</noscript></div><div><div id="consent_blackbar"></div><div id="teconsent" style="position:absolute;top:-100px"></div><script async="" src="//consent.trustarc.com/notice?domain=auth0banner.com&c=teconsent&js=nj&noticeType=bb&text=true"></script></div><div data-swiftype-index="false" class="docs-single"><div id="app"><div class="docs-application" data-reactroot=""><header class=" header--3gcmp showSearch--3PZux "><div class="container headerContainer--1Osh9 flexRow--2n9x1"><div class="col-md-3"><h1 class="brand--2Ou8K"><a href="https://auth0.com/"><svg class="logo--xgzNN" viewBox="196 38 89 32" xmlns="http://www.w3.org/2000/svg"><g fill="none" fill-rule="evenodd"><path d="M279.706 46.402c-1.556 0-2.873.725-3.807 2.096-.93 1.363-1.42 3.266-1.42 5.502 0 2.236.49 4.14 1.42 5.502.93 1.37 2.25 2.096 3.8 2.096s2.87-.725 3.8-2.096c.93-1.363 1.42-3.266 1.42-5.502 0-2.236-.49-4.14-1.42-5.502-.94-1.37-2.25-2.096-3.81-2.096zm0 13.313c-.744 0-1.332-.416-1.798-1.272-.562-1.035-.872-2.613-.872-4.443 0-1.83.31-3.408.872-4.443.466-.856 1.054-1.272 1.798-1.272.743 0 1.33.416 1.797 1.272.562 1.035.872 2.612.872 4.443 0 1.83-.31 3.41-.872 4.443-.466.856-1.054 1.272-1.797 1.272zm-33.725-7.777v6.535c0 1.723 1.42 3.125 3.16 3.125 1.52 0 2.67-.746 3.1-1.066.03-.018.06-.024.09-.015.03.01.05.03.06.06l.257.825h1.883v-9.464h-2.42v7.076c0 .034-.02.064-.05.08-.455.232-1.35.62-2.25.62-.768 0-1.39-.615-1.39-1.374v-6.402H246zm24.24 9.464h2.42v-6.536c0-1.723-1.41-3.125-3.16-3.125-1.28 0-2.31.55-2.81.87-.03.02-.06.02-.09.01s-.05-.04-.05-.08V46.6h-2.42v14.804h2.42v-7.077c0-.034.02-.064.05-.08.46-.232 1.36-.62 2.26-.62.37 0 .72.142.983.4.263.26.407.607.407.974v6.4zm-13.96-7.582h1.48c.05 0 .09.04.09.09v5.206c0 1.368 1.13 2.482 2.51 2.482.506 0 1-.072 1.477-.213v-1.71c-.28.025-.597.04-.823.04-.407 0-.74-.328-.74-.732V53.91c0-.05.04-.09.09-.09h1.474v-1.883h-1.473c-.05 0-.09-.04-.09-.09v-3.124h-2.42v3.125c0 .05-.04.09-.09.09h-1.472v1.882zm-14.14 7.582h2.52L240.8 48.2c-.307-1.06-1.3-1.798-2.413-1.798-1.114 0-2.107.74-2.414 1.798l-3.828 13.202h2.517l1.108-3.82c.012-.04.047-.066.087-.066h5.06c.04 0 .075.026.086.065l1.108 3.83zm-1.79-5.768h-3.86c-.026 0-.053-.014-.07-.036-.02-.022-.022-.052-.015-.078l1.933-6.66c.01-.04.046-.065.087-.065.04 0 .072.026.083.064l1.93 6.66c.01.02.005.05-.012.07s-.042.03-.07.03z" fill="#15214D"></path><path d="M219.03 63.878l-3.245-9.88 8.497-6.102H213.78l-3.247-9.88v-.002h10.504l3.247 9.88h.002c1.886 5.73-.056 12.25-5.255 15.984zm-16.996 0l-.003.002 8.5 6.106 8.5-6.108-8.49-6.105-8.5 6.105zm-5.253-15.985c-1.98 6.042.32 12.445 5.26 15.986v-.01l3.25-9.88-8.49-6.11h10.5l3.247-9.88.003-.006h-10.51l-3.25 9.88z" fill="#EB5424"></path></g></svg></a><a href="/docs" class="title--1hjaL">Docs</a><button type="button" class="toggleButton--39Kkb "><span class="screenReaderOnly--1h9yr">Toggle navigation</span><span class="iconBar--1Dzsz"></span><span class="iconBar--1Dzsz"></span><span class="iconBar--1Dzsz"></span><span class="iconBar--1Dzsz"></span></button></h1></div><nav class="flexRow--2n9x1"><div class="flexNav--2f79F"><ul class="navbarLinks--1LeJb"><li class="active"><a href="/docs/get-started">Articles</a></li><li class=""><a href="/docs/quickstarts">Quickstarts</a></li><li class=""><a href="/docs/api">Auth0 APIs</a></li><li class=""><a href="/docs/libraries">Libraries</a></li><li class=""><a href="/docs/videos">Videos</a></li><li class=""><a href="/docs/identity-labs">Identity Labs</a></li></ul><div class="form-group search-control navbarSearch--2Xu1M"><form id="search" role="search" class="search-form" autoComplete="off"><div><i class="icon-budicon-489"></i><input type="text" id="search-input" class="search-input form-control" placeholder="Search" value=""/></div></form></div></div><div class="actions--vMRkw"><a href="https://auth0.com/get-started?place=header&type=button&text=talk%20to%20sales" class="talkToSales--2pGPn btn btn-transparent btn-sml">Talk to Sales</a><button class="login-link btn btn-transparent btn-sm">Login</button><button class="login-button btn btn-success btn-sm">Sign up</button></div></nav></div></header><div class=" docs-article doc-with-sidebar docs-with-toc "><div><div><div></div><div class="stickyNav--3Xwr-"><div class="container--1aI5J container"><h3 class="title--2GBV6">OIDC-Conformant Adoption: Resource Owner Password Flow</h3><div class="buttons--3gxAI"><a href="https://auth0.com/get-started?place=header&type=button&text=talk%20to%20sales" class="btn--1d7ou btn btn-primary"><svg width="24" height="14" viewBox="5 0 14 14" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M13 6.505a5.301 5.301 0 0 1-.6 2.46 5.567 5.567 0 0 1-2.088 2.222 5.791 5.791 0 0 1-2.979.822 5.721 5.721 0 0 1-2.533-.582L1 12.657l1.267-3.691a5.3 5.3 0 0 1-.6-2.461c0-1.022.293-2.024.847-2.893A5.61 5.61 0 0 1 4.8 1.582 5.721 5.721 0 0 1 7.333 1h.334a5.73 5.73 0 0 1 3.686 1.6A5.422 5.422 0 0 1 13 6.181v.324z" stroke="#fff" stroke-linecap="round" stroke-linejoin="round"></path></svg>Talk to Sales</a></div></div></div></div><div class="document"><div><div class="js-doc-template container" style="margin-bottom:40px"><div class="row"><div class="sidebar-container col-md-3"><div><div></div><div class=""><div class="sidebar is-article"><div class="section-title">articles</div><ul class=" sidebar-item-list sidebar-item-list-depth0 "><div class="mobile-dropdown-trigger" role="button"><h5 class="mobile-dropdown-title"><span>Login</span></h5><i class="mobile-dropdown-icon icon-budicon-460"></i></div><div class="mobile-dropdown-content scrollable"><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/get-started">Get Started</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/get-started">Auth0 Overview</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/get-started/dashboard">Dashboard Overview</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/get-started/learn-the-basics">Create Tenants</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/applications/set-up-an-application">Register Applications</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/get-started/set-up-apis">Register APIs</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/get-started/authentication-and-authorization">Authentication and Authorization</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/glossary">Glossary</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/architecture-scenarios">Architecture Scenarios</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/b2c">Business to Consumer</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/architecture">Architecture</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/provisioning">Provisioning</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/authentication">Authentication</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/branding">Branding</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/deployment">Deployment Automation</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/quality-assurance">Quality Assurance</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/profile-management">Profile Management</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/authorization">Authorization</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/logout">Logout</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/operations">Operations</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2c/launch">Launch Preparation</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/b2b">Business to Business</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/architecture">Architecture</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/provisioning">Provisioning</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/authentication">Authentication</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/branding">Branding</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/deployment">Deployment Automation</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/quality-assurance">Quality Assurance</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/profile-management">Profile Management</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/authorization">Authorization</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/logout">Logout</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/operations">Operations</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/b2b/launch">Launch Preparation</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/b2e">Business to Employees</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/web-app-sso">SSO for Regular Web Apps</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/web-app-sso/part-1">Solution Overview</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/web-app-sso/part-2">Configuration</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/web-app-sso/part-3">Implementation</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/web-app-sso/part-4">Conclusion</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/multiple-organization-architecture">Multiple Organization Architecture</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/multiple-organization-architecture/users-isolated-by-organization/single-identity-provider-organizations">Single Identity Provider Organizations</a><ul class="sidebar-item-list sidebar-item-list-depth3 "><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/architecture-scenarios/multiple-organization-architecture/users-isolated-by-organization/single-identity-provider-organizations/provisioning">Provisioning</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/architecture-scenarios/multiple-organization-architecture/users-isolated-by-organization/single-identity-provider-organizations/authentication">Authentication</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/architecture-scenarios/multiple-organization-architecture/users-isolated-by-organization/single-identity-provider-organizations/branding">Branding</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/architecture-scenarios/multiple-organization-architecture/users-isolated-by-organization/single-identity-provider-organizations/authorization">Authorization</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/architecture-scenarios/multiple-organization-architecture/users-isolated-by-organization/single-identity-provider-organizations/profile-management">Profile Management</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/architecture-scenarios/multiple-organization-architecture/users-isolated-by-organization/single-identity-provider-organizations/logout">Logout</a></li></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/multiple-organization-architecture/users-isolated-by-organization/multiple-identity-provider-organizations">Multiple Identity Provider Organizations</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/server-api">Server Application + API</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/server-api/part-1">Solution Overview</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/server-api/part-2">Configuration</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/server-api/part-3">Implementation</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/server-api/part-4">Conclusion</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/spa-api">SPA + API</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/spa-api/part-1">Solution Overview</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/spa-api/part-2">Configuration</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/spa-api/part-3">Implementation</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/spa-api/part-4">Conclusion</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/mobile-api">Mobile + API</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/mobile-api/part-1">Solution Overview</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/mobile-api/part-2">Configuration</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/mobile-api/part-3">Implementation</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/architecture-scenarios/mobile-api/part-4">Conclusion</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/checklists">Implementation Checklists</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/architecture-scenarios/implementation-resources">Implementation Resources</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/deploy">Deploy</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/deploy/deploy-options">Deployment Options</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/deploy/deploy-checklist">Deployment Checklist</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/deploy/pre-deployment">Pre-Deployment</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/pre-deployment/how-to-run-production-checks">Run Production Checks</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/pre-deployment/pre-launch-tips">Pre-Launch Tips</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/deploy/deploy-cli-tool">Deploy CLI Tool</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/deploy-cli-tool/install-and-configure-the-deploy-cli-tool">Install Deploy CLI</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/deploy-cli-tool/call-deploy-cli-tool-programmatically">Call Deploy CLI</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/deploy-cli-tool/incorporate-deploy-cli-into-build-environment">Incorporate into Build Environment</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/deploy-cli-tool/import-export-tenant-configuration-to-directory-structure">Import/Export Directory Structure</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/deploy-cli-tool/import-export-tenant-configuration-to-yaml-file">Import/Export YAML File</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/deploy-cli-tool/environment-variables-and-keyword-mappings">Environment Variables</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/deploy-cli-tool/deploy-cli-tool-options">Deploy CLI Options</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/deploy/private-cloud">Private Cloud Options</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/private-cloud/private-cloud-onboarding">Onboarding</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/private-cloud/private-cloud-operations">Operations</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/deploy/private-cloud/private-cloud-migrations">Migrations</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined is-current "><a class="" href="/docs/login">Login</a><ul class="sidebar-item-list sidebar-item-list-depth1 is-current"><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/universal-login">Universal Login</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/new-experience">New Experience</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/classic-experience">Classic Experience</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/customize-password-reset-page">Password Reset</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/classic-experience/mfa-classic-experience">Multi-factor Authentication</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/configure-universal-login-with-passwordless">Passwordless</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/identifier-first">Identifier-First Authentication</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/error-pages">Error Pages</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/new-experience/text-customization-new-universal-login">Text Customization</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/configure-default-login-routes">Default Login URL</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/universal-login/version-control-universal-login-pages">Version Control</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/universal-login/universal-vs-embedded-login">Universal vs. Embedded Login</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/login/embedded-login">Embedded Login</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/libraries/lock">Lock for