During authentication, single-page applications (SPAs) have some special requirements. Since the SPA is a public client, it is unable to securely store information such as a Client Secret. As such, a special authentication flow exists called the OAuth 2.0 Implicit Flow (defined in OAuth 2.0 RFC 6749, section 4.2). Using the Implicit Flow streamlines authentication by returning tokens without introducing any unnecessary additional steps.
How it works
For SPAs, you should use the Implicit Flow in which issued tokens are short-lived. Refresh Tokens are not available in this flow.
- The user clicks Login within the SPA.
- Auth0's SDK redirects the user to the Auth0 Authorization Server (/authorize endpoint), passing along a response_type parameter that indicates the type of requested credential.
- Your Auth0 Authorization Server redirects the user to the login and authorization prompt.
- The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the SPA.
- Your Auth0 Authorization Server redirects the user back to the SPA with any of the following, depending on the provided response_type parameter (step 2):
  - An ID Token;
  - An Access Token;
  - An ID Token and an Access Token.
- Your SPA can use the Access Token to call an API.
- The API responds with requested data.
How to implement it
The easiest way to implement the Implicit Flow is to follow our Single-Page App Quickstarts.
You can also use our SDKs.
SPAs and refresh tokens
While SPAs using the Implicit Grant cannot use Refresh Tokens, there are other ways to provide similar functionality:
- Use prompt=none when invoking the /authorize endpoint. The user will not see the login or consent dialogs. For more information, see Silent Authentication.
- Call /authorize from a hidden iframe and extract the new Access Token from the parent frame. The user will not see the redirects happening.