middleware to run custom logic before the auth handlers execute.
 
 This approach allows you to:
+
 - Run custom code before authentication actions (logging, analytics, validation)
 - Modify the response (set cookies, headers, etc.)
 - Implement custom redirects or early returns when needed
@@ -1413,48 +1443,49 @@ The middleware-based approach provides the same level of control as v3's custom
 ### Run custom code before Auth Handlers
 
 Following example shows how to run custom logic before the response of `logout` handler is returned:
+
 ```ts
 export async function middleware(request) {
+  // prepare NextResponse object from auth0 middleware
+  const authRes = await auth0.middleware(request);
 
-    // prepare NextResponse object from auth0 middleware
-    const authRes = await auth0.middleware(request);
-
-    // The following interceptUrls can be used:
-    //    "/auth/login" : intercept login auth handler
-    //    "/auth/logout" : intercept logout auth handler
-    //    "/auth/callback" : intercept callback auth handler
-    //    "/your/login/returnTo/url" : intercept redirect after login, this is the login returnTo url
-    //    "/your/logout/returnTo/url" : intercept redirect after logout, this is the logout returnTo url
-
-    const interceptUrl = "/auth/logout";
-    
-    // intercept auth handler
-    if (request.nextUrl.pathname === interceptUrl) {
-        // do custom stuff
-        console.log("Pre-logout code")
-
-        // Example: Set a cookie
-        authRes.cookies.set('myCustomCookie', 'cookieValue', { path: '/' });
-        // Example: Set another cookie with options
-        authRes.cookies.set({
-            name: 'anotherCookie',
-            value: 'anotherValue',
-            httpOnly: true,
-            path: '/',
-        });
-
-        // Example: Delete a cookie
-        // authRes.cookies.delete('cookieNameToDelete');
-
-        // you can also do an early return here with your own NextResponse object
-        // return NextResponse.redirect(new URL('/custom-logout-page'));
-    }
+  // The following interceptUrls can be used:
+  //    "/auth/login" : intercept login auth handler
+  //    "/auth/logout" : intercept logout auth handler
+  //    "/auth/callback" : intercept callback auth handler
+  //    "/your/login/returnTo/url" : intercept redirect after login, this is the login returnTo url
+  //    "/your/logout/returnTo/url" : intercept redirect after logout, this is the logout returnTo url
+
+  const interceptUrl = "/auth/logout";
+
+  // intercept auth handler
+  if (request.nextUrl.pathname === interceptUrl) {
+    // do custom stuff
+    console.log("Pre-logout code");
+
+    // Example: Set a cookie
+    authRes.cookies.set("myCustomCookie", "cookieValue", { path: "/" });
+    // Example: Set another cookie with options
+    authRes.cookies.set({
+      name: "anotherCookie",
+      value: "anotherValue",
+      httpOnly: true,
+      path: "/"
+    });
 
-    // return the original auth0-handled NextResponse object
-    return authRes
+    // Example: Delete a cookie
+    // authRes.cookies.delete('cookieNameToDelete');
+
+    // you can also do an early return here with your own NextResponse object
+    // return NextResponse.redirect(new URL('/custom-logout-page'));
+  }
+
+  // return the original auth0-handled NextResponse object
+  return authRes;
 }
 ```
 
 ### Run code after callback
-Please refer to [onCallback](https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#oncallback) 
-for details on how to run code after callback.
+
+Please refer to [onCallback](https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#oncallback)
+for details on how to run code after callback.

src/server/client.ts

@@ -744,7 +744,7 @@ export class Auth0Client {
    * Using Client-Initiated Backchannel Authentication requires the feature to be enabled in the Auth0 dashboard.
    * @see https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow
    */
-  async backchannelLogin(options: BackchannelAuthenticationOptions) {
+  async backchannelAuthentication(options: BackchannelAuthenticationOptions) {
     const [error, response] =
       await this.authClient.backchannelAuthentication(options);