Web</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/libraries/auth0js">Auth0.js</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/login/embedded-login/cross-origin-authentication">Cross-Origin Authentication</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/flows">Authentication Flows</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/flows/add-login-auth-code-flow">Regular Web App</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/flows/add-login-using-the-implicit-flow-with-form-post">Single-Page App</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/flows/add-login-using-the-authorization-code-flow-with-pkce">Native App</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/sessions/cookies/spa-authenticate-with-cookies">Authenticate Single-Page Apps with Cookies</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/mfa">Multi-factor Authentication</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/mfa-factors">Factors</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/enable-mfa">Enable MFA</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/adaptive-mfa">Adaptive MFA</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/auth0-guardian">Guardian</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/customize-mfa-user-pages">Customize MFA</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/reset-user-mfa">Reset MFA</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/step-up-authentication">Step-up Authentication</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/mfa-developer-resources">MFA Developer Resources</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/troubleshoot-mfa-issues">Troubleshoot MFA</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/authorization/configure-silent-authentication">Silent Authentication</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/redirect-users-after-login">Redirect After Login</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/logout">Logout</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logout/log-users-out-of-applications">Apps</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logout/log-users-out-of-auth0">Auth0</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logout/log-users-out-of-idps">Identity Providers</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logout/log-users-out-of-saml-idps">SAML Identity Providers</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logout/redirect-users-after-logout">Redirect After Logout</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined is-current "><a class="" href="/docs/login/adopt-oidc-conformant-authentication">Adopt OIDC Conformant Auth</a><ul class="sidebar-item-list sidebar-item-list-depth2 is-current"><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-apis">APIs</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-access-tokens">Access Tokens</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-auth-code-flow">Authorization Code Flow</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-client-credentials-flow">Client Credentials Flow</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-delegation">Delegation</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-implicit-flow">Implicit Flow</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-refresh-tokens">Refresh Tokens</a></li><li class="sidebar-item sidebar-item-depth2 undefined is-current "><a class="active" href="/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-rop-flow">Resource Owner Password Flow</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-sso">Single Sign-On</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/connections">Connections</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/connections/identity-providers-social">Social Identity Providers</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/connections/identity-providers-enterprise">Enterprise Identity Providers</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/connections/identity-providers-legal">Legal Identity Providers</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/connections/database">Database</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/database">Auth0 User Store</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/database/custom-db">Your User Store</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/database/password-options">Password Policies</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/database/password-strength">Password Strength</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/connections/pass-parameters-to-idps">Pass Parameters to Identity Providers</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/connections/passwordless">Passwordless</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/passwordless">Authentication Factors</a><ul class="sidebar-item-list sidebar-item-list-depth3 "><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/connections/passwordless/guides/email-otp">Email</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/connections/passwordless/guides/email-magic-link">Magic Link</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/connections/passwordless/guides/sms-otp">SMS</a></li></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/passwordless/guides/universal-login">Universal Login</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/passwordless/guides/embedded-login">Embedded Login</a><ul class="sidebar-item-list sidebar-item-list-depth3 "><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/connections/passwordless/reference/relevant-api-endpoints">Passwordless APIs</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/connections/passwordless/guides/embedded-login-native">Native Apps</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/connections/passwordless/guides/embedded-login-webapps">Web Apps</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/connections/passwordless/guides/embedded-login-spa">SPAs</a></li></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/passwordless/guides/best-practices">Best Practices</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/organizations">Organizations</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/organizations/create-first-organization">Create Your First Organization</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/organizations/custom-development">Custom Development</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/organizations/using-tokens">Work with Tokens</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/organizations/configure-organizations">Configure Organizations</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/create-organizations">Create Organizations</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/delete-organizations">Delete Organizations</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/define-organization-behavior">Define Organization Behavior</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/enable-connections">Enable Connections</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/disable-connections">Disable Connections</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/invite-members">Invite Members</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/send-membership-invitations">Send Membership Invitations</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/grant-just-in-time-membership">Grant Just-In-Time Membership</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/assign-members">Assign Members Directly</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/remove-members">Remove Members Directly</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/add-member-roles">Add Roles to Members</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/remove-member-roles">Remove Roles from Members</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/retrieve-organizations">Retrieve Organizations</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/retrieve-connections">Retrieve Connections</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/retrieve-members">Retrieve Members</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/retrieve-user-membership">Retrieve User's Membership</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/organizations/retrieve-member-roles">Retrieve Member Roles</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/authorization">Authorization</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/flows">Authorization Flows</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/flows/call-your-api-using-the-authorization-code-flow">Authorization Code</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/flows/call-your-api-using-the-authorization-code-flow-with-pkce">Authorization Code with PKCE</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/flows/call-your-api-using-the-client-credentials-flow">Client Credentials</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/flows/call-your-api-using-the-device-authorization-flow">Device Authorization</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/authorization/rbac">Role-based Access Control (RBAC)</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/authorization/authorization-policies">Authorization Policies</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/authorization/rules-for-authorization-policies">Rules for Authorization Policies</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/authorization/sample-use-cases-role-based-access-control">Sample Use Cases - RBAC</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/authorization/sample-use-cases-rules-with-authorization">Sample Use Cases - Rules</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/authorization/authorization-core-vs-authorization-extension">Authz Core vs. Authz Extension</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/authorization/how-to-use-auth0s-core-authorization-feature-set">How to Configure Core RBAC</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/authorization/rbac/roles">Manage Roles</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/authorization/rbac-users">Manage RBAC Users</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/authorization/manage-permissions">Manage RBAC Permissions</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/authorization/rbac/enable-role-based-access-control-for-apis">Enable RBAC for APIs</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/config">Configuration</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/config/tenant-settings">Tenant Settings</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/dashboard-access">Dashboard Access</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/config/tenant-settings/signing-keys">Signing Keys</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/get-started/dashboard/configure-session-lifetime-settings">Configure Session Lifetime Settings</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/get-started/dashboard/configure-device-user-code-settings">Configure Device User Code Settings</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/best-practices/tenant-settings-best-practices">Recommended Settings</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/applications/dynamic-client-registration">Dynamic Client Registration</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/get-started/dashboard/application-settings">Application Settings</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/applications/update-grant-types">Update Grant Types</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/applications/enable-android-app-links-support">Android App Links</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/enable-universal-links-support-in-apple-xcode">Apple Universal Links</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/applications/remove-applications">Remove Applications</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/applications/view-application-type">View Application Type</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/get-started/dashboard/rotate-client-secret">Rotate Client Secret</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/applications/wildcards-for-subdomains">Wildcards for Subdomains</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/best-practices/app-settings-best-practices">Recommended Settings</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/get-started/dashboard/api-settings">API Configuration</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/tokens/signing-algorithms">Signing Algorithms</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/authorization/represent-multiple-apis-using-a-single-logical-api">Represent Multiple APIs with a Single API</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/sso">Single Sign-On</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/sso/inbound-single-sign-on">Inbound SSO</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/sso/outbound-single-sign-on">Outbound SSO</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/sso/api-endpoints-for-single-sign-on">Relevant API Endpoints</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/attack-protection">Attack Protection</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/attack-protection/bot-detection">Bot Detection</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/attack-protection/breached-password-detection">Breached Passwords</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/attack-protection/brute-force-protection">Brute Force Attacks</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/attack-protection/suspicious-ip-throttling">Suspicious IP Throttling</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/attack-protection/customize-blocked-account-emails">Customize Blocked Account Emails</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/attack-protection/view-attack-protection-events">View Events</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/protocols/saml-protocol">SAML Configuration Options</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/protocols/saml-protocol/saml-configuration-options">SAML SSO Integrations</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/protocols/saml-protocol/configure-auth0-saml-service-provider">Auth0 as SP</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/protocols/saml-protocol/configure-auth0-as-saml-identity-provider">Auth0 as IdP</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/protocols/saml-protocol/configure-auth0-as-service-and-identity-provider">Test SAML SSO</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/protocols/saml-protocol/saml-identity-provider-configuration-settings">IdP Settings</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/protocols/saml-protocol/special-saml-configuration-scenarios">Special Scenarios</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/protocols/saml-protocol/customize-saml-assertions">Customize SAML Assertions</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/protocols/saml-protocol/deprovision-users-in-saml-integrations">Deprovision Users</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/users">Manage Users</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/user-profiles">User Profiles</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/normalized-user-profiles">Normalized User Profile</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/update-user-profiles-using-your-database">Update Profiles Using Your Database</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/progressive-profiling">Progressive Profiling</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/user-profile-structure">User Profile Structure</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/metadata">Metadata</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/manage-user-metadata">Manage User Metadata</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/read-metadata">Read Metadata</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/set-metadata-properties-on-creation">Set Metadata Properties on Creation</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/update-metadata-with-the-management-api">Update