Delegation and the OIDC-conformant pipeline

By default, delegation is disabled for tenants without an add-on in use as of 8 June 2017. Legacy tenants who currently use an add-on that requires delegation may continue to use this feature. If delegation functionality is changed or removed from service at some point, customers who currently use it will be notified beforehand and given ample time to migrate.

Adoption Guide

This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.

Delegation is used for many operations, depending on your particular use case:

  • Exchanging an ID Token issued to one application for a new one issued to a different application
  • Using a Refresh Token to obtain a fresh ID Token
  • Exchanging an ID Token for a third-party API token, such as Firebase or AWS

Given that ID Tokens should no longer be used as API tokens and that Refresh Tokens should be used only at the token endpoint, the delegation endpoint is now considered deprecated.

Applications marked as OIDC-conformant cannot be the source or target of Auth0-to-Auth0 delegation requests.

Third-party APIs (such as Firebase or AWS)

At the moment there is no OIDC-compliant mechanism to obtain third-party API tokens. In order to facilitate a gradual migration to the new authentication pipeline, delegation can still be used to obtain third-party API tokens. This will be deprecated in future releases.
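To plan a migration, captured delegation requests can be sorted into the cases described above. The following is an added example, not Auth0's code. It assumes form-encoded request bodies and the field names `client_id`, `target`, `id_token`, `refresh_token` and `api_type`, with `firebase` and `aws` as `api_type` values; none of these names appear on this page, and the sample bodies are constructed.

```python
from collections import Counter
from urllib.parse import parse_qs

# Assumptions (not from this page): the form field names client_id, target,
# id_token, refresh_token and api_type, and the api_type values below.
THIRD_PARTY_API_TYPES = {"firebase", "aws"}  # the two third parties the page names

GUIDANCE = {
    "third-party-allowed": "still permitted via delegation; expect future deprecation",
    "blocked-oidc-conformant": "OIDC-conformant app cannot be source or target",
    "use-token-endpoint": "send the Refresh Token to the token endpoint instead",
    "replace-id-token-exchange": "stop exchanging ID Tokens between applications",
}


def classify_delegation_call(body, oidc_conformant_clients):
    """Return the GUIDANCE key for one form-encoded delegation request body."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("api_type", "").lower() in THIRD_PARTY_API_TYPES:
        return "third-party-allowed"
    # Everything else is treated as Auth0-to-Auth0 delegation.
    if {form.get("client_id"), form.get("target")} & set(oidc_conformant_clients):
        return "blocked-oidc-conformant"
    if "refresh_token" in form:
        return "use-token-endpoint"
    return "replace-id-token-exchange"


def audit(bodies, oidc_conformant_clients):
    """Count delegation calls per guidance key across captured request bodies."""
    return Counter(classify_delegation_call(b, oidc_conformant_clients) for b in bodies)


# Constructed sample request bodies; client ids and token values are placeholders.
SAMPLE_BODIES = [
    "client_id=legacy-web&id_token=PLACEHOLDER&api_type=firebase",
    "client_id=legacy-web&refresh_token=PLACEHOLDER",
    "client_id=legacy-web&id_token=PLACEHOLDER&target=legacy-api-app",
    "client_id=legacy-web&id_token=PLACEHOLDER&target=new-spa",
    "client_id=new-spa&refresh_token=PLACEHOLDER",
]

if __name__ == "__main__":
    for key, count in audit(SAMPLE_BODIES, {"new-spa"}).items():
        print(f"{count}x {key}: {GUIDANCE[key]}")
```

Any `api_type` outside the assumed third-party set is treated as Auth0-to-Auth0 delegation, so extend that set if your tenant uses other third-party add-ons.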
