Overview
Key Concepts
- Auth0 supports the OAuth 2.0 protocol drafted by the Internet Engineering Task Force (IETF).
- Read about roles, grant types (or workflows), and endpoints from the OAuth 2.0 spec.
Roles
An OAuth 2.0 flow has the following roles:- Resource Owner: Entity that can grant access to a protected resource. Typically, this is the end-user.
- Resource Server: Server hosting the protected resources. This is the API you want to access.
- Client: Application requesting access to a protected resource on behalf of the Resource Owner.
- Authorization Server: Server that authenticates the Resource Owner and issues access tokens after getting proper authorization. In this case, Auth0.
Grant types
OAuth 2.0 defines four flows to get an access token. These flows are called grant types. Deciding which one is suited for your case depends mostly on your application type.- Authorization Code Flow: used by Web Apps executing on a server. This is also used by mobile apps, using the Proof Key for Code Exchange (PKCE) technique.
- Implicit Flow with Form Post: used by JavaScript-centric apps (Single-Page Applications) executing on the user’s browser.
- Resource Owner Password Flow: used by highly-trusted apps.
- Client Credentials Flow: used for machine-to-machine communication.
Endpoints
OAuth 2.0 uses two endpoints: the/authorize endpoint and the /oauth/token endpoint.
Authorization endpoint
The/authorize endpoint is used to interact with the resource owner and get the authorization to access the protected resource. To better understand this, imagine that you want to log in to a service using your Google account. First, the service redirects you to Google in order to authenticate (if you are not already logged in) and then you will get a consent screen, where you will be asked to authorize the service to access some of your data (protected resources); for example, your email address and your list of contacts.
The request parameters of the /authorize endpoint are:
You can configure custom query parameters when your application makes the initial call to the
/authorize endpoint to authenticate a user. You can use custom query parameters to provide additional context to the page template for the experience.
You must enable ID First to use the connection parameter. For more information on the connection parameter and the Universal Login experience, review Passwordless for Universal Login.
Query parameters prefixed with ext- automatically appear in the page template context.
This endpoint is used by the Authorization Code and the Implicit grant types. The authorization server needs to know which grant type the application wants to use since it affects the kind of credential it will issue:
- For the Authorization Code grant, it will issue an authorization code (which can later be exchanged for an access token at the
/oauth/tokenendpoint). - For the Implicit grant, it will issue an access token, which is an opaque string (or a in an Auth0 implementation) that denotes who has authorized which permissions (scopes) to which application.
response_type request parameter is used as follows:
- For the Authorization Code grant, use
response_type=codeto include the authorization code. - For the Implicit grant, use
response_type=tokento include an access token. An alternative is to useresponse_type=id_token tokento include both an access token and an .
response_mode. It is optional and can take the following values:
Token endpoint
The/oauth/token endpoint is used by the application in order to get an access token or a . It is used by all flows except for the Implicit Flow because in that case an access token is issued directly.
- In the Authorization Code Flow, the application exchanges the authorization code it got from the authorization endpoint for an access token.
- In the Client Credentials Flow and Resource Owner Password Credentials Grant Exchange, the application authenticates using a set of credentials and then gets an access token.
State parameters
Authorization protocols provide astate parameter that allows you to restore the previous state of your application. The state parameter preserves some state object set by the client in the Authorization request and makes it available to the client in the response. The primary reason for using the state parameter is to mitigate CSRF attacks. See Use OAuth 2.0 State Parameters for details.