Metadata with the Management API</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/best-practices/metadata-best-practices">Metadata Best Practices</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/sessions">Sessions</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/sessions/session-layers">Session Layers</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/sessions/session-lifetime-limits">Session Lifetime Limits</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/sessions/non-persistent-sessions">Non-Persistent Sessions</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/sessions/manage-multi-site-sessions">Manage Multi-Site Sessions with Auth0 SDK</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/sessions/cookies/authentication-api-cookies">Authentication API Cookies</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/deny-api-access">Deny Access to an API Using Rules</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/manage-users-using-the-dashboard">Using the Dashboard</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/manage-users-using-the-management-api">Using the API</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/verify-emails">Verify Emails</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/verified-email-usage">Email Verified Usage</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/user-account-linking">Link User Accounts</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/link-user-accounts">Link User Accounts</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/unlink-user-accounts">Unlink User Accounts</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/user-initiated-account-linking-client-side-implementation">Client-Side SPA Scenario</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/suggested-account-linking-server-side-implementation">Server-Side Regular Web App Scenario</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/import-and-export-users">Import & Export Users</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/bulk-user-import-database-schema-and-examples">File Schema</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/configure-automatic-migration-from-your-database">Automatic</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/bulk-user-imports">Bulk Import</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/bulk-user-exports">Bulk Export</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/extensions/user-import-export-extension">User Import/Export Extension</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/user-migration-scenarios">Examples</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/users/user-search">User Search</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/user-search/retrieve-users-with-get-users-endpoint">Get Users</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/user-search/retrieve-users-with-get-users-by-email-endpoint">Get Users by Email</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/user-search/retrieve-users-with-get-users-by-id-endpoint">Get Users by ID</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/user-search/sort-search-results">Sort Search Results</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/user-search/view-search-results-by-page">View Search Results</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/users/user-search/user-search-query-syntax">Query Syntax</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/best-practices/user-search-best-practices">Best Practices</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/dashboard-access">Manage Dashboard Access</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/dashboard-access/feature-access-by-role">Dashboard Access by Role</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/dashboard-access/add-dashboard-users">Add Tenant Members</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/dashboard-access/edit-dashboard-users">Edit Tenant Members</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/dashboard-access/remove-dashboard-users">Remove Tenant Members</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/dashboard-access/add-change-remove-mfa">Manage Access with MFA</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/dashboard-access/update-dashboard-user-email">Update Dashboard User Email</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/brand-and-customize">Brand & Customize</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/universal-login/new-experience/universal-login-page-templates">Universal Login Pages</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/custom-domains">Custom Domains</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/custom-domains/configure-custom-domains-with-auth0-managed-certificates">Auth0-Managed Certificates</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/custom-domains/configure-custom-domains-with-self-managed-certificates">Self-Managed Certificates</a><ul class="sidebar-item-list sidebar-item-list-depth3 "><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/custom-domains/configure-custom-domains-with-self-managed-certificates/configure-gcp-as-reverse-proxy">Google Cloud Platform Reverse Proxy</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/custom-domains/configure-custom-domains-with-self-managed-certificates/configure-cloudflare-for-use-as-reverse-proxy">Cloudflare Reverse Proxy</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/custom-domains/configure-custom-domains-with-self-managed-certificates/configure-aws-cloudfront-for-use-as-reverse-proxy">Cloudfront Reverse Proxy</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/custom-domains/configure-custom-domains-with-self-managed-certificates/configure-azure-cdn-for-use-as-reverse-proxy">Azure CDN Reverse Proxy</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/custom-domains/tls-ssl">TLS (SSL) Versions and Ciphers</a></li></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/custom-domains/configure-features-to-use-custom-domains">Configure Auth0 Features</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/custom-domains/troubleshoot-custom-domains">Troubleshoot Custom Domains</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/email">Email</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/email/manage-email-flow">Email Handling</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/email/customize-email-templates">Email Templates</a><ul class="sidebar-item-list sidebar-item-list-depth3 "><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/email/customize-email-templates/use-liquid-syntax-in-email-templates">Liquid Syntax</a></li><li class="sidebar-item sidebar-item-depth3 undefined "><a class="" href="/docs/email/customize-email-templates/email-template-descriptions">Template Descriptions</a></li></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/email/configure-external-smtp-email-providers">External SMTP Email Providers</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/email/configure-custom-external-smtp-email-provider">Custom SMTP Email Provider</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/email/configure-test-smtp-email-servers">Test SMTP Email Server</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/email/send-email-invitations-for-application-signup">Send Email Invitations for Application Signup</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/scopes/customize-consent-prompts">Consent Prompt</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/i18n">Internationalization and Localization</a><ul class="sidebar-item-list sidebar-item-list-depth2 "></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/actions">Actions</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/actions/write-your-first-action">Write Your First Action</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/actions/triggers">Triggers</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/actions/triggers/post-login">post-login</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/actions/triggers/credentials-exchange">credentials-exchange</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/actions/triggers/pre-user-registration">pre-user-registration</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/actions/triggers/post-user-registration">post-user-registration</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/actions/triggers/post-change-password">post-change-password</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/actions/triggers/send-phone-message">send-phone-message</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/actions/limitations">Limitations</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/actions/manage-action-versions">Manage Action Versions</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/actions/programming-model-changes">Programming Model Changes</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/rules">Rules</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/create-rules">Create a New Rule</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/use-cases">Rules Use Cases</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/configuration">Store Configuration for Rules</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/cache-resources">Cache Expensive Resources</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/debug-rules">Debug Rules</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/use-management-api">Management API in Rules</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/metadata">Metadata in Rules</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/redirect-users">Redirect Users from Rules</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/user-object-in-rules">User Object</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/rules/context-object">Context Object</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/hooks">Hooks</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/hooks/create-hooks">Create Hooks</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/hooks/update-hooks">Update Hooks</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/hooks/delete-hooks">Delete Hooks</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/hooks/enable-disable-hooks">Enable/Disable Hooks</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/hooks/view-hooks">View Hooks</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/hooks/view-logs-for-hooks">View Logs</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/hooks/extensibility-points">Extensibility Points</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/hooks/extensibility-points/client-credentials-exchange">Client Credentials Exchange</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/hooks/extensibility-points/post-change-password">Post-Change Password</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/hooks/extensibility-points/post-user-registration">Post-User Registration</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/hooks/extensibility-points/pre-user-registration">Pre-User Registration</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/hooks/extensibility-points/send-phone-message">Send Phone Message</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/hooks/hook-secrets">Hook Secrets</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/hooks/hook-secrets/create-hook-secrets">Create Secrets</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/hooks/hook-secrets/update-hook-secrets">Update Secrets</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/hooks/hook-secrets/delete-hook-secrets">Delete Secrets</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/hooks/hook-secrets/view-hook-secrets">View Secrets</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/extensions">Extensions</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/authorization-extension">Authorization Extension</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/delegated-administration-extension">Delegated Administration</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/single-sign-on-dashboard-extension">SSO Dashboard Extension</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/auth0-authentication-api-webhooks">Authentication API Webhooks</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/auth0-management-api-webhooks">Management API Webhooks</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/authentication-api-debugger-extension">Authentication API Debugger</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/ad-ldap-connector-health-monitor">AD/LDAP Connector Health Monitor</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/real-time-webtask-logs">Real-time Webtask Logs</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/export-logs-to-application-insights">Auth0 Logs to Application Insights</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/export-logs-to-cloudwatch">Auth0 Logs to AWS Cloudwatch</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/export-logs-to-azure-blob-storage">Auth0 Logs to Azure Blob Storage</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/export-logs-to-logentries">Auth0 Logs to Logentries</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/export-logs-to-loggly">Auth0 Logs to Loggly</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/export-logs-to-logstash">Auth0 Logs to Logstash</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/export-logs-to-mixpanel">Auth0 Logs to Mixpanel</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/export-logs-to-papertrail">Auth0 Logs to Papertrail</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/auth0-logs-to-sumo-logic">Auth0 Logs to Sumo Logic</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/extensions/export-logs-to-splunk">Auth0 Logs to Splunk</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/integrations">Integrations</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/integrations/aws">Amazon Web Services (AWS)</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/integrations/aws-api-gateway-custom-authorizers">AWS API Gateway</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/integrations/azure-api-management">Azure API Management</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/integrations/google-cloud-endpoints">Google Cloud Endpoints</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/integrations/sso">Single Sign-On</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/ad-rms">Active Directory RMS</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/adobe-sign">Adobe Sign</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/box">Box</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/cisco-webex">Cisco WebEx</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/cloudbees">CloudBees</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/concur">Concur</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/datadog">Datadog</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/dropbox">Dropbox</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/dynamics-crm">Dynamics CRM</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/egencia">Egencia</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/egnyte">Egnyte</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/eloqua">Eloqua</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/freshdesk">Freshdesk</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/g-suite">G Suite</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/github-enterprise-cloud">GitHub Enterprise Cloud</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/github-enterprise-server">GitHub Enterprise Server</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/heroku">Heroku</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/hosted-graphite">Hosted Graphite</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/litmos">Litmos</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/new-relic">New Relic</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/office-365">Office 