Authenticate using OpenIDConnect to another Auth0 Tenant (Deprecated)
You can use an application on one Auth0 tenant (referred to below as the OIDC Provider tenant) as an identity provider in another Auth0 tenant (the Relying Party tenant).
How it works
Configure the OIDC Provider Auth0 Tenant
- Create an Application or edit an existing one. Set the application type to Regular Web App.
- Take note of your application's Client ID and Client Secret. You will need these to create the connection in the Relying Party tenant.
- Add the Relying Party tenant's login callback, https://<RELYING PARTY AUTH0 DOMAIN>/login/callback, to the list of Allowed Callback URLs. Register that exact URL rather than a wildcard; it is where the OIDC Provider tenant will send authorization codes.
Find your Auth0 domain name for redirects
If you are not using the custom domains feature, your Auth0 domain name is your tenant name plus .auth0.com (tenants created in a non-US region also carry the region, for example .eu.auth0.com). For example, if your tenant name were exampleco-enterprises, your Auth0 domain name would be exampleco-enterprises.auth0.com and your redirect URI would be https://exampleco-enterprises.auth0.com/login/callback. If you are using custom domains, your redirect URI has the following format: https://<YOUR CUSTOM DOMAIN>/login/callback.
Make sure that the OIDC-Conformant toggle in the OAuth tab under the application's Advanced Settings is turned off; this legacy connection type depends on the non-conformant behaviour of the provider application.
Make sure that the tenant has the Legacy User Profile toggle enabled under the Migrations section of the Tenant Advanced Settings. If you don't see this toggle for your tenant, please open a support case to request this feature to be enabled.
How to implement it
Configure the Relying Party Auth0 Tenant
The Auth0-to-Auth0 connection is not yet supported in the Dashboard. You need to create the connection using the Create a connection endpoint of the Management API v2, which requires a Management API v2 token with the create:connections scope.
The request is a POST to the Relying Party tenant's /api/v2/connections endpoint, with the Management API token in the Authorization: Bearer header and a JSON body (auth0-oidc-connection.json in the original sample) that defines the connection. The required parameters for this connection are:

| Parameter | Description |
|---|---|
| name | How the connection will be referenced in Auth0 or in your app |
| strategy | Defines the protocol implemented by the provider. This should always be auth0-oidc |
| options.domain | The domain of the OIDC Provider Auth0 tenant |
| options.client_id | The Client ID of the application on the OIDC Provider tenant |
| options.client_secret | The Client Secret of that application; treat the request body as a secret once it is filled in |
| options.scope | The scope parameters for which you wish to request consent (such as openid email) |
| enabled_clients | An array containing the identifiers of the applications for which the connection is to be enabled. If the array is empty or the property is not specified, no applications are enabled |
Use the Auth0 connection
A direct link is the Relying Party tenant's /authorize endpoint called with the connection parameter set to the name you gave the connection, alongside the usual response_type, client_id, redirect_uri, scope and state parameters.
The user will be redirected to the built-in login page of the OIDC Provider Auth0 tenant where they can choose their identity provider (from the enabled connections of the target Application) and enter their credentials.
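The following script is an added example, not code from the Auth0 documentation: it builds the auth0-oidc connection body described above, prepares (without sending) the Management API request that creates it on the Relying Party tenant, derives the callback URL the OIDC Provider application must allow, and builds the direct /authorize link. The tenant domains, client IDs, secrets and token values are constructed placeholders; the uncommented request is never sent so the script runs offline.

```python
"""Create an auth0-oidc connection and build a direct link to it.

Added example, not Auth0's own code. Every domain, client ID, secret and
token below is a constructed placeholder.
"""
import json
import secrets
import urllib.parse
import urllib.request

OIDC_PROVIDER_DOMAIN = "exampleco-enterprises.auth0.com"  # constructed: the OIDC Provider tenant
RELYING_PARTY_DOMAIN = "exampleco-partner.auth0.com"      # constructed: the Relying Party tenant


def relying_party_callback(rp_domain):
    """The exact URL to add to the provider application's Allowed Callback URLs."""
    return f"https://{rp_domain}/login/callback"


def build_connection_payload(name, provider_domain, client_id, client_secret,
                             scope="openid email", enabled_clients=()):
    """Return the JSON body for POST /api/v2/connections on the Relying Party tenant."""
    if not name or any(c in name for c in " /"):
        raise ValueError("connection name must be a single token with no spaces or slashes")
    if "://" in provider_domain or "/" in provider_domain:
        raise ValueError("options.domain is a bare hostname, not a URL")
    requested = scope.split()
    if "openid" not in requested:
        raise ValueError("scope must include openid, otherwise no identity is returned")
    return {
        "name": name,
        "strategy": "auth0-oidc",
        "options": {
            "domain": provider_domain,
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": " ".join(requested),
        },
        # An empty list means no application can use the connection yet.
        "enabled_clients": list(enabled_clients),
    }


def build_create_request(rp_domain, mgmt_token, payload):
    """Prepare the Management API v2 request; the caller decides whether to send it."""
    return urllib.request.Request(
        url=f"https://{rp_domain}/api/v2/connections",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {mgmt_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def build_direct_link(rp_domain, rp_client_id, redirect_uri, connection_name,
                      scope="openid email", state=None):
    """/authorize on the Relying Party tenant with connection=<name>.

    state is generated per request and must be checked on the callback so an
    attacker cannot splice their authorization code into the user's session.
    """
    state = state or secrets.token_urlsafe(16)
    query = {"response_type": "code", "client_id": rp_client_id,
             "redirect_uri": redirect_uri, "scope": scope,
             "connection": connection_name, "state": state}
    return f"https://{rp_domain}/authorize?" + urllib.parse.urlencode(query), state


if __name__ == "__main__":
    payload = build_connection_payload("auth0-oidc-connection", OIDC_PROVIDER_DOMAIN,
                                       "PROVIDER_CLIENT_ID", "PROVIDER_CLIENT_SECRET",
                                       enabled_clients=["RP_CLIENT_ID"])
    print("Allow on the provider app:", relying_party_callback(RELYING_PARTY_DOMAIN))
    req = build_create_request(RELYING_PARTY_DOMAIN, "MGMT_API_TOKEN", payload)
    print(req.get_method(), req.full_url)
    print(json.dumps(payload, indent=2))
    # urllib.request.urlopen(req)  # uncomment with a real token to create the connection
    link, state = build_direct_link(RELYING_PARTY_DOMAIN, "RP_CLIENT_ID",
                                    "https://app.example.com/callback", "auth0-oidc-connection")
    print("Direct link:", link)
```

The payload is built with json.dumps rather than string interpolation so a client secret containing quotes or backslashes cannot break the request, and the generated state value must be stored server-side and compared on the callback before the authorization code is exchanged.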
The resulting profile
Once the user is authenticated, the resulting profile on the Relying Party tenant contains the Normalized User Profile fields (user_id, email, name and so on). Note that the generated user_id has the following format:
The Access Token is the JWT of the user in the OIDC Provider Auth0 connection. If you decode it, you will see the claims corresponding to the properties requested in the scope of the auth0-oidc connection; for example, scope=openid email yields the standard OpenID claims plus the user's email claims. Decoding alone proves nothing about who issued the token: verify the signature and the expected algorithm before acting on any claim.
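The following script is an added example, not code from the Auth0 documentation, showing the difference between decoding the Access Token and verifying it. The token, its signing secret and its claims are constructed inline so the script runs offline; it assumes an HS256 shared-secret signature, and the mapping from scope values to expected claims is an assumption to be checked against what your tenant actually issues.

```python
"""Decode versus verify an Access Token from an auth0-oidc connection.

Added example, not Auth0's own code. The secret, the token and the
scope-to-claims mapping are constructed or assumed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret-for-demo"  # constructed, never reuse

# Assumed mapping from requested scope values to the claims they should yield.
SCOPE_CLAIMS = {
    "openid": {"iss", "sub", "aud", "iat", "exp"},
    "email": {"email", "email_verified"},
}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, secret, alg="HS256"):
    """Build a JWT so there is something to decode (alg='none' yields a forgery)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signature = ""
    if alg == "HS256":
        digest = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        signature = b64url_encode(digest)
    return f"{header}.{body}.{signature}"


def decode_unverified(token):
    """What 'decoding' shows: header and claims, with no proof of origin."""
    header, body, _ = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))


def verify_hs256(token, secret, now=None):
    """Return the claims only if alg is the one we expect, the MAC matches and exp is in the future."""
    header_part, body_part, sig_part = token.split(".")
    header = json.loads(b64url_decode(header_part))
    if header.get("alg") != "HS256":
        # The token's own alg field is attacker-controlled; pin the expected algorithm.
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_part}.{body_part}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_part)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(body_part))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def missing_claims(claims, scope):
    """Claims the requested scope should have produced but the token lacks."""
    expected = set()
    for value in scope.split():
        expected |= SCOPE_CLAIMS.get(value, set())
    return expected - set(claims)


if __name__ == "__main__":
    issued = int(time.time())
    sample_claims = {  # constructed
        "iss": "https://exampleco-enterprises.auth0.com/",
        "sub": "auth0|constructed-user-id",
        "aud": "PROVIDER_CLIENT_ID",
        "iat": issued, "exp": issued + 3600,
        "email": "user@example.com", "email_verified": True,
    }
    token = make_token(sample_claims, SECRET)
    print("decoded header/claims:", decode_unverified(token))
    print("verified claims:", verify_hs256(token, SECRET))
    print("missing for 'openid email':", missing_claims(sample_claims, "openid email"))
    forged = make_token(dict(sample_claims, email="admin@example.com"), SECRET, alg="none")
    print("forged token still decodes:", decode_unverified(forged)[1]["email"])
    try:
        verify_hs256(forged, SECRET)
    except ValueError as exc:
        print("forged token rejected:", exc)
```

The alg check and the constant-time MAC comparison are the two steps a quick decode skips; the forged alg=none token decodes to a perfectly plausible profile yet is rejected by the verifier, which is the point of treating the decoded claims as untrusted until verification succeeds.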