Auth0 offers two ways to implement login authentication for your applications:
Universal Login where users log in to your application through a page hosted by Auth0.
Embedded Login where users log in to your application through a page you host.
For the vast majority of use cases, we recommend Universal Login. It's safe and easy to implement.
Universal Login is Auth0's implementation of the login flow, which is the key feature of an Authorization Server. With Universal Login, users are redirected from your application to a login page hosted by Auth0. Auth0 then authenticates the user and returns them to your application. Since login and authentication take place on the same domain, credentials are not sent across origins, increasing security and protecting against attacks such as phishing and bucket brigade.
Universal Login functionality and features are driven from web pages served by Auth0, so you can adjust the login experience in real-time without changing your application code. Universal Login page appearance and behavior are customizable from the Dashboard.
There are two versions of Universal Login:
Embedded Login allows users to log in on a page hosted by your application and then their credentials are sent to Auth0.
There may be security concerns with this approach because login and authentication take place on different domains. If you need to use Embedded Login, you should configure a custom domain to mitigate any risks. You can then use one of our libraries (such as the Lock.js or Auth0.js SDK) to implement login in your application or use our API to build your own user interface.