365</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/pluralsight">Pluralsight</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/salesforce">Salesforce</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/sentry">Sentry</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/slack">Slack</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/springcm">SpringCM</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/sprout-video">Sprout Video</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/tableau-online">Tableau Online</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/tableau-server">Tableau Server</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/workday">Workday</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/workpath">Workpath</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/zendesk">Zendesk</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/sso/zoom">Zoom</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/integrations/marketing">Marketing</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/adobe-campaign">Adobe Campaign</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/alterian">Alterian</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/constant-contact">Constant Contact</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/eloqua">Oracle Eloqua</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/mailchimp">MailChimp</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/marketo">Marketo</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/sailthru">Sailthru</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/export-user-data-salesforce">Salesforce</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/salesforce-marketing-cloud">Salesforce Marketing Cloud</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/integrations/marketing/watson-campaign-automation">Watson Campaign Automation</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/logs">Logs</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/logs/streams">Log Streams</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logs/streams/stream-http-event-logs">HTTP Event Streams</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logs/streams/aws-eventbridge">AWS EventBridge</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logs/streams/stream-logs-to-azure-event-grid">Azure Event Grid</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logs/streams/stream-logs-to-datadog">Datadog</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logs/streams/stream-logs-to-splunk">Splunk</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/logs/streams/stream-logs-to-sumo-logic">Sumo Logic</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/logs/log-data-retention">Log Data Retention</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/logs/view-log-events-in-the-dashboard">View Log Data in the Dashboard</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/logs/log-event-filters">Log Event Filters</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/logs/retrieve-log-events-using-mgmt-api">Retrieve Logs Using the Management API</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/logs/log-event-type-codes">Log Event Type Codes</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/logs/log-search-query-syntax">Log Search Query Syntax</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/product-lifecycle/deprecations-and-migrations/migrate-to-tenant-log-search-v3">Migrate from Logs Search v2 to v3</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/monitor-auth0">Monitor</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/monitor-auth0/check-auth0-status">Check Auth0 Status</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/monitor-auth0/check-external-services-status">Check External Services Status</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/monitor-auth0/monitor-applications">Monitor Applications</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/monitor-auth0/monitor-using-scom">Monitor Using SCOM</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/troubleshoot">Troubleshoot</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-basic">Basic Issues</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-basic/verify-platform">Verify Platform</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-basic/verify-connections">Verify Connections</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-basic/verify-domain">Verify Domain</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-basic/verify-rules">Verify Rules</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-basic/check-error-messages">Check Error Messages</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-basic/invalid-token-errors">Invalid Token Errors</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-basic/check-deprecation-errors">Deprecation Errors</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-authentication">Authentication Issues</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-authentication/check-api-calls">API Calls</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-authentication/check-login-and-logout-issues">Login and Logout Issues</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-authentication/check-user-profiles">User Profiles</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-authentication/troubleshoot-rbac-authorization">RBAC and Authorization</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/mfa/troubleshoot-mfa-issues">MFA Issues</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-authentication/troubleshoot-saml-configurations">SAML Configurations</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-authentication/saml-errors">SAML Errors</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-authentication/self-change-password-errors">Self Change Password Errors</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/extensions/authorization-extension/troubleshoot-authorization-extension">Authorization Extension Issues</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/troubleshoot/troubleshoot-integration-and-extensibility">Integration and Extensibility Issues</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/how-to-test-partner-connection">Test Partner Connections</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/apple-siwa/troubleshooting">Sign in With Apple</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/connections/database/custom-db/error-handling">Custom Databases</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/extensions/ad-ldap-connector">Active Directory/LDAP Connector</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/extensions/troubleshoot-extensions">Extensions</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/libraries/auth0-php/troubleshoot-auth0-php-library">Auth0 PHP SDK</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/troubleshoot/tools">Tools</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/troubleshoot/tools/generate-and-analyze-har-files">Generate and Analyze HAR Files</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/extensions/authentication-api-debugger-extension">Authentication API Debugger</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/product-lifecycle">Product Lifecycle</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/product-lifecycle/product-release-stages">Product Release Stages</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/product-lifecycle/deprecations-and-migrations">Deprecations and Migrations</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/product-lifecycle/migration-process">Migration Process</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/product-lifecycle/deprecations-and-migrations/past-migrations">Past Migrations</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/security">Security</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/security/tips">General Security Tips</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/security/security-bulletins">Security Bulletins</a><ul class="sidebar-item-list sidebar-item-list-depth2 "></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/security/data-security">Data Security</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/security/data-security/denylist">Add User Attributes to Deny List</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/security/data-security/allowlist">Auth0 IP Addresses for Allow Lists</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/security/data-security/user-data-storage">User Data Storage</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/security/data-security/token-storage">Token Storage</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/security/prevent-threats">Prevent Common Threats</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/tokens">Tokens</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/tokens/id-tokens">ID Tokens</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/tokens/access-tokens">Access Tokens</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/tokens/refresh-tokens">Refresh Tokens</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/tokens/refresh-tokens/refresh-token-rotation">Refresh Token Rotation</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/tokens/refresh-tokens/configure-refresh-token-expiration">Refresh Token Expiration</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/tokens/revoke-tokens">Revoke Tokens</a></li></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/sessions/cookies">Cookies</a><ul class="sidebar-item-list sidebar-item-list-depth2 "></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/compliance">Data Privacy and Compliance</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/compliance/gdpr">GDPR</a><ul class="sidebar-item-list sidebar-item-list-depth2 "></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/compliance/data-processing">Data Processing</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/best-practices">Best Practices</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/best-practices/general-usage-and-operations-best-practices">General Usage and Operations</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/best-practices/connection-settings-best-practices">Connection Settings</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/best-practices/custom-database-connection-and-action-script-best-practices">Custom Databases and Scripts</a><ul class="sidebar-item-list sidebar-item-list-depth2 "></ul></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/best-practices/metadata-best-practices">Metadata</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/best-practices/rules-best-practices">Rules</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/best-practices/user-search-best-practices">Search</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/best-practices/token-best-practices">Tokens</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/support">Support</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/support">Support Options</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/support/product-support-matrix">Support Matrix</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/support/sla">SLA</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/support/open-and-manage-support-tickets">Tickets</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/support/support-center-users">Support Center Users</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/support/manage-subscriptions">Manage Subscription</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/policies">Operational Policies</a><ul class="sidebar-item-list sidebar-item-list-depth2 "><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/policies/billing-policy">Billing</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/policies/data-export-and-transfer-policy">Data Export and Transfer</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/security/public-cloud-service-endpoints">Endpoints</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/policies/load-testing-policy">Load Testing</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/policies/penetration-testing-policy">Penetration Testing</a></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/policies/rate-limit-policy">Rate Limits</a><ul class="sidebar-item-list sidebar-item-list-depth3 "></ul></li><li class="sidebar-item sidebar-item-depth2 undefined "><a class="" href="/docs/policies/entity-limit-policy">Entity Limits</a></li></ul></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="" href="/docs/professional-services">Professional Services</a><ul class="sidebar-item-list sidebar-item-list-depth1 "><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/professional-services/discover-design">Discover and Design</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/professional-services/implement">Implement</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/professional-services/maintain-improve">Maintain and Improve</a></li><li class="sidebar-item sidebar-item-depth1 undefined "><a class="" href="/docs/professional-services/packages">Packages</a></li></ul></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="arrow-item" href="https://marketplace.auth0.com/">Auth0 Marketplace<i class="icon-budicon-519"></i></a></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="arrow-item" href="https://community.auth0.com/">Auth0 Community<i class="icon-budicon-519"></i></a></li><li class="sidebar-item sidebar-item-depth0 undefined "><a class="arrow-item" href="https://auth0.com/blog/">Auth0 Blog<i class="icon-budicon-519"></i></a></li></div></ul></div></div></div></div><div class="col-md-8 docs-content-container"><div><ul class="breadcrumb" itemscope="" itemType="http://schema.org/BreadcrumbList"><li itemProp="itemListElement" itemscope="" itemType="http://schema.org/ListItem"><a href="/docs"><span class="text" itemProp="name">Docs</span><meta itemProp="position" content="5"/></a></li><li itemProp="itemListElement" itemscope="" itemType="http://schema.org/ListItem"><a href="https://auth0.com/docs/login"><span class="text" itemProp="name">Login</span><meta itemProp="position" content="5"/></a></li><li itemProp="itemListElement" itemscope="" itemType="http://schema.org/ListItem"><a href="https://auth0.com/docs/login/adopt-oidc-conformant-authentication"><span class="text" itemProp="name">Adopt OIDC-Conformant Authentication</span><meta itemProp="position" content="5"/></a></li><li itemProp="itemListElement" itemscope="" itemType="http://schema.org/ListItem"><a href="https://auth0.com/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-rop-flow"><span class="text" itemProp="name">OIDC-Conformant Adoption: Resource Owner Password Flow</span><meta itemProp="position" content="5"/></a></li></ul><article class="docs-content " data-swiftype-name="body" data-swiftype-type="text" data-swiftype-index="true"><div><div><div id="portal-header-wrapper"><div class="headerWrapper--2UXKN" data-react-universal-portal><div class=" tocBar--2h2ft "><h1 class="title--1dLg4">OIDC-Conformant Adoption: Resource Owner Password Flow</h1><div><span role="button" tabindex="0" aria-haspopup="true" aria-expanded="false" class="dropdownButton--3ms3m"><span class="dropdownButtonText--35nCB">In this article</span><i class="dropdownButtonIcon--263xY icon icon-budicon-460"></i></span></div></div></div></div><p>The <a href="https://auth0.com/docs/flows/resource-owner-password-flow">Resource Owner Password Flow</a> is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.</p><p>The OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.