External APIs with OIDC

With the OIDC-conformant pipeline, you should define applications and APIs (resources) as separate Auth0 entities. Benefits include:

  • Simpler API integration: APIs are no longer tied to applications that call them.

  • Machine-to-machine (M2M) integration scenarios: Applications can authenticate as themselves (instead of acting on behalf of a user) to programmatically and securely get an Access Token.

Architecture

Suggested OIDC-conformant solutions for different scenarios include:

  • Multiple applications calling an API under a single client ID: Represent each application with its own Auth0 application; each of these can interact with the API on which the applications depend.

  • Exchange tokens obtained by one application for tokens for a different application with delegation: Use a multi-application solution, with each application authenticating to the same resource server.

  • Applications that do not depend on external APIs and are used only to authenticate users: You do not need to define an API as long as ID tokens are:

    • Processed only by the application.

    • Not sent to any external services.
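As an added example (not code from the Auth0 documentation), a resource server's token check written the way this separation implies: the API accepts only an access token whose audience is the API identifier it was registered with, so an ID token, whose audience is the calling application's client ID, is turned away, as is a token for another API. The issuer, API identifier, client ID and HS256 secret are constructed; a real API would verify against the tenant's published signing key rather than this shared secret.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Constructed values (none are from the page): an Auth0-style issuer, the identifier
# the separate API entity is registered with, and a calling application's client ID.
ISSUER = "https://example-tenant.example.auth0.com/"
API_IDENTIFIER = "https://orders.example.com/api"
CLIENT_ID = "exampleClientId123"
SECRET = b"constructed-demo-secret"  # HS256 stand-in for the tenant's signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    """Mint an HS256 JWT for the given claims (fixture for the checks below)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_for_api(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Resource-server check: accept only an access token issued for THIS API."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, body_b64, sig_b64 = parts
    # Pin the algorithm instead of trusting whatever the header announces.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    # An ID token carries the calling app's client ID as audience, not this API's
    # identifier, so it is rejected: ID tokens are for the application only.
    if API_IDENTIFIER not in auds:
        return False, "audience is not this API"
    return True, "ok"
```

An M2M caller that authenticated as itself presents an access token with this API's identifier as audience and passes the same check; whose token it is shows up in `sub`, not in how the API validates it.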