Client Grant Types

Auth0 provides many authentication and authorization flows to suit your needs. Depending on your use case, you may wish to limit the use of certain flows (or grant types, as we will refer to them) for a particular client. This is controlled using the grant_types property that each client has. Restricting a client to the grants it actually needs is a least-privilege control: a flow that is not enabled for a client cannot be exercised against that client at all, so a leaked client_id (or client secret) is worth less to an attacker.

Grant Types

Not sure which non-legacy grant type is appropriate for your use case? Refer to Which OAuth 2.0 flow should I use? for help.

The following is a list of grant types valid for Auth0 Clients. They fall into three categories: specification-conformant grants, Auth0 extension grants, and Auth0 legacy grants.

The following grant_types are either OIDC-conformant (i.e. their implementation conforms to the OIDC specification) or Auth0 extension grants:

  • implicit: Implicit Grant
  • authorization_code: Authorization Code Grant
  • client_credentials: Client Credentials Grant
  • password: Resource Owner Password Grant
  • refresh_token: Use a refresh token
  • http://auth0.com/oauth/grant-type/password-realm: an extension grant similar to the Resource Owner Password Grant that additionally lets the caller indicate a specific realm (connection) in which to authenticate the user
  • http://auth0.com/oauth/grant-type/mfa-oob: Multifactor Authentication OOB Grant Request
  • http://auth0.com/oauth/grant-type/mfa-otp: Multifactor Authentication OTP Grant Request
  • http://auth0.com/oauth/grant-type/mfa-recovery-code: Multifactor Authentication Recovery Grant Request

The following is a list of legacy grant_types:

  • http://auth0.com/oauth/legacy/grant-type/ro
  • http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer
  • http://auth0.com/oauth/legacy/grant-type/delegation/refresh_token
  • http://auth0.com/oauth/legacy/grant-type/delegation/id_token
  • http://auth0.com/oauth/legacy/grant-type/access_token

Edit available grant_types

You can set the grant_types property for your Auth0 Client using the Management Dashboard.

Begin by navigating to the Clients page of the Management Dashboard.


Click on the cog icon next to the Client you're interested in to launch its settings page.


Scroll down to the bottom of the settings page, and click Advanced Settings.


Switch to the Grant Types tab and enable or disable the respective grants for this client. Click Save Changes.


As of 8 June 2017, new Auth0 customers cannot add any of the legacy grant types to their Clients. Only customers whose tenant already existed on 8 June 2017 can add legacy grant types, and only to Clients that existed at that date.

Attempting to use any flow with a client lacking the appropriate grant_types for that flow (or with the field empty) will result in the following error from the token endpoint, where `grant_type` is replaced by the grant that was requested:

Grant type `grant_type` not allowed for the client.

Existing Clients

To avoid changes in functionality for current Auth0 customers, we populated the grant_types property of all Clients that existed as of 8 June 2017 with all Auth0 legacy, Auth0 extension, and specification-conformant grant types. Because this is the broadest possible setting, it is worth reviewing such Clients and removing the grants they do not use.

New Clients

Depending on whether a newly-created Client is public or confidential, the set of grant types the Client can use differs.

Public Clients

Public Clients, indicated by the token_endpoint_auth_method flag set to none, are those created in the Dashboard for Native and Single Page Applications.

Token Endpoint Authentication Method

The Token Endpoint Authentication Method defines how a client authenticates against the token endpoint. Its valid values (shown in the Dashboard as None, Post and Basic; stored in the token_endpoint_auth_method property as none, client_secret_post and client_secret_basic) are:

  • None, for a public client without a client secret
  • Post, for a client that sends its client_id and client_secret as HTTP POST body parameters
  • Basic, for a client that sends its client_id and client_secret using HTTP Basic authentication (the Authorization header)

You can find this field in the Client Settings page of the Auth0 Dashboard.

By default, Public Clients are created with the following grant_types:

  • implicit
  • authorization_code
  • refresh_token

Public clients cannot utilize the client_credentials grant type: that grant authenticates the client itself rather than a user, and a public client has no secret with which to do so. To add this grant type to a Client, set the token_endpoint_auth_method to client_secret_post or client_secret_basic. Either of these will indicate the Client is confidential, not public, and you must then keep the secret out of any code distributed to end users.

Confidential Clients

Confidential Clients, indicated by the token_endpoint_auth_method flag set to anything except none, are those created in the Dashboard for Regular Web Applications or Non-Interactive Clients. Additionally, any Client where token_endpoint_auth_method is unspecified is confidential. By default, Confidential Clients are created with the following grant_types:

  • implicit
  • authorization_code
  • refresh_token
  • client_credentials

Trusted First-Party Clients

Trusted first-party clients can additionally use the following grant_types:

  • password
  • http://auth0.com/oauth/grant-type/password-realm
  • http://auth0.com/oauth/grant-type/mfa-oob
  • http://auth0.com/oauth/grant-type/mfa-otp
  • http://auth0.com/oauth/grant-type/mfa-recovery-code
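The rules above (public versus confidential defaults, client_credentials only for confidential clients, the grants reserved for trusted first-party clients, and the 8 June 2017 legacy cutoff) are easy to get wrong when grant_types is changed by hand in the Dashboard or in bulk through the Management API. The following Python is an added example, not Auth0's code: it encodes those rules as a pre-flight check for a proposed grant_types list, reproduces the token-endpoint refusal described earlier on this page, and audits a set of client records for grants that deserve a second look. The sample records are constructed to match the shape of GET /api/v2/clients output; the field name is_first_party is assumed here to mark a trusted first-party client, and treating the cutoff as "tenant created before 8 June 2017" is an assumption, since the page only gives the date.

```python
"""Pre-flight checks and an audit for an Auth0 client's grant_types.

Added example; not Auth0's code. Encodes the rules stated on this page so
they can be checked before a Dashboard change or a Management API
PATCH /api/v2/clients/{client_id} call.
"""
from datetime import date

SPEC_GRANTS = {"implicit", "authorization_code", "client_credentials",
               "password", "refresh_token"}
EXTENSION_GRANTS = {
    "http://auth0.com/oauth/grant-type/password-realm",
    "http://auth0.com/oauth/grant-type/mfa-oob",
    "http://auth0.com/oauth/grant-type/mfa-otp",
    "http://auth0.com/oauth/grant-type/mfa-recovery-code",
}
LEGACY_GRANTS = {
    "http://auth0.com/oauth/legacy/grant-type/ro",
    "http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer",
    "http://auth0.com/oauth/legacy/grant-type/delegation/refresh_token",
    "http://auth0.com/oauth/legacy/grant-type/delegation/id_token",
    "http://auth0.com/oauth/legacy/grant-type/access_token",
}
KNOWN_GRANTS = SPEC_GRANTS | EXTENSION_GRANTS | LEGACY_GRANTS
# password and the extension grants are reserved for trusted first-party clients.
FIRST_PARTY_ONLY = {"password"} | EXTENSION_GRANTS
# Assumption: tenants created on or after this date cannot enable legacy grants.
LEGACY_CUTOFF = date(2017, 6, 8)


def is_public(client):
    """Public clients carry token_endpoint_auth_method "none"; unspecified means confidential."""
    return client.get("token_endpoint_auth_method") == "none"


def default_grant_types(client):
    """The grant_types Auth0 assigns to a newly created client of this kind."""
    defaults = ["implicit", "authorization_code", "refresh_token"]
    if not is_public(client):
        defaults.append("client_credentials")  # requires a client secret
    return defaults


def validate_grant_types(client, requested, tenant_created):
    """Return the rule violations in a proposed grant_types list (empty list: consistent).

    tenant_created is an ISO date string such as "2018-01-01".
    """
    created = date.fromisoformat(tenant_created)
    problems = []
    for grant in requested:
        if grant not in KNOWN_GRANTS:
            problems.append(f"{grant}: unknown grant_type")
        elif grant == "client_credentials" and is_public(client):
            problems.append("client_credentials: public client has no secret; set "
                            "token_endpoint_auth_method to client_secret_post or "
                            "client_secret_basic first")
        elif grant in FIRST_PARTY_ONLY and not client.get("is_first_party", False):
            problems.append(f"{grant}: only trusted first-party clients may use it")
        elif grant in LEGACY_GRANTS and created >= LEGACY_CUTOFF:
            problems.append(f"{grant}: legacy grant, not available to tenants "
                            f"created on or after {LEGACY_CUTOFF.isoformat()}")
    return problems


def token_endpoint_check(client, grant_type):
    """The refusal this page describes for a grant missing from the client's grant_types."""
    if grant_type not in client.get("grant_types", []):
        return f"Grant type `{grant_type}` not allowed for the client."
    return None


def audit(clients):
    """Map client_id -> sorted list of legacy grants and password-style grants
    (the latter let the application itself handle the user's credentials)."""
    watch = LEGACY_GRANTS | {"password", "http://auth0.com/oauth/grant-type/password-realm"}
    findings = {}
    for client in clients:
        risky = sorted(set(client.get("grant_types", [])) & watch)
        if risky:
            findings[client["client_id"]] = risky
    return findings


# Constructed sample records in the shape of GET /api/v2/clients output; not real tenant data.
SAMPLE_CLIENTS = [
    {"client_id": "spa01", "name": "Dashboard SPA", "token_endpoint_auth_method": "none",
     "is_first_party": True,
     "grant_types": ["implicit", "authorization_code", "refresh_token"]},
    {"client_id": "svc01", "name": "Billing service",
     "token_endpoint_auth_method": "client_secret_post", "is_first_party": True,
     "grant_types": ["client_credentials"]},
    {"client_id": "old01", "name": "Partner mobile app",
     "token_endpoint_auth_method": "client_secret_basic", "is_first_party": False,
     "grant_types": ["authorization_code", "password",
                     "http://auth0.com/oauth/legacy/grant-type/ro"]},
]

if __name__ == "__main__":
    for client in SAMPLE_CLIENTS:
        print(client["client_id"], "defaults:", default_grant_types(client))
    print(validate_grant_types(SAMPLE_CLIENTS[0], ["client_credentials"], "2018-01-01"))
    print(token_endpoint_check(SAMPLE_CLIENTS[0], "client_credentials"))
    print(audit(SAMPLE_CLIENTS))
```

Run the validation against a proposed list before saving it. The Management API equivalent of the Dashboard steps earlier on this page is a PATCH to /api/v2/clients/{client_id} with a JSON body of the form {"grant_types": [...]}, sent with a Management API token that has the update:clients scope; the body replaces the whole list, so include every grant the client should keep.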

Secure Alternatives to the Legacy Grant Types

  • http://auth0.com/oauth/legacy/grant-type/ro: Use the /oauth/token endpoint with a grant type of password. See Resource Owner Password Credentials Exchange and Executing the Resource Owner Password Grant for additional information.
  • http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer: This feature is disabled by default. If you would like this feature enabled, please contact support to discuss your use case and prevent the possibility of introducing security vulnerabilities.
  • http://auth0.com/oauth/legacy/grant-type/delegation/refresh_token: Use the /oauth/token endpoint to obtain refresh tokens. See OIDC-conformant refresh tokens for more info.
  • http://auth0.com/oauth/legacy/grant-type/delegation/id_token: This feature is disabled by default. If you would like this feature enabled, please contact support to discuss your use case and prevent the possibility of introducing security vulnerabilities.
  • http://auth0.com/oauth/legacy/grant-type/access_token: Use browser-based social authentication.

Those implementing Passwordless Authentication should use hosted login pages instead of the /oauth/ro endpoint.

Enable a Legacy Grant Type

Only Auth0 customers whose tenant already existed on 8 June 2017 may enable a legacy grant type, and only for Clients that existed at that date.

To enable a legacy grant type, you will need to add it to the grant_types property of your Client. For details on how to do so, refer to Edit available grant_types above.

If you are a new customer and you are interested in using a legacy flow, please contact Support for assistance.