</p><div id="portal-title-0"><div id="authentication-request" class="header-wrapper header-level-h2" data-react-universal-portal><h2 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>Authentication request</h2></div></div><div id="portal-title-1"><div id="legacy" class="header-wrapper header-level-h3" data-react-universal-portal><h3 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>Legacy</h3></div></div><p></p><div id="portal-code-block-0"><div class="codeBlock--2nPRx" data-react-universal-portal><div class="codeSection--l3D_7"><button class="copy-button btn btn-sm overlay--qmJws btn-default"><span class="icon-budicon-338"></span></button><div><pre class="code--2exA6"><code class="language-text">POST /oauth/ro HTTP 1.1 Content-Type: application/json {   "grant_type": "password",   "client_id": "123",   "username": "alice",   "password": "A3ddj3w",   "connection": "my-database-connection",   "scope": "openid email favorite_color offline_access",   "device": "my-device-name" } </code></pre></div></div><div class="feedback--2WYTe"><div><span>Was this helpful?</span><button class="text--9gWDi">Yes</button><span>/</span><button class="text--9gWDi">No</button></div></div></div></div> <p></p><ul><li><p>The <code>device</code> parameter is only needed if <a href="https://auth0.com/docs/tokens/refresh-tokens">requesting a Refresh Token</a> by passing the <code>offline_access</code> scope.</p></li></ul><div id="portal-title-2"><div id="oidc-conformant" class="header-wrapper header-level-h3" data-react-universal-portal><h3 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>OIDC-conformant</h3></div></div><p></p><div id="portal-code-block-1"><div class="codeBlock--2nPRx" data-react-universal-portal><div class="codeSection--l3D_7"><button class="copy-button btn btn-sm overlay--qmJws btn-default"><span class="icon-budicon-338"></span></button><div><pre class="code--2exA6"><code class="language-text">POST /oauth/token HTTP 1.1 Content-Type: application/x-www-form-urlencoded grant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com </code></pre></div></div><div class="feedback--2WYTe"><div><span>Was this helpful?</span><button class="text--9gWDi">Yes</button><span>/</span><button class="text--9gWDi">No</button></div></div></div></div> <p></p><ul><li><p>The endpoint to execute credential exchanges is <code>/oauth/token</code>.</p></li><li><p><a href="https://auth0.com/docs/flows/call-your-api-using-resource-owner-password-flow">Auth0's own grant type</a> is used to authenticate users from a specific connection (<code>realm</code>). The <a href="https://auth0.com/docs/flows/resource-owner-password-flow">standard OIDC password grant</a> is also supported, but it does not accept Auth0-specific parameters such as <code>realm</code>.</p></li><li><p><code>favorite_color</code> is no longer a valid scope.</p></li><li><p>The <code>device</code> parameter is removed.</p></li><li><p>The <code>audience</code> parameter is optional.</p></li></ul><div id="portal-title-3"><div id="authentication-response" class="header-wrapper header-level-h2" data-react-universal-portal><h2 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>Authentication response</h2></div></div><div id="portal-title-4"><div id="legacy" class="header-wrapper header-level-h3" data-react-universal-portal><h3 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>Legacy</h3></div></div><p></p><div id="portal-code-block-2"><div class="codeBlock--2nPRx" data-react-universal-portal><div class="codeSection--l3D_7"><button class="copy-button btn btn-sm overlay--qmJws btn-default"><span class="icon-budicon-338"></span></button><div><pre class="code--2exA6"><code class="language-text">HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache {     "access_token": "SlAV32hkKG",     "token_type": "Bearer",     "refresh_token": "8xLOxBtZp8",     "expires_in": 3600,     "id_token": "eyJ..." } </code></pre></div></div><div class="feedback--2WYTe"><div><span>Was this helpful?</span><button class="text--9gWDi">Yes</button><span>/</span><button class="text--9gWDi">No</button></div></div></div></div> <p></p><ul><li><p>The returned Access Token is only valid for calling the <a href="https://auth0.com/docs/api/authentication#get-user-info">/userinfo endpoint</a>.</p></li><li><p>A Refresh Token will be returned only if a <code>device</code> parameter was passed and the <code>offline_access</code> scope was requested.</p></li></ul><div id="portal-title-5"><div id="oidc-conformant-" class="header-wrapper header-level-h3" data-react-universal-portal><h3 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>OIDC-conformant </h3></div></div><p></p><div id="portal-code-block-3"><div class="codeBlock--2nPRx" data-react-universal-portal><div class="codeSection--l3D_7"><button class="copy-button btn btn-sm overlay--qmJws btn-default"><span class="icon-budicon-338"></span></button><div><pre class="code--2exA6"><code class="language-text">HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache {     "access_token": "eyJ...",     "token_type": "Bearer",     "refresh_token": "8xLOxBtZp8",     "expires_in": 3600,     "id_token": "eyJ..." } </code></pre></div></div><div class="feedback--2WYTe"><div><span>Was this helpful?</span><button class="text--9gWDi">Yes</button><span>/</span><button class="text--9gWDi">No</button></div></div></div></div> <p></p><ul><li><p>The returned Access Token is valid for calling the <a href="https://auth0.com/docs/api/authentication#get-user-info">/userinfo endpoint</a> (provided that the API specified by the <code>audience</code> param uses <code>RS256</code> as <a href="https://auth0.com/docs/tokens/signing-algorithms">signing algorithm</a>) and optionally the resource server specified by the <code>audience</code> parameter.</p></li><li><p>The ID Token will be forcibly signed using <code>RS256</code> if requested by a <a href="https://auth0.com/docs/applications/confidential-and-public-applications">public application</a>.</p></li><li><p>A Refresh Token will be returned only if the <code>offline_access</code> scope was granted.</p></li></ul><div id="portal-title-6"><div id="id-token-structure" class="header-wrapper header-level-h2" data-react-universal-portal><h2 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>ID Token structure</h2></div></div><div id="portal-title-7"><div id="legacy" class="header-wrapper header-level-h3" data-react-universal-portal><h3 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>Legacy</h3></div></div><p></p><div id="portal-code-block-4"><div class="codeBlock--2nPRx" data-react-universal-portal><div class="codeSection--l3D_7"><button class="copy-button btn btn-sm overlay--qmJws btn-default"><span class="icon-budicon-338"></span></button><div><pre class="code--2exA6"><code class="language-json">{     "sub": "auth0|alice",     "iss": "https://YOUR_DOMAIN/",     "aud": "123",     "exp": 1482809609,     "iat": 1482773609,     "email": "alice@example.com",     "email_verified": true,     "favorite_color": "blue" } </code></pre></div></div><div class="feedback--2WYTe"><div><span>Was this helpful?</span><button class="text--9gWDi">Yes</button><span>/</span><button class="text--9gWDi">No</button></div></div></div></div> <p></p><div id="portal-title-8"><div id="oidc-conformant" class="header-wrapper header-level-h3" data-react-universal-portal><h3 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>OIDC-conformant</h3></div></div><p></p><div id="portal-code-block-5"><div class="codeBlock--2nPRx" data-react-universal-portal><div class="codeSection--l3D_7"><button class="copy-button btn btn-sm overlay--qmJws btn-default"><span class="icon-budicon-338"></span></button><div><pre class="code--2exA6"><code class="language-json">{     "sub": "auth0|alice",     "iss": "https://YOUR_DOMAIN/",     "aud": "123",     "exp": 1482809609,     "iat": 1482773609,     "email": "alice@example.com",     "email_verified": true,     "https://app.example.com/favorite_color": "blue" } </code></pre></div></div><div class="feedback--2WYTe"><div><span>Was this helpful?</span><button class="text--9gWDi">Yes</button><span>/</span><button class="text--9gWDi">No</button></div></div></div></div> <p></p><ul><li><p>The ID Token will be forcibly signed using <code>RS256</code> if requested by a <a href="https://auth0.com/docs/applications/confidential-and-public-applications">public application</a>.</p></li><li><p>The <code>favorite_color</code> claim must be <a href="https://auth0.com/docs/tokens/create-namespaced-custom-claims">namespaced</a> and added through a rule.</p></li></ul><div id="portal-title-9"><div id="access-token-structure-optional-" class="header-wrapper header-level-h2" data-react-universal-portal><h2 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>Access Token structure (optional)</h2></div></div><div id="portal-title-10"><div id="legacy" class="header-wrapper header-level-h3" data-react-universal-portal><h3 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>Legacy</h3></div></div><p></p><div id="portal-code-block-6"><div class="codeBlock--2nPRx" data-react-universal-portal><div class="codeSection--l3D_7"><button class="copy-button btn btn-sm overlay--qmJws btn-default"><span class="icon-budicon-338"></span></button><div><pre class="code--2exA6"><code class="language-json">SlAV32hkKG </code></pre></div></div><div class="feedback--2WYTe"><div><span>Was this helpful?</span><button class="text--9gWDi">Yes</button><span>/</span><button class="text--9gWDi">No</button></div></div></div></div> <p></p><ul><li><p>The returned Access Token is opaque and only valid for calling the <a href="https://auth0.com/docs/api/authentication#get-user-info">/userinfo endpoint</a>.</p></li></ul><div id="portal-title-11"><div id="oidc-conformant" class="header-wrapper header-level-h3" data-react-universal-portal><h3 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>OIDC-conformant</h3></div></div><p></p><div id="portal-code-block-7"><div class="codeBlock--2nPRx" data-react-universal-portal><div class="codeSection--l3D_7"><button class="copy-button btn btn-sm overlay--qmJws btn-default"><span class="icon-budicon-338"></span></button><div><pre class="code--2exA6"><code class="language-json">{     "sub": "auth0|alice",     "iss": "https://YOUR_DOMAIN/",     "aud": [         "https://api.example.com",         "https://YOUR_DOMAIN/userinfo"     ],     "azp": "123",     "exp": 1482816809,     "iat": 1482809609,     "scope": "openid email" } </code></pre></div></div><div class="feedback--2WYTe"><div><span>Was this helpful?</span><button class="text--9gWDi">Yes</button><span>/</span><button class="text--9gWDi">No</button></div></div></div></div> <p></p><ul><li><p>The returned Access Token is a JWT valid for calling the <a href="https://auth0.com/docs/api/authentication#get-user-info">/userinfo endpoint</a> (provided that the API specified by the <code>audience</code> parameter uses <code>RS256</code> as <a href="https://auth0.com/docs/tokens/signing-algorithms">signing algorithm</a>) as well as the resource server specified by the <code>audience</code> parameter.</p></li><li><p>Note that an opaque Access Token could still be returned if <code>/userinfo</code> is the only specified audience.</p></li></ul><div id="portal-title-12"><div id="standard-password-grant-requests" class="header-wrapper header-level-h2" data-react-universal-portal><h2 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>Standard password grant requests</h2></div></div><p>The Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific <code>realm</code> parameter. The <a href="https://auth0.com/docs/flows/resource-owner-password-flow">standard OIDC flow is also supported</a> when using OIDC authentication.</p><div id="portal-title-13"><div id="keep-reading" class="header-wrapper header-level-h2" data-react-universal-portal><h2 class="anchor-heading"><span class="anchor"><i class="icon icon-budicon-345"></i></span>Keep reading</h2></div></div><ul><li><a href="https://auth0.com/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-access-tokens">OIDC-Conformant Adoption: Access Tokens</a></li><li><a href="https://auth0.com/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-apis">OIDC-Conformant Adoption: APIs</a></li><li><a href="https://auth0.com/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-auth-code-flow">OIDC-Conformant Adoption: Authorization Code Flow</a></li><li><a href="https://auth0.com/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-client-credentials-flow">OIDC-Conformant Adoption: Client Credentials Flow</a></li><li><a href="https://auth0.com/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-implicit-flow">OIDC-Conformant Adoption: Implicit Flow</a></li><li><a href="https://auth0.com/docs/login/adopt-oidc-conformant-authentication/oidc-adoption-refresh-tokens">OIDC Conformant Adoption: Refresh Tokens</a></li></ul></div></div></article><div class="articleFooter--2MwGd article-footer"><div><div class="topContent--1beFf"><div><h5 class="title--29FAx">Was this article helpful?</h5><div class="buttons--2INTF"><button class="button--2bLX_ buttonYes--4KXLG btn btn-transparent btn-sm"><span class="buttonIcon--1QKm5 btn-icon icon-budicon-470"></span>Yes</button><button class="button--2bLX_ buttonNo--3pD4h btn btn-transparent btn-sm"><span class="buttonIcon--1QKm5 btn-icon icon-budicon-471"></span>No</button></div></div><div class="suggestions--1C9Np"></div></div></div></div></div></div></div></div></div></div></div></div></div></div><footer class="sc-footer" role="contentinfo"><div class="container"><div class="sc-footer__logo"><img class="sc-footer__logo-image" src="https://cdn.auth0.com/styleguide/components/1.0.8/media/logos/img/badge.png" width="30" alt=""/></div><div class="sc-footer__grid"><div class="sc-footer__column sc-footer__column--grid"><div class="sc-footer__item"><h6 class="sc-footer__title">Product</h6></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/pricing">Pricing</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/why-auth0">Why Auth0</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/how-it-works">How It Works</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/lock">Lock</a></div></div><div class="sc-footer__column sc-footer__column--grid"><div class="sc-footer__item"><h6 class="sc-footer__title">Company</h6></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/about">About Us</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/blog">Blog</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/jobs">Jobs</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/press">Press</a></div></div><div class="sc-footer__column sc-footer__column--grid"><div class="sc-footer__item"><h6 class="sc-footer__title">Learn</h6></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/availability-trust">Availability & Trust</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/security">Security</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/whitehat">White Hat</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/docs/apiv2">API Explorer</a></div></div><div class="sc-footer__column sc-footer__column--grid"><div class="sc-footer__item"><h6 class="sc-footer__title">More</h6></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://support.auth0.com">Help & Support</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/docs/services">Professional Services</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/docs">Documentation</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/opensource">Open Source</a></div><div class="sc-footer__item"><a class="sc-footer__link sc-footer__link--featured" href="https://auth0.com/wordpress">WordPress</a></div></div><div class="sc-footer__column sc-footer__column--contact"><div class="sc-footer__contact-column sc-footer__contact-column--address"><div class="sc-footer__item"><h6 class="sc-footer__title">Contact</h6></div><div class="sc-footer__item sc-footer__item--text">10800 NE 8th Street<br/>Suite 600<br/>Bellevue, WA 98004</div></div><div class="sc-footer__contact-column sc-footer__contact-column--phone"><div class="sc-footer__item sc-footer__item--small"><a class="sc-footer__link sc-footer__phone" href="tel:+18882352699">+1 (888) 235-2699</a></div><div class="sc-footer__item sc-footer__item--small"><a class="sc-footer__link sc-footer__phone" href="tel:+14253126521">+1 (425) 312-6521</a></div><div class="sc-footer__item sc-footer__item--small"><a class="sc-footer__link sc-footer__phone" href="tel:+4403332341966">+44 (0) 33-3234-1966</a></div></div></div></div><div class="sc-footer__colophon"><div class="sc-footer__column"><ul class="list-inline sc-footer__list sc-footer__like-buttons-container"><li class="sc-footer__list-item"><a class="sc-footer__like-buttons__link sc-footer__like-buttons__link--twitter" href="https://twitter.com/auth0" target="_blank" rel="noopener noreferrer"><span class="sc-footer__like-buttons__icon-container"><svg class="sc-footer__like-buttons__icon" viewBox="0 0 72 72"><path fill="none" d="M0 0h72v72H0z"></path><path fill="#fff" d="M68.812 15.14c-2.348 1.04-4.87 1.744-7.52 2.06 2.704-1.62 4.78-4.186 5.757-7.243-2.53 1.5-5.33 2.592-8.314 3.176C56.35 10.59 52.948 9 49.182 9c-7.23 0-13.092 5.86-13.092 13.093 0 1.026.118 2.02.338 2.98C25.543 24.527 15.9 19.318 9.44 11.396c-1.125 1.936-1.77 4.184-1.77 6.58 0 4.543 2.312 8.552 5.824 10.9-2.146-.07-4.165-.658-5.93-1.64-.002.056-.002.11-.002.163 0 6.345 4.513 11.638 10.504 12.84-1.1.298-2.256.457-3.45.457-.845 0-1.666-.078-2.464-.23 1.667 5.2 6.5 8.985 12.23 9.09-4.482 3.51-10.13 5.605-16.26 5.605-1.055 0-2.096-.06-3.122-.184 5.794 3.717 12.676 5.882 20.067 5.882 24.083 0 37.25-19.95 37.25-37.25 0-.565-.013-1.133-.038-1.693 2.558-1.847 4.778-4.15 6.532-6.774z"></path></svg></span><span class="sc-footer__like-buttons__action">Follow</span><span class="sr-only"> us on Twitter, along with </span><span class="sc-footer__like-buttons__counter sr-only">many</span><span class="sr-only"> followers!