Hosted Login vs. Embedded Login
When you design the login experience for your application, you’ll need to decide if you want it to be hosted (Universal Login) or embedded.
Hosted login
In a hosted login flow, the application redirects the user to the authorization server to perform authentication, and then the authorization server returns the user to the application.
Universal Login flow
In the typical user authentication experience with Universal Login:
Your application triggers an authentication request by invoking an Auth0 SDK’s login method or by calling the Auth0 Authentication API Login endpoint directly.
Your application redirects the user to the Auth0 authorization server (your Auth0 tenant).
Auth0 checks for a session cookie on the Auth0 Session Layer.
If a session cookie is not found, Auth0 redirects the user to Universal Login to authenticate and creates an associated session cookie.
If a session cookie is found, Auth0 uses it to authenticate the user.
Auth0 returns the user to your application with an ID token and an access token.
Embedded login
In an embedded login flow, the user authenticates directly within your application. The application serves the login form, collects the user’s credentials, sends that data to the authentication provider, and then receives a response with the user’s ID token and access token.
For web applications, embedded login uses cross-origin authentication unless you configure a custom domain for your Auth0 tenant. Cross-origin authentication uses third-party cookies to allow for secure authentication transactions across different origins.
Feature comparison
| Feature | Hosted | Embedded |
|---|---|---|
| Single Sign-on | Full support with Universal Login through the use of session cookies on the Auth0 Authorization Server (your Auth0 tenant). | Limited support. Web applications that use the Lock or Auth0.js libraries can share sessions. Native applications can share sessions with web applications through Native to Web SSO. |
| Customization | Universal Login allows you to easily customize many parts of the experience (including theming, page templates, text elements, and prompts). Full customization is supported through Advanced Customizations for Universal Login. |
Highest degree of customization, since you fully control the UI/UX of your application. |
| Feature management | Features can be centrally managed within the Auth0 Dashboard or through the Auth0 Management API. For example, when you enable/disable MFA in your Dashboard, it will be immediately reflected in subsequent user logins. |
Features must be managed for each application individually. For example, if you wanted to implement MFA for your web application and for your native application, you’d have to update and release new versions for both. |
| User experience | Users are redirected between your application and the Auth0 Authorization Server during authentication. For native applications, this requires implementation of universal/deep links. |
Users remain in your application during authentication. |
| Security and maintenance | Auth0 monitors security trends and updates Universal Login accordingly. | You are responsible for following security best practices and implementing provided technologies accordingly. |
Best practice
According to RFC 8252: OAuth 2.0 for Native Apps on IETF, only external user-agents (such as the browser) should be used by native applications for authentication flows.