Authorization Code Flow
Because regular web apps are server-side apps where the source code is not publicly exposed, they can use the Authorization Code Flow (defined in OAuth 2.0 RFC 6749, section 4.1), which exchanges an Authorization Code for a token. Your app must be server-side because during this exchange, you must also pass along your application's Client Secret, which must always be kept secure, and you will have to store it in your client.
How it works
The user clicks Login within the regular web application.
Auth0's SDK redirects the user to the Auth0 Authorization Server (
Your Auth0 Authorization Server redirects the user to the login and authorization prompt.
The user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the regular web application.
Your Auth0 Authorization Server redirects the user back to the application with an authorization
code, which is good for one use.
Auth0's SDK sends this
codeto the Auth0 Authorization Server (
/oauth/tokenendpoint) along with the application's Client ID and Client Secret.
Your Auth0 Authorization Server verifies the code, Client ID, and Client Secret.
Your Auth0 Authorization Server responds with an ID Token and Access Token (and optionally, a Refresh Token).
Your application can use the Access Token to call an API to access information about the user.
The API responds with requested data.
How to implement it
The easiest way to implement the Authorization Code Flow is to follow our Regular Web App Quickstarts.