</span></a></li><li class="sc-footer__list-item"><a class="sc-footer__like-buttons__link sc-footer__like-buttons__link--linkedin" href="https://www.linkedin.com/company/auth0" target="_blank" rel="noopener noreferrer"><span class="sc-footer__like-buttons__icon-container"><svg class="sc-footer__like-buttons__icon" viewBox="0 50 512 512"><path fill="#ffffff" d="M150.65 100.682c0 27.992-22.508 50.683-50.273 50.683-27.765 0-50.273-22.69-50.273-50.683C50.104 72.692 72.612 50 100.377 50c27.766 0 50.273 22.69 50.273 50.682zm-7.356 86.65H58.277V462h85.017V187.333zm135.9 0h-81.54V462h81.54V317.82c0-38.625 17.78-61.616 51.808-61.616 31.268 0 46.29 22.07 46.29 61.615V462h84.604V288.085s-41.69-109.13-99.934-109.13-82.768 45.368-82.768 45.368v-36.99z"></path></svg></span><span class="sc-footer__like-buttons__action">Follow</span><span class="sr-only"> us on LinkedIn, along with </span><span class="sc-footer__like-buttons__counter sr-only">many</span><span class="sr-only"> followers!</span></a></li><li class="sc-footer__list-item"><a class="sc-footer__like-buttons__link sc-footer__like-buttons__link--facebook" href="https://www.facebook.com/getauth0" target="_blank" rel="noopener noreferrer"><span class="sc-footer__like-buttons__icon-container"><svg class="sc-footer__like-buttons__icon" viewBox="0 0 16 16"><path fill="#fff" fill-rule="evenodd" d="M4.55 7c.248 0 .45.234.45.522v5.956c0 .288-.202.522-.45.522h-2.1c-.248 0-.45-.234-.45-.522V7.522C2 7.234 2.202 7 2.45 7h2.1zm1.995 6.2c-.305-.036-.528-.302-.545-.626.017 0 .013-2.906 0-4.43.013-.525.108-1.458.398-1.87.708-1.008 1.205-1.666 1.494-2.048.29-.382.636-.755.646-1.04.013-.384 0-.39 0-.83 0-.44.208-.856.733-.856.257 0 .46.057.65.3.304.356.516.92.516 1.81S9.51 6.173 9.51 6.18h4.037c.618-.004.954.545.954 1.117 0 .536-.364.982-.844 1.057.29.14.5.47.5.852 0 .476-.325.872-.756.94.23.145.375.406.375.702 0 .398-.26.733-.615.813.21.14.346.396.346.685 0 .452-.334.823-.763.857H6.545z"></path></svg></span><span class="sc-footer__like-buttons__action">Like</span><span class="sr-only"> our Facebook page, along with </span><span class="sc-footer__like-buttons__counter sr-only">many</span><span class="sr-only"> people!</span></a></li></ul></div><script src="https://cdn.auth0.com/website/auth0-footer-counters.min.js" async="" defer=""></script><div class="sc-footer__column"><ul class="list-inline text-right sc-footer__list"><li class="sc-footer__list-item"><a class="sc-footer__link" href="https://auth0.com/privacy">Privacy Policy</a></li><li class="sc-footer__list-item"><a class="sc-footer__link" href="https://auth0.com/terms">Terms of Service</a></li><li class="sc-footer__list-item"><span>© 2013-<!-- -->2021<!-- --> Auth0®, Inc. All Rights Reserved.</span></li></ul></div></div></div></footer></div><script>window.App={"context":{"dispatcher":{"stores":{"RouteStore":{"currentNavigate":{"transactionId":8253199876223460,"method":"get","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","route":{"path":"\u002Fdocs\u002F*","method":"get","handler":function StoreConnector(props, context) { React.Component.apply(this, arguments); this.state = this.getStateFromStores(); this._onStoreChange = null; this._isMounted = false; },"action":function loadDocument(context, payload) { var logger = context.getService('LoggingService'); var url = (0, _normalizeUrl.default)(payload.url); var _ref = payload.params || {}, contentfulId = _ref.contentfulId; context.dispatch('DOCUMENT_SELECTED', { url: url }); var success = function success(doc) { if (!doc.meta.quickstart) { context.dispatch('UPDATE_PAGE_METADATA', { pageTitle: doc.meta.title, pageDescription: doc.meta.description }); } if (payload.name === 'article' || payload.name === 'contentful') { context.dispatch('ARTICLE_LOAD_SUCCESS', { url: url, doc: doc }); } context.dispatch('DOCUMENT_LOAD_SUCCESS', { url: url, doc: doc }); logger.debug('Document loaded successfully.', { url: url }); return Promise.resolve(); }; var failure = function failure(err) { context.dispatch('DOCUMENT_LOAD_FAILURE', { url: url, err: err }); logger.warn('Error loading document.', { url: url, err: err }); return Promise.resolve(); }; // First, check to see if the doc has already been loaded. if (!contentfulId || typeof window !== 'undefined') { // contentfulId should reload from the server var doc = context.getStore(_DocumentStore.default).getDocument(url); if (doc) { if (doc.state === _LoadState.default.LOADED) { // If it has been loaded, just return it. return success(doc); } else if (doc.state === _LoadState.default.LOADING) { // If it's already being loaded, don't load it again. return Promise.resolve(); } } } // If the document hasn't been loaded (or a previous load resulted in // an error), try to load it using the DocumentService. context.dispatch('DOCUMENT_LOADING', { url: url }); if (contentfulId) { return context.getService('DocumentService').loadContentfulPreview(contentfulId).then(success).catch(failure); } return context.getService('DocumentService').load(url).then(success).catch(failure); },"name":"article","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","params":{"0":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"},"query":{}},"error":null,"isComplete":true},"routes":null},"ApplicationStore":{"flags":{"framed":false,"singleQuickstart":false},"pageTitle":"OIDC-Conformant Adoption: Resource Owner Password Flow","pageDescription":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","domainUrlApp":"https:\u002F\u002Fmanage.auth0.com","dashboardUrl":"https:\u002F\u002Fmanage.auth0.com\u002F#","domainUrlDocs":"https:\u002F\u002Fauth0.com\u002Fdocs","domainUrlSignup":"https:\u002F\u002Fauth0.com\u002Fsignup?&signUpData=%7B%22category%22%3A%22docs%22%7D"},"QuickstartStore":{"flags":{"framed":false,"singleQuickstart":false},"sidebarItems":[],"breadcrumbs":[],"sidebarBreadcrumbs":[]},"DocumentStore":{"docs":{"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow":{"state":"LOADED","originalHtml":"\u003Cdiv id=\"portal-header-wrapper\"\u003E\u003Cdiv class=\"headerWrapper--2UXKN\" data-react-universal-portal\u003E\u003Cdiv class=\"\n tocBar--2h2ft\n \n \"\u003E\u003Ch1 class=\"title--1dLg4\"\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cdiv\u003E\u003Cspan role=\"button\" tabindex=\"0\" aria-haspopup=\"true\" aria-expanded=\"false\" class=\"dropdownButton--3ms3m\"\u003E\u003Cspan class=\"dropdownButtonText--35nCB\"\u003EIn this article\u003C\u002Fspan\u003E\u003Ci class=\"dropdownButtonIcon--263xY icon icon-budicon-460\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-0\"\u003E\u003Cdiv id=\"authentication-request\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAuthentication request\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv id=\"portal-title-1\"\u003E\u003Cdiv id=\"legacy\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-0\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-2\"\u003E\u003Cdiv id=\"oidc-conformant\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-1\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-3\"\u003E\u003Cdiv id=\"authentication-response\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAuthentication response\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv id=\"portal-title-4\"\u003E\u003Cdiv id=\"legacy\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-2\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-5\"\u003E\u003Cdiv id=\"oidc-conformant-\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-3\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-6\"\u003E\u003Cdiv id=\"id-token-structure\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EID Token structure\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv id=\"portal-title-7\"\u003E\u003Cdiv id=\"legacy\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-4\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-8\"\u003E\u003Cdiv id=\"oidc-conformant\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-5\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-9\"\u003E\u003Cdiv id=\"access-token-structure-optional-\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv id=\"portal-title-10\"\u003E\u003Cdiv id=\"legacy\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-6\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-11\"\u003E\u003Cdiv id=\"oidc-conformant\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-7\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-12\"\u003E\u003Cdiv id=\"standard-password-grant-requests\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-13\"\u003E\u003Cdiv id=\"keep-reading\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EKeep reading\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\"\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\"\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\"\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\"\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\"\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\"\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Cdiv id=\"portal-header-wrapper\"\u003E\u003Cdiv class=\"headerWrapper--2UXKN\" data-react-universal-portal\u003E\u003Cdiv class=\"\n tocBar--2h2ft\n \n \"\u003E\u003Ch1 class=\"title--1dLg4\"\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cdiv\u003E\u003Cspan role=\"button\" tabindex=\"0\" aria-haspopup=\"true\" aria-expanded=\"false\" class=\"dropdownButton--3ms3m\"\u003E\u003Cspan class=\"dropdownButtonText--35nCB\"\u003EIn this article\u003C\u002Fspan\u003E\u003Ci class=\"dropdownButtonIcon--263xY icon icon-budicon-460\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-0\"\u003E\u003Cdiv id=\"authentication-request\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAuthentication request\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv id=\"portal-title-1\"\u003E\u003Cdiv id=\"legacy\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-0\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-2\"\u003E\u003Cdiv id=\"oidc-conformant\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-1\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-3\"\u003E\u003Cdiv id=\"authentication-response\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAuthentication response\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv id=\"portal-title-4\"\u003E\u003Cdiv id=\"legacy\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-2\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-5\"\u003E\u003Cdiv id=\"oidc-conformant-\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-3\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-6\"\u003E\u003Cdiv id=\"id-token-structure\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EID Token structure\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv id=\"portal-title-7\"\u003E\u003Cdiv id=\"legacy\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-4\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-8\"\u003E\u003Cdiv id=\"oidc-conformant\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-5\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-9\"\u003E\u003Cdiv id=\"access-token-structure-optional-\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv id=\"portal-title-10\"\u003E\u003Cdiv id=\"legacy\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-6\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-11\"\u003E\u003Cdiv id=\"oidc-conformant\" class=\"header-wrapper header-level-h3\" data-react-universal-portal\u003E\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cdiv id=\"portal-code-block-7\"\u003E\u003Cdiv class=\"codeBlock--2nPRx\" data-react-universal-portal\u003E\u003Cdiv class=\"codeSection--l3D_7\"\u003E\u003Cbutton class=\"copy-button btn btn-sm overlay--qmJws btn-default\"\u003E\u003Cspan class=\"icon-budicon-338\"\u003E\u003C\u002Fspan\u003E\u003C\u002Fbutton\u003E\u003Cdiv\u003E\u003Cpre class=\"code--2exA6\"\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cdiv class=\"feedback--2WYTe\"\u003E\u003Cdiv\u003E\u003Cspan\u003EWas this helpful?\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003EYes\u003C\u002Fbutton\u003E\u003Cspan\u003E\u002F\u003C\u002Fspan\u003E\u003Cbutton class=\"text--9gWDi\"\u003ENo\u003C\u002Fbutton\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Cdiv id=\"portal-title-12\"\u003E\u003Cdiv id=\"standard-password-grant-requests\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Cdiv id=\"portal-title-13\"\u003E\u003Cdiv id=\"keep-reading\" class=\"header-wrapper header-level-h2\" data-react-universal-portal\u003E\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EKeep reading\u003C\u002Fh2\u003E\u003C\u002Fdiv\u003E\u003C\u002Fdiv\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\"\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\"\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\"\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\"\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\"\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\"\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}],"portals":[{"component":"Title","containerID":"portal-title-0","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAuthentication request\u003C\u002Fh2\u003E","anchor":"authentication-request","tag":"h2","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-1","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E","anchor":"legacy","tag":"h3","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-2","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\u003C\u002Fh3\u003E","anchor":"oidc-conformant","tag":"h3","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-3","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAuthentication response\u003C\u002Fh2\u003E","anchor":"authentication-response","tag":"h2","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-4","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E","anchor":"legacy","tag":"h3","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-5","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\n\u003C\u002Fh3\u003E","anchor":"oidc-conformant-","tag":"h3","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-6","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EID Token