Delegation and the OIDC-conformant pipeline
This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.
Delegation is used for many operations, depending on your particular use case:
- Exchanging an ID token issued to one client for a new one issued to a different client
- Using a refresh token to obtain a fresh ID token
- Exchanging an ID token for a third-party API token, such as Firebase or AWS
Given that ID tokens should no longer be used as API tokens and that refresh tokens should be used only at the token endpoint, the delegation endpoint is now considered deprecated.
Clients marked as OIDC-conformant cannot be the source or target of Auth0-to-Auth0 delegation requests.
Third-party APIs (Firebase, AWS, etc.)
At the moment there is no OIDC-compliant mechanism to obtain third-party API tokens. To allow a gradual migration to the new authentication pipeline, delegation can still be used to obtain third-party API tokens. This use of delegation will be deprecated in future releases.
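One way to triage existing delegation calls against the rules above before migrating. This is an added example, not Auth0's code; the request field names (`client_id`, `target`, `api_type`, `id_token`, `refresh_token`), the `app` default for Auth0-to-Auth0 requests, the verdict labels and the client names are assumptions.

```python
from collections import Counter

# Constructed sample request bodies; field names are assumptions, values are placeholders.
SAMPLE_REQUESTS = [
    {"client_id": "legacy-web", "refresh_token": "<refresh-token>"},
    {"client_id": "legacy-web", "target": "legacy-api", "id_token": "<id-token>"},
    {"client_id": "legacy-web", "target": "new-spa", "id_token": "<id-token>"},
    {"client_id": "new-spa", "api_type": "firebase", "id_token": "<id-token>"},
    {"client_id": "legacy-web", "api_type": "aws", "id_token": "<id-token>"},
    {"client_id": "legacy-web"},
]
OIDC_CONFORMANT = {"new-spa"}  # constructed: clients marked as OIDC-conformant


def triage(request, oidc_conformant):
    """Classify one delegation request body according to the rules on this page."""
    source = request.get("client_id")
    target = request.get("target") or source  # assumption: no target means same client
    api_type = (request.get("api_type") or "app").lower()  # assumption: "app" = Auth0-to-Auth0

    if api_type != "app":
        # Third-party API tokens (Firebase, AWS, ...) have no OIDC-compliant replacement yet.
        return "allowed-for-now"
    if source in oidc_conformant or target in oidc_conformant:
        # OIDC-conformant clients cannot be source or target of Auth0-to-Auth0 delegation.
        return "rejected"
    if "refresh_token" in request:
        # Refresh tokens should be used only at the token endpoint.
        return "migrate-to-token-endpoint"
    if "id_token" in request:
        # ID tokens should no longer be exchanged or used as API tokens.
        return "migrate-off-id-token-exchange"
    return "malformed"


def summarize(requests, oidc_conformant):
    """Count verdicts so the migration backlog can be sized per category."""
    return Counter(triage(r, oidc_conformant) for r in requests)


if __name__ == "__main__":
    for verdict, count in sorted(summarize(SAMPLE_REQUESTS, OIDC_CONFORMANT).items()):
        print(f"{verdict:32} {count}")
```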