
Authorization Code grant


This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.

The Authorization Code Grant is used by server-side applications that are capable of securely storing a client secret, and by native applications, which cannot keep a secret and instead use PKCE (Proof Key for Code Exchange) to prove that the party redeeming the code is the party that started the flow. This document describes how this flow differs between the legacy and OIDC-conformant authentication pipelines.

Authentication request

In the OIDC-conformant pipeline the /authorize request changes as follows:

  • favorite_color (or any other custom claim name) is no longer a valid scope value; custom claims are added to tokens through a rule instead.
  • The device parameter is removed. A Refresh Token is requested with the offline_access scope alone.
  • The audience parameter is optional. It names the API (Resource Server) that the Access Token should be valid for; without it, the Access Token is only usable against the /userinfo endpoint.

Authentication response

The response from Auth0 is identical in both pipelines: a 302 redirect to the registered redirect_uri carrying the authorization code and the state value from the request as query parameters. The application must compare that state with the one it generated before using the code.

Code exchange request

An authorization code is exchanged in the same way in both pipelines: a POST to the /oauth/token endpoint with grant_type=authorization_code, the code, the client_id, the same redirect_uri used in the authentication request, and either the client_secret (confidential clients) or the PKCE code_verifier (native clients).
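The three steps above (authentication request, redirect back with the code, code exchange) as one runnable walk-through. This is an added example, not Auth0's own code or a sample from this guide; the tenant domain, client id, API identifier and redirect URI are assumed placeholders, no network calls are made, and the callback URL fed to parse_callback is constructed. It builds the OIDC-conformant /authorize URL (audience instead of device, no custom-claim scopes), checks state on the way back, builds the /oauth/token body with a PKCE code_verifier in place of a client secret, and checks the token response against the Refresh Token rule described below.

```python
"""
Authorization Code grant with PKCE against an OIDC-conformant Auth0 tenant.
Added example (not Auth0's code). Tenant, client id, API identifier and
redirect URI are assumed placeholders. No network calls are made: each
function builds or checks one message of the exchange so it can be inspected.
"""
import base64
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

TENANT = "https://example.auth0.com"               # assumed tenant domain
CLIENT_ID = "abc123"                               # assumed client id
REDIRECT_URI = "https://app.example.com/callback"  # assumed registered callback
AUDIENCE = "https://api.example.com"               # assumed API identifier


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """code_verifier (43-128 unreserved chars) and its S256 code_challenge."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state: str, code_challenge: str,
                        scope: str = "openid profile offline_access") -> str:
    """GET /authorize request. openid is required; offline_access asks for a
    Refresh Token; audience names the API the Access Token should be valid for.
    There is no device parameter and no custom-claim scope such as favorite_color."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "audience": AUDIENCE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return TENANT + "/authorize?" + urlencode(params)


def parse_callback(location: str, expected_state: str) -> str:
    """Handle the 302 Location Auth0 redirects to. The state check stops an
    attacker from injecting a code they obtained into the victim's session."""
    qs = parse_qs(urlparse(location).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch")
    return qs["code"][0]


def build_token_request(code: str, code_verifier: str) -> Dict[str, str]:
    """Form body for POST {TENANT}/oauth/token. With PKCE the code_verifier
    takes the place of a client_secret, so a native app stores no secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }


def check_token_response(body: Dict[str, object], requested_scope: str) -> List[str]:
    """Consistency checks on the JSON the token endpoint returns. Returns the
    list of problems found; an empty list means the response is as expected."""
    problems: List[str] = []
    if body.get("token_type") != "Bearer":
        problems.append("token_type is not Bearer")
    if "access_token" not in body:
        problems.append("no access_token")
    requested = set(requested_scope.split())
    granted = set(str(body.get("scope", requested_scope)).split())
    if "openid" in requested and "id_token" not in body:
        problems.append("openid requested but no id_token returned")
    # OIDC-conformant rule: a Refresh Token comes back only if offline_access was granted.
    if "refresh_token" in body and "offline_access" not in granted:
        problems.append("refresh_token returned without offline_access")
    if "offline_access" in granted and "refresh_token" not in body:
        problems.append("offline_access granted but no refresh_token")
    return problems


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    print(build_authorize_url(state, challenge))
    # Constructed callback, shaped like the redirect Auth0 issues after login.
    code = parse_callback(REDIRECT_URI + "?code=SplxlOBeZQ&state=" + state, state)
    print(build_token_request(code, verifier))
```

The PKCE pair is generated per authorization request and the verifier is kept only in the client that started the flow; the server-side counterpart of this script would send a client_secret in build_token_request instead of the code_verifier.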

Code exchange response

Legacy:

  • The returned Access Token is only valid for calling the /userinfo endpoint.
  • A Refresh Token is returned only if a device parameter was passed and the offline_access scope was requested.

OIDC-conformant:

  • The returned Access Token is valid for calling the API specified in the audience parameter and the /userinfo endpoint, provided that the API is configured to sign tokens with RS256 and the openid scope was requested. If you are not implementing your own Resource Server (API), use https://{$account.namespace}/userinfo as the audience parameter; Auth0 then returns an opaque Access Token that only the /userinfo endpoint accepts.
  • A Refresh Token is returned only if the offline_access scope was granted.

ID Token structure

  • In the OIDC-conformant pipeline the favorite_color claim can no longer be obtained by requesting it as a scope. It must be added to the ID Token through a rule, under a namespaced claim name (a URL-style name, so that it cannot collide with standard OIDC claims).

Access Token structure (optional)

  • When the audience parameter names your own API and that API is configured for RS256, the Access Token is a signed JWT that the API can validate with the tenant's public keys; with the openid scope it is also accepted by the /userinfo endpoint. When the audience is https://{$account.namespace}/userinfo, or no audience is given, the Access Token is opaque: only the /userinfo endpoint can consume it, and your API has nothing it can verify.
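What the API on the receiving end checks once it holds such a token, as an added example that is not Auth0's code or part of this guide. The API identifier and issuer are assumed placeholders, the token is constructed inline with a placeholder signature, and signature verification against the tenant's JWKS is assumed to have been done by a JWT library before check_claims runs; what remains are the claim checks a library does not do for you (audience, issuer, expiry, scope), plus a way to tell an opaque token apart from a JWT.

```python
"""
Resource-server side: claim checks on an RS256 Access Token issued for an API.
Added example (not Auth0's code). API identifier and issuer are assumed
placeholders; the token below is constructed with a placeholder signature.
Signature verification against the tenant JWKS is assumed to happen first.
"""
import base64
import binascii
import json
from typing import Dict, Iterable, List

API_IDENTIFIER = "https://api.example.com"  # assumed API identifier (the audience value)
ISSUER = "https://example.auth0.com/"       # assumed tenant; Auth0 issuer URLs end with "/"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def is_jwt(token: str) -> bool:
    """An opaque token (audience omitted or set to /userinfo) is not three
    base64url segments with a JSON header; only /userinfo can consume it."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, binascii.Error):
        return False
    return isinstance(header, dict) and "alg" in header


def unverified_claims(token: str) -> Dict[str, object]:
    """Payload only. Never act on it before the signature has been verified."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_claims(claims: Dict[str, object], required_scopes: Iterable[str],
                 now: float) -> List[str]:
    """Claim checks after the signature is good. Returns the problems found."""
    problems: List[str] = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    # aud is a string or a list; with openid scope it also lists the /userinfo URL.
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if API_IDENTIFIER not in auds:
        problems.append("token not issued for this API")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired")
    granted = set(str(claims.get("scope", "")).split())
    for scope in required_scopes:
        if scope not in granted:
            problems.append("missing scope " + scope)
    return problems


def constructed_token(claims: Dict[str, object]) -> str:
    """Shape of an RS256 Access Token for the example. The signature segment is
    a placeholder, so this token would fail real verification."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode("utf-8")),
        _b64url_encode(json.dumps(claims).encode("utf-8")),
        "signature-placeholder",
    ])


# Constructed claim set, shaped like a token issued with audience=API_IDENTIFIER
# and scope "openid profile read:orders".
SAMPLE_CLAIMS: Dict[str, object] = {
    "iss": ISSUER,
    "sub": "auth0|123",
    "aud": [API_IDENTIFIER, "https://example.auth0.com/userinfo"],
    "iat": 1700000000,
    "exp": 1700003600,
    "scope": "openid profile read:orders",
}

if __name__ == "__main__":
    token = constructed_token(SAMPLE_CLAIMS)
    print("jwt:", is_jwt(token), "opaque:", is_jwt("opaque-token-value"))
    print(check_claims(unverified_claims(token), ["read:orders"], now=1700000100))
```

An API that receives an opaque token (is_jwt returns False) cannot validate it locally and should reject it; that is the case the audience parameter exists to avoid.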