structure\u003C\u002Fh2\u003E","anchor":"id-token-structure","tag":"h2","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-7","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E","anchor":"legacy","tag":"h3","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-8","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\u003C\u002Fh3\u003E","anchor":"oidc-conformant","tag":"h3","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-9","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E","anchor":"access-token-structure-optional-","tag":"h2","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-10","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003ELegacy\u003C\u002Fh3\u003E","anchor":"legacy","tag":"h3","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-11","props":{"children":"\u003Ch3 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EOIDC-conformant\u003C\u002Fh3\u003E","anchor":"oidc-conformant","tag":"h3","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-12","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EStandard password grant requests\u003C\u002Fh2\u003E","anchor":"standard-password-grant-requests","tag":"h2","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"Title","containerID":"portal-title-13","props":{"children":"\u003Ch2 class=\"anchor-heading\"\u003E\u003Cspan class=\"anchor\"\u003E\u003Ci class=\"icon icon-budicon-345\"\u003E\u003C\u002Fi\u003E\u003C\u002Fspan\u003EKeep reading\u003C\u002Fh2\u003E","anchor":"keep-reading","tag":"h2","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"HeaderWrapper","containerID":"portal-header-wrapper","props":{"children":"OIDC-Conformant Adoption: Resource Owner Password Flow","meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"CodeBlock","containerID":"portal-code-block-0","props":{"children":"\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E","code":"POST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n \"grant_type\": \"password\",\n \"client_id\": \"123\",\n \"username\": \"alice\",\n \"password\": \"A3ddj3w\",\n \"connection\": \"my-database-connection\",\n \"scope\": \"openid email favorite_color offline_access\",\n \"device\": \"my-device-name\"\n}","tabPaneFooter":"","index":0,"meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"CodeBlock","containerID":"portal-code-block-1","props":{"children":"\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E","code":"POST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com","tabPaneFooter":"","index":1,"meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"CodeBlock","containerID":"portal-code-block-2","props":{"children":"\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E","code":"HTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n \"access_token\": \"SlAV32hkKG\",\n \"token_type\": \"Bearer\",\n \"refresh_token\": \"8xLOxBtZp8\",\n \"expires_in\": 3600,\n \"id_token\": \"eyJ...\"\n}","tabPaneFooter":"","index":2,"meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"CodeBlock","containerID":"portal-code-block-3","props":{"children":"\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E","code":"HTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n \"access_token\": \"eyJ...\",\n \"token_type\": \"Bearer\",\n \"refresh_token\": \"8xLOxBtZp8\",\n \"expires_in\": 3600,\n \"id_token\": \"eyJ...\"\n}","tabPaneFooter":"","index":3,"meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"CodeBlock","containerID":"portal-code-block-4","props":{"children":"\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E","code":"{\n \"sub\": \"auth0|alice\",\n \"iss\": \"https:\u002F\u002F__AUTH0_NAMESPACE__\u002F\",\n \"aud\": \"123\",\n \"exp\": 1482809609,\n \"iat\": 1482773609,\n \"email\": \"alice@example.com\",\n \"email_verified\": true,\n \"favorite_color\": \"blue\"\n}","tabPaneFooter":"","index":4,"meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"CodeBlock","containerID":"portal-code-block-5","props":{"children":"\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E","code":"{\n \"sub\": \"auth0|alice\",\n \"iss\": \"https:\u002F\u002F__AUTH0_NAMESPACE__\u002F\",\n \"aud\": \"123\",\n \"exp\": 1482809609,\n \"iat\": 1482773609,\n \"email\": \"alice@example.com\",\n \"email_verified\": true,\n \"https:\u002F\u002Fapp.example.com\u002Ffavorite_color\": \"blue\"\n}","tabPaneFooter":"","index":5,"meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"CodeBlock","containerID":"portal-code-block-6","props":{"children":"\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E","code":"SlAV32hkKG","tabPaneFooter":"","index":6,"meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}},{"component":"CodeBlock","containerID":"portal-code-block-7","props":{"children":"\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E","code":"{\n \"sub\": \"auth0|alice\",\n \"iss\": \"https:\u002F\u002F__AUTH0_NAMESPACE__\u002F\",\n \"aud\": [\n \"https:\u002F\u002Fapi.example.com\",\n \"https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo\"\n ],\n \"azp\": \"123\",\n \"exp\": 1482816809,\n \"iat\": 1482809609,\n \"scope\": \"openid email\"\n}","tabPaneFooter":"","index":7,"meta":{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","updatedAt":"2021-01-28T15:03:35.049Z","contentfulId":"5JXMYvnjknzEaznD2eGA8w","description":"Learn how the OIDC-conformant pipeline affects the Resource Owner Password (ROP) Flow.","hash":"oidc-adoption-rop-flow","sections":["api-auth"],"tags":["api","authentication"],"toc":true,"public":true,"parent":"5X6PoWErJuO1unXQymQsu3","referenceLinks":["1aVmfHyl6J9sgW9bY4H9mz","2b43QF99O5DWhPuJq5UPMk","1jQxLbljPw95SOQ9b5eMNT","zf6MWe0cMJD5RXmjvcAmJ","1NeSYRzXAhbiSnR65EqmGP","ZWdNStrJeMdNwqQa78E0O"],"content":"\u003Ch1\u003EOIDC-Conformant Adoption: Resource Owner Password Flow\u003C\u002Fh1\u003E\u003Cp\u003EThe \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003EResource Owner Password Flow\u003C\u002Fa\u003E is used by highly-trusted applications to provide active authentication. Unlike the authorization code and implicit grants, this authentication mechanism does not redirect users to Auth0. It authenticates users with a single request, exchanging their password credentials for a token.\u003C\u002Fp\u003E\u003Cp\u003EThe OIDC-conformant pipeline affects the Resource Owner Password Flow in the following areas: authentication request, authentication response, ID token structure, and access token structure.\u003C\u002Fp\u003E\u003Ch2\u003EAuthentication request\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Fro HTTP 1.1\nContent-Type: application\u002Fjson\n{\n  "grant_type": "password",\n  "client_id": "123",\n  "username": "alice",\n  "password": "A3ddj3w",\n  "connection": "my-database-connection",\n  "scope": "openid email favorite_color offline_access",\n  "device": "my-device-name"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is only needed if \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Frefresh-tokens\"\u003Erequesting a Refresh Token\u003C\u002Fa\u003E by passing the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EPOST \u002Foauth\u002Ftoken HTTP 1.1\nContent-Type: application\u002Fx-www-form-urlencoded\ngrant_type=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fpassword-realm&client_id=123&username=alice&password=A3ddj3w&realm=my-database-connection&scope=openid+email+offline_access&audience=https%3A%2F%2Fapi.example.com\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe endpoint to execute credential exchanges is \u003Ccode\u003E\u002Foauth\u002Ftoken\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fcall-your-api-using-resource-owner-password-flow\"\u003EAuth0's own grant type\u003C\u002Fa\u003E is used to authenticate users from a specific connection (\u003Ccode\u003Erealm\u003C\u002Fcode\u003E). The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC password grant\u003C\u002Fa\u003E is also supported, but it does not accept Auth0-specific parameters such as \u003Ccode\u003Erealm\u003C\u002Fcode\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003E\u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E is no longer a valid scope.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter is removed.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter is optional.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAuthentication response\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "SlAV32hkKG",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if a \u003Ccode\u003Edevice\u003C\u002Fcode\u003E parameter was passed and the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was requested.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\n\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-text\"\u003EHTTP\u002F1.1 200 OK\nContent-Type: application\u002Fjson\nCache-Control: no-store\nPragma: no-cache\n{\n    "access_token": "eyJ...",\n    "token_type": "Bearer",\n    "refresh_token": "8xLOxBtZp8",\n    "expires_in": 3600,\n    "id_token": "eyJ..."\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E param uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) and optionally the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EA Refresh Token will be returned only if the \u003Ccode\u003Eoffline_access\u003C\u002Fcode\u003E scope was granted.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EID Token structure\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "favorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": "123",\n    "exp": 1482809609,\n    "iat": 1482773609,\n    "email": "alice@example.com",\n    "email_verified": true,\n    "https:\u002F\u002Fapp.example.com\u002Ffavorite_color": "blue"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe ID Token will be forcibly signed using \u003Ccode\u003ERS256\u003C\u002Fcode\u003E if requested by a \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapplications\u002Fconfidential-and-public-applications\"\u003Epublic application\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003EThe \u003Ccode\u003Efavorite_color\u003C\u002Fcode\u003E claim must be \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims\"\u003Enamespaced\u003C\u002Fa\u003E and added through a rule.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EAccess Token structure (optional)\u003C\u002Fh2\u003E\u003Ch3\u003ELegacy\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003ESlAV32hkKG\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is opaque and only valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch3\u003EOIDC-conformant\u003C\u002Fh3\u003E\u003Cp\u003E\u003C\u002Fp\u003E\u003Cpre\u003E\u003Ccode class=\"language-json\"\u003E{\n    "sub": "auth0|alice",\n    "iss": "https:\u002F\u002F__AUTH0_NAMESPACE__\u002F",\n    "aud": [\n        "https:\u002F\u002Fapi.example.com",\n        "https:\u002F\u002F__AUTH0_NAMESPACE__\u002Fuserinfo"\n    ],\n    "azp": "123",\n    "exp": 1482816809,\n    "iat": 1482809609,\n    "scope": "openid email"\n}\n\u003C\u002Fcode\u003E\u003C\u002Fpre\u003E\n\u003Cp\u003E\u003C\u002Fp\u003E\u003Cul\u003E\u003Cli\u003E\u003Cp\u003EThe returned Access Token is a JWT valid for calling the \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fapi\u002Fauthentication#get-user-info\"\u003E\u002Fuserinfo endpoint\u003C\u002Fa\u003E (provided that the API specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter uses \u003Ccode\u003ERS256\u003C\u002Fcode\u003E as \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Ftokens\u002Fsigning-algorithms\"\u003Esigning algorithm\u003C\u002Fa\u003E) as well as the resource server specified by the \u003Ccode\u003Eaudience\u003C\u002Fcode\u003E parameter.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Cp\u003ENote that an opaque Access Token could still be returned if \u003Ccode\u003E\u002Fuserinfo\u003C\u002Fcode\u003E is the only specified audience.\u003C\u002Fp\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E\u003Ch2\u003EStandard password grant requests\u003C\u002Fh2\u003E\u003Cp\u003EThe Auth0 password realm grant is not defined by standard OIDC, but it is suggested as an alternative to the legacy resource owner endpoint because it supports the Auth0-specific \u003Ccode\u003Erealm\u003C\u002Fcode\u003E parameter. The \u003Ca href=\"https:\u002F\u002Fauth0.com\u002Fdocs\u002Fflows\u002Fresource-owner-password-flow\"\u003Estandard OIDC flow is also supported\u003C\u002Fa\u003E when using OIDC authentication.\u003C\u002Fp\u003E\u003Ch2\u003EKeep reading\u003C\u002Fh2\u003E\u003Cul\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens\u003EOIDC-Conformant Adoption: Access Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis\u003EOIDC-Conformant Adoption: APIs\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow\u003EOIDC-Conformant Adoption: Authorization Code Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow\u003EOIDC-Conformant Adoption: Client Credentials Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow\u003EOIDC-Conformant Adoption: Implicit Flow\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003Cli\u003E\u003Ca href=https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens\u003EOIDC Conformant Adoption: Refresh Tokens\u003C\u002Fa\u003E\u003C\u002Fli\u003E\u003C\u002Ful\u003E","sitemap":true,"breadcrumbs":[{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","routeName":"article","section":"articles","titles":[{"content":"Authentication request","anchor":"authentication-request","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Authentication response","anchor":"authentication-response","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"ID Token structure","anchor":"id-token-structure","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Access Token structure (optional)","anchor":"access-token-structure-optional-","level":2},{"content":"Legacy","anchor":"legacy","level":3},{"content":"OIDC-conformant","anchor":"oidc-conformant","level":3},{"content":"Standard password grant requests","anchor":"standard-password-grant-requests","level":2}]}}}]}}},"user":{"isAuthenticated":false,"account":{"userName":"","appName":"YOUR_APP_NAME","tenant":"YOUR_TENANT","namespace":"YOUR_DOMAIN","clientId":"YOUR_CLIENT_ID","clientSecret":"YOUR_CLIENT_SECRET","callback":"https:\u002F\u002FYOUR_APP\u002Fcallback"},"connectionName":"YOUR_CONNECTION_NAME","apiIdentifier":"YOUR_API_IDENTIFIER","manage_url":"https:\u002F\u002Fmanage.auth0.com\u002F#","userResources":{"nonGlobalClients":[],"nonGlobalApis":[],"selectedClientId":"YOUR_CLIENT_ID","selectedApiId":"YOUR_API_IDENTIFIER","clientsSortedByType":{}},"profile":{}},"userResources":{"nonGlobalClients":[],"nonGlobalApis":[],"selectedClientId":"YOUR_CLIENT_ID","selectedApiId":"YOUR_API_IDENTIFIER","clientsSortedByType":{}}},"UserStore":{"user":{"isAuthenticated":false,"account":{"userName":"","appName":"YOUR_APP_NAME","tenant":"YOUR_TENANT","namespace":"YOUR_DOMAIN","clientId":"YOUR_CLIENT_ID","clientSecret":"YOUR_CLIENT_SECRET","callback":"https:\u002F\u002FYOUR_APP\u002Fcallback"},"connectionName":"YOUR_CONNECTION_NAME","apiIdentifier":"YOUR_API_IDENTIFIER","manage_url":"https:\u002F\u002Fmanage.auth0.com\u002F#","userResources":{"nonGlobalClients":[],"nonGlobalApis":[],"selectedClientId":"YOUR_CLIENT_ID","selectedApiId":"YOUR_API_IDENTIFIER","clientsSortedByType":{}},"profile":{}},"profile":{},"userResources":{"nonGlobalClients":[],"nonGlobalApis":[],"selectedClientId":"YOUR_CLIENT_ID","selectedApiId":"YOUR_API_IDENTIFIER","clientsSortedByType":{}}},"NavigationStore":{"navigation":{"sections":[{"id":"articles","title":"Articles","url":"\u002Fdocs\u002Fget-started","folder":"","default":true},{"id":"quickstarts","title":"Quickstarts","url":"\u002Fdocs\u002Fquickstarts","folder":"quickstart"},{"id":"apis","title":"Auth0 APIs","url":"\u002Fdocs\u002Fapi","folder":"api"},{"id":"libraries","title":"Libraries","url":"\u002Fdocs\u002Flibraries","folder":"libraries"},{"id":"videos","title":"Videos","url":"\u002Fdocs\u002Fvideos","folder":"videos"},{"id":"identity-labs","title":"Identity Labs","url":"\u002Fdocs\u002Fidentity-labs","folder":"identity-labs"}],"sidebar":{"articles":[{"title":"Get Started","url":"\u002Fdocs\u002Fget-started","children":[{"title":"Auth0 Overview","url":"\u002Fdocs\u002Fget-started","isActiveUrl":false},{"title":"Dashboard Overview","url":"\u002Fdocs\u002Fget-started\u002Fdashboard","isActiveUrl":false},{"title":"Create