Access Tokens with OIDC

Because applications and APIs (resources) are defined as separate Auth0 entities with the OIDC-conformant pipeline, you can get access tokens for your APIs. Consequently, all APIs should be secured with access tokens instead of ID tokens. To learn more, read Access Tokens and ID Tokens.

The OIDC-conformant pipeline standardizes claims that you can add to ID and access tokens.

The OIDC specification defines a set of standard claims about users, such as profile and email, that can be returned in ID tokens or in the response from the /userinfo endpoint.

To learn about the OIDC standard claim specification, read Section 5.1 Standard Claims in the OpenID Specification.

With the OIDC-conformant pipeline, custom claims may still be added to ID tokens or access tokens, but they must conform to a namespaced format to avoid possible collisions with standard OIDC claims.

To learn how to add a custom claim in the OIDC-conformant pipeline, read Create Namespaced Custom Claims.

In the OIDC-conformant pipeline, you can configure your applications in Auth0 to use scopes to request that:

• Standard OIDC claims, such as profile and email, be included in the ID token (if the user consents to provide this information to the application).

• Permissions supported by the API they want to access be included in the access token. For example, you can define your custom API's audience and required scopes, which will allow you to segregate access to different operations within your API.

To learn more, read OpenID Connect Scopes.

• External APIs with OIDC
• Authorization Code Flow with OIDC
• Client Credentials Flow with OIDC
• Delegation with OIDC
• Implicit Flow with OIDC
• Refresh Tokens with OIDC