Auth0 Grant Types Mapping
When registered, Auth0 Applications have access to different grant types based on application type. The biggest deciding factor is whether the application is confidential or public.
Additionally, trusted first-party applications have access to additional grant types.
Public Applications
When a Native App or Single-Page App is registered in the Dashboard, it is automatically flagged as a public application, which is indicated by a token_endpoint_auth_method flag set to none.
By default, Auth0 creates public applications with the following grant_types enabled:
implicit
authorization_code
refresh_token
Native Apps can also use the device_code grant type.
Confidential Applications
When a Regular Web App or Machine-to-Machine (M2M) App is registered in the Dashboard, it is automatically flagged as a confidential application, which is indicated by a token_endpoint_auth_method flag set to anything except none.
By default, Auth0 creates confidential applications with the following grant_types enabled:
implicit
authorization_code
refresh_token
client_credentials
Trusted First-Party Applications
Trusted first-party applications have the same grant_types enabled as confidential applications, plus the following:
password
http://auth0.com/oauth/grant-type/password-realm
http://auth0.com/oauth/grant-type/mfa-oob
http://auth0.com/oauth/grant-type/mfa-otp
http://auth0.com/oauth/grant-type/mfa-recovery-code
For more info about first-party and third-party applications, see Application Types: First-party vs. Third-party.
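The mapping above can be used to review a tenant for grants that exceed an application's defaults. The following is an added example, not Auth0's own code: it checks exported client records against the lists on this page. The record fields app_type and is_first_party, the function names, and the sample clients are assumptions of the example.

```python
# Added example: default grant sets copied from the lists on this page.
PUBLIC = {"implicit", "authorization_code", "refresh_token"}
CONFIDENTIAL = PUBLIC | {"client_credentials"}
FIRST_PARTY_EXTRA = {
    "password",
    "http://auth0.com/oauth/grant-type/password-realm",
    "http://auth0.com/oauth/grant-type/mfa-oob",
    "http://auth0.com/oauth/grant-type/mfa-otp",
    "http://auth0.com/oauth/grant-type/mfa-recovery-code",
}
# The page names the native-only grant "device_code"; the URN is its RFC 8628 form.
DEVICE_CODE = {"device_code", "urn:ietf:params:oauth:grant-type:device_code"}

def is_public(client):
    # Public means token_endpoint_auth_method is none; anything else is confidential.
    return client.get("token_endpoint_auth_method") == "none"

def expected_grants(client):
    allowed = set(PUBLIC if is_public(client) else CONFIDENTIAL)
    if client.get("app_type") == "native":
        allowed |= DEVICE_CODE
    # Assumption: extras follow the is_first_party flag; client_credentials
    # stays limited to confidential clients, which can hold a secret.
    if client.get("is_first_party"):
        allowed |= FIRST_PARTY_EXTRA
    return allowed

def unexpected_grants(client):
    return sorted(set(client.get("grant_types", [])) - expected_grants(client))

def audit(clients):
    return {c["name"]: unexpected_grants(c) for c in clients if unexpected_grants(c)}

def _c(name, app_type, auth, first_party, grants):
    return {"name": name, "app_type": app_type, "token_endpoint_auth_method": auth,
            "is_first_party": first_party, "grant_types": grants}

# Constructed sample records, not real tenant data.
SAMPLE_CLIENTS = [
    _c("example-spa", "spa", "none", False, ["implicit", "authorization_code", "client_credentials"]),
    _c("example-native", "native", "none", False, ["authorization_code", "urn:ietf:params:oauth:grant-type:device_code"]),
    _c("example-m2m", "non_interactive", "client_secret_post", False, ["client_credentials", "password"]),
    _c("example-portal", "regular_web", "client_secret_post", True, ["authorization_code", "password", "http://auth0.com/oauth/grant-type/mfa-otp"]),
]

if __name__ == "__main__":
    for name, extra in audit(SAMPLE_CLIENTS).items():
        print(f"{name}: review non-default grants {extra}")
```

A finding is a prompt for review rather than proof of misconfiguration, since grant types can be enabled deliberately after registration.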