Auth0 uses OpenID Connect (OIDC) and OAuth 2.0 to authenticate users and get their authorization to access protected resources. With Auth0, you can easily support different flows in your own applications and APIs without worrying about the OAuth 2.0/OIDC specification or the other technical aspects of authentication and authorization.

We support scenarios for server-side, mobile, desktop, client-side, machine-to-machine, and device applications.

• Authorization Code Flow

  Because regular web apps are server-side apps where the source code is not publicly exposed, they can use the Authorization Code Flow (defined in defined in OAuth 2.0 RFC 6749, section 4.1), which exchanges an Authorization Code for a token.

  • Add Login Using the Authorization Code Flow
  • Call API Using the Authorization Code Flow
• Authorization Code Flow with Proof Key for Code Exchange (PKCE)

  During authentication, mobile/native applications can use the OAuth 2.0 Authorization Code Flow, but they require additional security. To mitigate this, OAuth 2.0 provides a version of the Authorization Code Flow which makes use of a Proof Key for Code Exchange (PKCE) (defined in OAuth 2.0 RFC 7636).

  • Add Login Using the Authorization Code Flow with PKCE
  • Call API Using the Authorization Code Flow with PKCE
• Implicit Flow

  During authentication, single-page applications (SPAs) have some special requirements. Since the SPA is a public client, it is unable to securely store information such as a Client Secret. As such a special authentication flow exists called the OAuth 2.0 Implicit Flow (defined in OAuth 2.0 RFC 6749, section 4.2).

  • Add Login Using the Implicit Flow
  • Call API Using the Implicit Flow
• Client Credentials Flow

  With machine-to-machine (M2M) applications, such as CLIs, daemons, or services running on your back-end, the system authenticates and authorizes the app rather than a user. For this scenario, typical authentication schemes like username + password or social logins don't make sense. Instead, M2M apps use the Client Credentials Flow (defined in OAuth 2.0 RFC 6749, section 4.4).

  • Call API Using the Client Credentials Flow
• Device Authorization Flow

  With input-constrained devices that connect to the internet, rather than authenticate the user directly, the device asks the user to go to a link on their computer or smartphone and authorize the device. This avoids a poor user experience for devices that do not have an easy way to enter text. To do this, device apps use the Device Authorization Flow (drafted in OAuth 2.0). For use with mobile/native applications.

  • Call API Using the Device Authorization Flow