Delegation and the OIDC-conformant pipeline

Delegation is a deprecated feature. The functionality will continue to work for the customers that currently have it enabled. If at some point the delegation feature is changed or removed from service, customers who currently use it will be notified beforehand and given ample time to migrate.

Adoption Guide

This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.

Delegation is used for many operations, depending on your particular use case:

  • Exchanging an ID Token issued to one application for a new one issued to a different application
  • Using a Refresh Token to obtain a fresh ID Token
  • Exchanging an ID Token for a third-party API token, such as Firebase or AWS

Given that ID Tokens should no longer be used as API tokens and that Refresh Tokens should be used only at the token endpoint, the delegation endpoint is now considered deprecated.

Applications marked as OIDC-conformant cannot be the source or target of Auth0-to-Auth0 delegation requests.

Third-party APIs (such as Firebase or AWS)

At the moment there is no OIDC-compliant mechanism to obtain third-party API tokens. In order to facilitate a gradual migration to the new authentication pipeline, delegation can still be used to obtain third-party API tokens. This will be deprecated in future releases.
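As an added illustration (not Auth0's code), the script below sorts delegation requests taken from an application's own request logs into the use cases listed above and marks which ones must be migrated before the application is flagged OIDC-conformant. The parameter names (`api_type`, `refresh_token`, `id_token`, `target`), the default `api_type` of `app`, and the sample request bodies are assumptions and constructed data, not taken from this page.

```python
from collections import Counter
from typing import NamedTuple
from urllib.parse import parse_qs

# Third-party targets the page names as examples; extend for your tenant.
THIRD_PARTY = {"aws", "firebase"}


class Finding(NamedTuple):
    use_case: str
    must_migrate: bool  # True when the page gives no reason to keep using delegation


def classify(body: str) -> Finding:
    """Classify one form-encoded delegation request body (assumed parameter names)."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    api_type = params.get("api_type", "app").lower()  # assumed default: "app"
    # Checked first: third-party tokens have no OIDC-conformant replacement yet.
    if api_type in THIRD_PARTY:
        return Finding("third_party_api_token", False)
    # Refresh Tokens belong only at the token endpoint.
    if "refresh_token" in params:
        return Finding("refresh_to_id_token", True)
    # Auth0-to-Auth0 exchange: not allowed for OIDC-conformant applications.
    if "id_token" in params:
        return Finding("app_to_app_id_token_exchange", True)
    return Finding("unrecognised", True)  # review by hand


def audit(bodies) -> dict:
    """Count how many logged delegation calls must migrate and how many can stay."""
    counts = Counter("migrate" if classify(b).must_migrate else "keep" for b in bodies)
    return dict(counts)


# Constructed sample request bodies; token values are placeholders.
GRANT = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer"
SAMPLE = [
    f"client_id=APP_A&{GRANT}&id_token=PLACEHOLDER_ID_TOKEN&target=APP_B&api_type=app",
    f"client_id=APP_A&{GRANT}&refresh_token=PLACEHOLDER_RT&scope=openid",
    f"client_id=APP_A&{GRANT}&id_token=PLACEHOLDER_ID_TOKEN&api_type=firebase",
]

if __name__ == "__main__":
    for body in SAMPLE:
        print(classify(body))
    print(audit(SAMPLE))
```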
