To begin the flow, you'll need to get the user's authorization. This step may include one or more of the following processes:
- Authenticating the user;
- Redirecting the user to an Identity Provider to handle authentication;
- Checking for active SSO sessions;
- Obtaining user consent for the requested permission level, unless consent has been previously given.
To authorize the user, your app must send the user to the authorization URL.
https://YOUR_DOMAIN/authorize? response_type=code& client_id=YOUR_CLIENT_ID& redirect_uri=https://YOUR_APP/callback& scope=SCOPE& audience=API_AUDIENCE& state=STATE
Note that for authorizing a user when calling an API, you:
- must include an audience parameter
- can include additional scopes supported by the target API
||Denotes the kind of credential that Auth0 will return (
||Your application's Client ID. You can find this value in your Application Settings.|
||The URL to which Auth0 will redirect the browser after authorization has been granted by the user. The Authorization Code will be available in the
Warning: Per the OAuth 2.0 Specification, Auth0 removes everything after the hash and does not honor any fragments.
||Specifies the scopes for which you want to request authorization, which dictate which claims (or user attributes) you want returned. These must be separated by a space. You can request any of the standard OIDC scopes about users, such as
||The unique identifier of the API your web app wants to access. Use the Identifier value on the Settings tab for the API you created as part of the prerequisites for this tutorial.|
||(recommended) An opaque arbitrary alphanumeric string your app adds to the initial request that Auth0 includes when redirecting back to your application. To see how to use this value to prevent cross-site request forgery (CSRF) attacks, see Mitigate CSRF Attacks With State Parameters.|
As an example, your HTML snippet for your authorization URL when calling an API might look like:
<a href="https://YOUR_DOMAIN/authorize? response_type=code& client_id=YOUR_CLIENT_ID& redirect_uri=https://YOUR_APP/callback& scope=appointments%20contacts& audience=appointments:api& state=xyzABC123"> Sign In </a>
If all goes well, you'll receive an
HTTP 302 response. The authorization code is included at the end of the URL:
HTTP/1.1 302 Found Location: https://YOUR_APP/callback?code=AUTHORIZATION_CODE&state=xyzABC123