Calling APIs from Server-side Web Apps
In order to access an API from a regular web app, you need to implement the Authorization Code OAuth 2.0 grant. In this document we will see how this flow works.
Overview of the flow
The Authorization Code Grant (defined in RFC 6749, section 4.1) is a flow where the browser receives an Authorization Code from Auth0 and sends this to the web app. The web app will then interact with Auth0 and exchange the Authorization Code for an access_token, and optionally an id_token and a refresh_token. The web app can now use this access_token to call the API on behalf of the user.
1. The web app initiates the flow and redirects the browser to Auth0 (specifically to the /authorize endpoint), so the user can authenticate.
2. Auth0 authenticates the user (via the browser). The first time the user goes through this flow, a consent page is shown listing the permissions that will be given to the Client (for example: post messages, list contacts, and so forth).
3. Auth0 redirects the user to the web app (specifically to the redirect_uri, as specified in the /authorize request) with an Authorization Code in the querystring.
4. The web app sends the Authorization Code to Auth0 and asks to exchange it for an access_token (and optionally a refresh_token). This is done using the /oauth/token endpoint. When making this request, the web app authenticates with Auth0 using the Client Id and Client Secret.
5. Auth0 authenticates the web app, validates the Authorization Code and responds with the token.
6. The web app can use the access_token to call the API on behalf of the user.
NOTE: In OAuth 2.0 terms, the web app is the Client, the end user the Resource Owner, the API the Resource Server, the browser the User Agent, and Auth0 the Authorization Server.
How to implement the flow
For details on how to implement this using Auth0, refer to Executing an Authorization Code Grant flow.
Rules will run for the Authorization Code grant. If you wish to execute special logic unique to the Authorization Code grant, you can look at the context.protocol property in your rule. If the value is oidc-basic-profile, then the rule is running during the Authorization Code grant.
For details on how to implement this, refer to Execute an Authorization Code Grant Flow: Customize the Tokens.
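An added example of the check described above (not a Rule from the Auth0 documentation). It uses the Rule signature `function (user, context, callback)` and the `context.protocol` value named in the text; the namespaced claim name and the constructed protocol value used for the non-matching case are hypothetical.

```javascript
// Added example (not from the Auth0 docs): a Rule that adds a claim to the
// access_token only when the Authorization Code grant is running.
function addGrantClaim(user, context, callback) {
  // Any other grant type: pass user and context through unchanged.
  if (context.protocol !== 'oidc-basic-profile') {
    return callback(null, user, context);
  }
  // Hypothetical namespace for a custom claim on the access_token.
  const namespace = 'https://example.com/claims/';
  context.accessToken = context.accessToken || {};
  context.accessToken[namespace + 'grant'] = 'authorization_code';
  return callback(null, user, context);
}
```

Errors are reported by passing an Error object as the first argument to `callback`, which makes Auth0 abort the flow instead of issuing tokens.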
- How to implement an Authorization Code Grant flow
- How to configure an API in Auth0
- Why you should always use access tokens to secure an API
- Web App Quickstarts
- Client Authentication for Server-side Web Apps
- Authentication API: GET /authorize
- Authentication API: POST /oauth/token
- The OAuth 2.0 protocol
- The OpenID Connect protocol
- Tokens used by Auth0
- Integrating a Web App with Auth0
- RFC 6749