Application Grant Types

Application Grant Types

Application grant types (or flows) are methods through which applications can gain Access Tokens and by which you grant limited access to your resources to another entity without exposing credentials. The OAuth 2.0 protocol supports several types of grants, which allow different types of access.

Based on the needs of your application, some grant types are more appropriate than others. Auth0 provides many different authentication and authorization flows and allows you to indicate which grant types are appropriate based on the grant_types property of your Auth0-registered Application.

For example, let's say you are securing a mobile app. In this case, you'd use the Authorization Code Flow with Proof Key for Code Exchange (PKCE).

Alternatively, if you were securing a client-side app (such as a single-page app) and weren't passing tokens between servers, you might use the Implicit Flow with Form Post.

Various grant types are valid when registering Auth0 Applications. These can be divided into the following categories:

  • Spec-conforming grants: Grants defined by and conforming to external specifications (such as OpenID Connect (OIDC)).

  • Auth0 extension grants: Auth0-specific grants that conform to the OAuth extension mechanism to support additional clients or to provide a bridge between OAuth and other trust frameworks.

  • Auth0 legacy grants: Traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.

Available grant types

Spec-conforming grants

Grant Type Description
implicit Implicit Grant
authorization_code Authorization Code Grant
client_credentials Client Credentials Grant
password Resource Owner Password Grant
refresh_token Use Refresh Tokens
urn:ietf:params:oauth:grant-type:device_code Device Authorization Grant

Auth0 extension grants

Grant Type Description
http://auth0.com/oauth/grant-type/password-realm Use an extension grant similar to the Resource Owner Password Grant that includes the ability to indicate a specific realm
http://auth0.com/oauth/grant-type/mfa-oob Multi-factor Authentication OOB Grant Request
http://auth0.com/oauth/grant-type/mfa-otp Multi-factor Authentication OTP Grant Request
http://auth0.com/oauth/grant-type/mfa-recovery-code Multi-factor Authentication Recovery Grant Request
http://auth0.com/oauth/grant-type/passwordless/otp Embedded Passwordless Login Grant Request

Auth0 legacy grants

Legacy grants include:

  • http://auth0.com/oauth/legacy/grant-type/ro

  • http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer

  • http://auth0.com/oauth/legacy/grant-type/delegation/refresh_token

  • http://auth0.com/oauth/legacy/grant-type/delegation/id_token

  • http://auth0.com/oauth/legacy/grant-type/access_token

Legacy grant types are traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.

As of 08 June 2017, all Auth0 Applications were given a grant_types property that must be populated. To avoid changes in functionality for Auth0 customers at that time, we populated the grant_types property for all existing Applications with all Auth0 legacy, Auth0 extension, and specification-conforming grant types.

At this time, new Auth0 customers were no longer able to add legacy grant types to their applications. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. If you were a customer prior to 8 June 2017, you can use the Dashboard or use the Management API to enable a legacy grant type.

If you're currently using a legacy grant type, refer to the chart below to see which of the secure alternatives you should use instead. If you are implementing Passwordless Authentication should use Universal Login instead of the oauth/ro endpoint.

Grant type mapping

When registered, Auth0 Applications have access to different grant types based on application type. The biggest deciding factor is whether the application is confidential or public. Additionally, trusted first-party applications have access to additional grant types.

Public applications

When a Native App or Single-Page App is registered in the Dashboard, it is automatically flagged as a public application, which is indicated by a token_endpoint_auth_method flag set to none. By default, Auth0 creates public applications with the following grant_types enabled:

  • implicit

  • authorization_code

  • refresh_token

Native Apps can also use the device_code grant type.

Public applications cannot use the client_credentials grant type. To use this grant type, you must indicate that the application is confidential rather than public. Use the Management API to set the token_endpoint_auth_method to client_secret_post or client_secret_basic.

Confidential applications

When a Regular Web App or Machine-to-Machine (M2M) App is registered in the Dashboard, it is automatically flagged as a confidential application, which is indicated by a token_endpoint_auth_method flag set to anything except none. By default, Auth0 creates confidential applications with the following grant_types enabled:

  • implicit

  • authorization_code

  • refresh_token

  • client_credentials

Trusted first-party applications

Trusted first-party applications have the same grant_types enabled as confidential applications, plus the following:

  • password

  • http://auth0.com/oauth/grant-type/password-realm

  • http://auth0.com/oauth/grant-type/mfa-oob

  • http://auth0.com/oauth/grant-type/mfa-otp

  • http://auth0.com/oauth/grant-type/mfa-recovery-code

If you are using the Dashboard to enable or disable these grant types, be aware that all the Password and MFA grant types are enabled when you add the Password or MFA grant type to your Application. You cannot select them individually.

Learn more