Authentication lacks documentation. Its difficult to implement and many of the implementation guides are unclear about what should be configured and what should remain untouched. This seems to be a general trend in npm packages. They will often reference app.[object] which is reasonable. The 'app' is clear, but then they will extend the same phrasing to everything else and assume that you will understand which is part of the app and which needs configuring.