Implicit Flow with Form Post
You can use OpenID Connect (OIDC) with many different flows to achieve web sign-in for a traditional web app. In one common flow, you obtain an ID token using authorization code flow performed by the app backend. This method is effective and robust, however, it requires your web app to obtain and manage a secret. You can avoid that burden if all you want to do is implement sign-in and you don’t need to obtain access tokens for invoking APIs.
Implicit Flow with Form Post flow uses OIDC to implement web sign-in that is very similar to the way SAML and WS-Federation operates. The web app requests and obtains tokens through the front channel, without the need for secrets or extra backend calls. With this method, you don’t need to obtain, maintain, use, and protect a secret in your application.
How it works
The user clicks Login in the app.
Auth0's SDK redirects the user to the Auth0 Authorization Server (/authorize endpoint) passing along a
id_tokenthat indicates the type of requested credential. It also passes along a
form_postto ensure security.
Your Auth0 Authorization Server redirects the user to the login and authorization prompt.
The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the app.
Your Auth0 Authorization Server redirects the user back to the app with an ID Token.
How to implement it
You can use our Express OpenID Connect SDK to securely implement the Implicit Flow with Form Post.
Finally, you can follow our tutorials to use our API endpoints to Add Login Using the Implicit Flow with Form Post.