To begin the flow, you'll need to get the user's authorization. This step may include one or more of the following processes:
- Authenticating the user;
- Redirecting the user to an Identity Provider to handle authentication;
- Obtaining user consent for the requested permission level, unless consent has been previously given.
To authorize the user, your app must send the user to the authorization URL.
```
https://YOUR_AUTH0_DOMAIN/authorize?
    response_type=code&
    client_id=YOUR_CLIENT_ID&
    redirect_uri=https://YOUR_APP/callback&
    scope=SCOPE&
    state=STATE
```
| Parameter | Description |
|---|---|
| `response_type` | Denotes the kind of credential that Auth0 will return ( |
| `client_id` | Your application's Client ID. You can find this value in your Application Settings. |
| `redirect_uri` | The URL to which Auth0 will redirect the browser after authorization has been granted by the user. The Authorization Code will be available in the |
| | Warning: Per the OAuth 2.0 Specification, Auth0 removes everything after the hash and does not honor any fragments. |
| `scope` | Specifies the scopes for which you want to request authorization, which dictate which claims (or user attributes) you want returned. These must be separated by a space. To get an ID Token in the response, you need to specify a scope of at least |
| `state` | (recommended) An opaque arbitrary alphanumeric string your app adds to the initial request that Auth0 includes when redirecting back to your application. To see how to use this value to prevent cross-site request forgery (CSRF) attacks, see Use the State Parameter Against CSRF Attacks. |
| | (optional) Forces the user to sign in with a specific connection. For example, you can pass a value of |
As an example, your HTML snippet for your authorization URL when adding login to your app might look like:
```html
<a href="https://YOUR_AUTH0_DOMAIN/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://YOUR_APP/callback&scope=openid%20profile&state=xyzABC123">
  Sign In
</a>
```
If all goes well, you'll receive an HTTP 302 response. The authorization code is included at the end of the URL:

```
HTTP/1.1 302 Found
Location: https://YOUR_APP/callback?code=AUTHORIZATION_CODE&state=xyzABC123
```
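The `state` round trip described above, as an added example that is not Auth0's own code: it builds the authorization URL with a fresh random `state` per login attempt and checks the value on the redirect back before accepting the code. The function names, the `oauth_state` session key and the dict standing in for a server-side session are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def build_authorize_url(domain, client_id, redirect_uri, scope, session):
    """Return the /authorize URL and store a fresh state in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable, generated per login attempt
    session["oauth_state"] = state     # hypothetical session key
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,                # space-separated; encoded as %20 below
        "state": state,
    }
    return f"https://{domain}/authorize?" + urlencode(params, quote_via=quote)


def extract_code(callback_url, session):
    """Check state on the redirect back, then return the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    returned = query.get("state", [""])[0]
    # Compare as bytes in constant time; a missing or different state is rejected.
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: discard this response")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code parameter")
    return codes[0]


if __name__ == "__main__":
    session = {}  # constructed stand-in for a server-side session store
    print(build_authorize_url("YOUR_AUTH0_DOMAIN", "YOUR_CLIENT_ID",
                              "https://YOUR_APP/callback", "openid profile", session))
    # Constructed callback, shaped like the Location header shown above.
    callback = ("https://YOUR_APP/callback?code=AUTHORIZATION_CODE&state="
                + session["oauth_state"])
    print(extract_code(callback, session))
```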