Tenants","url":"\u002Fdocs\u002Fget-started\u002Flearn-the-basics","isActiveUrl":false},{"title":"Register Applications","url":"\u002Fdocs\u002Fapplications\u002Fset-up-an-application","isActiveUrl":false},{"title":"Register APIs","url":"\u002Fdocs\u002Fget-started\u002Fset-up-apis","isActiveUrl":false},{"title":"Set Up Multiple Environments","url":"\u002Fdocs\u002Fdev-lifecycle\u002Fset-up-multiple-environments","hidden":true,"isActiveUrl":false},{"title":"Authentication and Authorization","url":"\u002Fdocs\u002Fget-started\u002Fauthentication-and-authorization","isActiveUrl":false},{"title":"Glossary","url":"\u002Fdocs\u002Fglossary","isActiveUrl":false}],"isActiveUrl":false},{"title":"Architecture Scenarios","url":"\u002Fdocs\u002Farchitecture-scenarios","children":[{"title":"Business to Consumer","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c","children":[{"title":"Architecture","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Farchitecture","isActiveUrl":false},{"title":"Provisioning","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Fprovisioning","isActiveUrl":false},{"title":"Authentication","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Fauthentication","isActiveUrl":false},{"title":"Branding","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Fbranding","isActiveUrl":false},{"title":"Deployment Automation","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Fdeployment","isActiveUrl":false},{"title":"Quality Assurance","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Fquality-assurance","isActiveUrl":false},{"title":"Profile Management","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Fprofile-management","isActiveUrl":false},{"title":"Authorization","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Fauthorization","isActiveUrl":false},{"title":"Logout","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Flogout","isActiveUrl":false},{"title":"Operations","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Foperations","isActiveUrl":false},{"title":"Launch Preparation","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2c\u002Flaunch","isActiveUrl":false}],"isActiveUrl":false},{"title":"Business to Business","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b","children":[{"title":"Architecture","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Farchitecture","isActiveUrl":false},{"title":"Provisioning","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Fprovisioning","isActiveUrl":false},{"title":"Authentication","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Fauthentication","isActiveUrl":false},{"title":"Branding","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Fbranding","isActiveUrl":false},{"title":"Deployment Automation","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Fdeployment","isActiveUrl":false},{"title":"Quality Assurance","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Fquality-assurance","isActiveUrl":false},{"title":"Profile Management","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Fprofile-management","isActiveUrl":false},{"title":"Authorization","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Fauthorization","isActiveUrl":false},{"title":"Logout","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Flogout","isActiveUrl":false},{"title":"Operations","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Foperations","isActiveUrl":false},{"title":"Launch Preparation","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2b\u002Flaunch","isActiveUrl":false}],"isActiveUrl":false},{"title":"Business to Employees","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fb2e","isActiveUrl":false},{"title":"SSO for Regular Web Apps","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fweb-app-sso","children":[{"title":"Solution Overview","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fweb-app-sso\u002Fpart-1","isActiveUrl":false},{"title":"Configuration","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fweb-app-sso\u002Fpart-2","isActiveUrl":false},{"title":"Implementation","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fweb-app-sso\u002Fpart-3","isActiveUrl":false},{"title":"Conclusion","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fweb-app-sso\u002Fpart-4","isActiveUrl":false}],"isActiveUrl":false},{"title":"Multiple Organization Architecture","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture","children":[{"title":"Single Identity Provider Organizations","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fusers-isolated-by-organization\u002Fsingle-identity-provider-organizations","children":[{"title":"Provisioning","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fusers-isolated-by-organization\u002Fsingle-identity-provider-organizations\u002Fprovisioning","isActiveUrl":false},{"title":"Authentication","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fusers-isolated-by-organization\u002Fsingle-identity-provider-organizations\u002Fauthentication","isActiveUrl":false},{"title":"Branding","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fusers-isolated-by-organization\u002Fsingle-identity-provider-organizations\u002Fbranding","isActiveUrl":false},{"title":"Authorization","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fusers-isolated-by-organization\u002Fsingle-identity-provider-organizations\u002Fauthorization","isActiveUrl":false},{"title":"Profile Management","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fusers-isolated-by-organization\u002Fsingle-identity-provider-organizations\u002Fprofile-management","isActiveUrl":false},{"title":"Logout","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fusers-isolated-by-organization\u002Fsingle-identity-provider-organizations\u002Flogout","isActiveUrl":false}],"isActiveUrl":false},{"title":"Multiple Identity Provider Organizations","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmultiple-organization-architecture\u002Fusers-isolated-by-organization\u002Fmultiple-identity-provider-organizations","isActiveUrl":false}],"isActiveUrl":false},{"title":"Server Application + API","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fserver-api","children":[{"title":"Solution Overview","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fserver-api\u002Fpart-1","isActiveUrl":false},{"title":"Configuration","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fserver-api\u002Fpart-2","isActiveUrl":false},{"title":"Implementation","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fserver-api\u002Fpart-3","isActiveUrl":false},{"title":"Conclusion","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fserver-api\u002Fpart-4","isActiveUrl":false}],"isActiveUrl":false},{"title":"SPA + API","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fspa-api","children":[{"title":"Solution Overview","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fspa-api\u002Fpart-1","isActiveUrl":false},{"title":"Configuration","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fspa-api\u002Fpart-2","isActiveUrl":false},{"title":"Implementation","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fspa-api\u002Fpart-3","isActiveUrl":false},{"title":"Conclusion","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fspa-api\u002Fpart-4","isActiveUrl":false}],"isActiveUrl":false},{"title":"Mobile + API","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmobile-api","children":[{"title":"Solution Overview","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmobile-api\u002Fpart-1","isActiveUrl":false},{"title":"Configuration","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmobile-api\u002Fpart-2","isActiveUrl":false},{"title":"Implementation","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmobile-api\u002Fpart-3","isActiveUrl":false},{"title":"Conclusion","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fmobile-api\u002Fpart-4","isActiveUrl":false}],"isActiveUrl":false},{"title":"Implementation Checklists","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fchecklists","isActiveUrl":false},{"title":"Implementation Resources","url":"\u002Fdocs\u002Farchitecture-scenarios\u002Fimplementation-resources","isActiveUrl":false}],"isActiveUrl":false},{"title":"Deploy","url":"\u002Fdocs\u002Fdeploy","children":[{"title":"Deployment Options","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-options","isActiveUrl":false},{"title":"Deployment Checklist","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-checklist","isActiveUrl":false},{"title":"Pre-Deployment","url":"\u002Fdocs\u002Fdeploy\u002Fpre-deployment","children":[{"title":"Run Production Checks","url":"\u002Fdocs\u002Fdeploy\u002Fpre-deployment\u002Fhow-to-run-production-checks","isActiveUrl":false},{"title":"Pre-Launch Tips","url":"\u002Fdocs\u002Fdeploy\u002Fpre-deployment\u002Fpre-launch-tips","isActiveUrl":false}],"isActiveUrl":false},{"title":"Deploy CLI Tool","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli-tool","children":[{"title":"Install Deploy CLI","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli-tool\u002Finstall-and-configure-the-deploy-cli-tool","isActiveUrl":false},{"title":"Call Deploy CLI","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli-tool\u002Fcall-deploy-cli-tool-programmatically","isActiveUrl":false},{"title":"Incorporate into Build Environment","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli-tool\u002Fincorporate-deploy-cli-into-build-environment","isActiveUrl":false},{"title":"Import\u002FExport Directory Structure","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli-tool\u002Fimport-export-tenant-configuration-to-directory-structure","isActiveUrl":false},{"title":"Import\u002FExport YAML File","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli-tool\u002Fimport-export-tenant-configuration-to-yaml-file","isActiveUrl":false},{"title":"Environment Variables","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli-tool\u002Fenvironment-variables-and-keyword-mappings","isActiveUrl":false},{"title":"Deploy CLI Options","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli-tool\u002Fdeploy-cli-tool-options","isActiveUrl":false},{"title":"What's New","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli\u002Freferences\u002Fwhats-new","hidden":true,"isActiveUrl":false},{"title":"Troubleshoot Deploy CLI","url":"\u002Fdocs\u002Fdeploy\u002Fdeploy-cli-tool\u002Ftroubleshoot-the-deploy-cli-tool","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Private Cloud Options","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud","children":[{"title":"Onboarding","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud\u002Fprivate-cloud-onboarding","children":[{"title":"Infrastructure Requirements","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud\u002Fprivate-cloud-onboarding\u002Fcustomer-hosted-managed-private-cloud-infrastructure-requirements","hidden":true,"isActiveUrl":false},{"title":"IP\u002FDomain and Port List","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud\u002Fprivate-cloud-onboarding\u002Fprivate-cloud-ip-domain-and-port-list","hidden":true,"isActiveUrl":false},{"title":"Remote Access Options","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud\u002Fprivate-cloud-onboarding\u002Fprivate-cloud-remote-access-options","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Operations","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud\u002Fprivate-cloud-operations","isActiveUrl":false},{"title":"Migrations","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud\u002Fprivate-cloud-migrations","children":[{"title":"Public to Private","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud\u002Fprivate-cloud-migrations\u002Fmigrate-from-public-cloud-to-private-cloud","hidden":true,"isActiveUrl":false},{"title":"Performance to Performance Plus","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud\u002Fprivate-cloud-migrations\u002Fmigrate-from-standard-private-cloud-to-managed-private-cloud","hidden":true,"isActiveUrl":false},{"title":"Custom Domains","url":"\u002Fdocs\u002Fdeploy\u002Fprivate-cloud\u002Fprivate-cloud-migrations\u002Fmigrate-private-cloud-custom-domains","hidden":true,"isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Login","url":"\u002Fdocs\u002Flogin","children":[{"title":"Universal Login","url":"\u002Fdocs\u002Funiversal-login","children":[{"title":"New Experience","url":"\u002Fdocs\u002Funiversal-login\u002Fnew-experience","isActiveUrl":false},{"title":"Classic Experience","url":"\u002Fdocs\u002Funiversal-login\u002Fclassic-experience","isActiveUrl":false},{"title":"Password Reset","url":"\u002Fdocs\u002Funiversal-login\u002Fcustomize-password-reset-page","isActiveUrl":false},{"title":"Multi-factor Authentication","url":"\u002Fdocs\u002Funiversal-login\u002Fclassic-experience\u002Fmfa-classic-experience","isActiveUrl":false},{"title":"Passwordless","url":"\u002Fdocs\u002Funiversal-login\u002Fconfigure-universal-login-with-passwordless","isActiveUrl":false},{"title":"Identifier-First Authentication","url":"\u002Fdocs\u002Funiversal-login\u002Fidentifier-first","isActiveUrl":false},{"title":"Error Pages","url":"\u002Fdocs\u002Funiversal-login\u002Ferror-pages","isActiveUrl":false},{"title":"Text Customization","url":"\u002Fdocs\u002Funiversal-login\u002Fnew-experience\u002Ftext-customization-new-universal-login","isActiveUrl":false},{"title":"Default Login URL","url":"\u002Fdocs\u002Funiversal-login\u002Fconfigure-default-login-routes","isActiveUrl":false},{"title":"Version Control","url":"\u002Fdocs\u002Funiversal-login\u002Fversion-control-universal-login-pages","isActiveUrl":false}],"isActiveUrl":false},{"title":"Universal vs. Embedded Login","url":"\u002Fdocs\u002Funiversal-login\u002Funiversal-vs-embedded-login","isActiveUrl":false},{"title":"Embedded Login","url":"\u002Fdocs\u002Flogin\u002Fembedded-login","children":[{"title":"Lock for Web","url":"\u002Fdocs\u002Flibraries\u002Flock","isActiveUrl":false},{"title":"Auth0.js","url":"\u002Fdocs\u002Flibraries\u002Fauth0js","isActiveUrl":false},{"title":"Cross-Origin Authentication","url":"\u002Fdocs\u002Flogin\u002Fembedded-login\u002Fcross-origin-authentication","isActiveUrl":false}],"isActiveUrl":false},{"title":"Authentication Flows","url":"\u002Fdocs\u002Fflows","children":[{"title":"Regular Web App","url":"\u002Fdocs\u002Fflows\u002Fadd-login-auth-code-flow","isActiveUrl":false},{"title":"Single-Page App","url":"\u002Fdocs\u002Fflows\u002Fadd-login-using-the-implicit-flow-with-form-post","isActiveUrl":false},{"title":"Native App","url":"\u002Fdocs\u002Fflows\u002Fadd-login-using-the-authorization-code-flow-with-pkce","isActiveUrl":false}],"isActiveUrl":false},{"title":"Authenticate Single-Page Apps with Cookies","url":"\u002Fdocs\u002Fsessions\u002Fcookies\u002Fspa-authenticate-with-cookies","isActiveUrl":false},{"title":"Multi-factor Authentication","url":"\u002Fdocs\u002Fmfa","children":[{"title":"Factors","url":"\u002Fdocs\u002Fmfa\u002Fmfa-factors","isActiveUrl":false},{"title":"Enable MFA","url":"\u002Fdocs\u002Fmfa\u002Fenable-mfa","isActiveUrl":false},{"title":"Adaptive MFA","url":"\u002Fdocs\u002Fmfa\u002Fadaptive-mfa","children":[{"title":"Enable Adaptive MFA","url":"\u002Fdocs\u002Fmfa\u002Fadaptive-mfa\u002Fenable-adaptive-mfa","hidden":true,"isActiveUrl":false},{"title":"Customize Adaptive MFA","url":"\u002Fdocs\u002Fmfa\u002Fadaptive-mfa\u002Fadaptive-mfa-rule-actions","hidden":true,"isActiveUrl":false},{"title":"Adaptive MFA Log Events","url":"\u002Fdocs\u002Fmfa\u002Fadaptive-mfa\u002Fadaptive-mfa-log-events","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Guardian","url":"\u002Fdocs\u002Fmfa\u002Fauth0-guardian","children":[{"title":"Create Custom Enrollment Ticket","url":"\u002Fdocs\u002Fmfa\u002Fauth0-guardian\u002Fcreate-custom-enrollment-tickets","hidden":true,"isActiveUrl":false},{"title":"Install Guardian SDK","url":"\u002Fdocs\u002Fmfa\u002Fauth0-guardian\u002Finstall-guardian-sdk","hidden":true,"isActiveUrl":false},{"title":"Guardian for Android SDK","url":"\u002Fdocs\u002Fmfa\u002Fauth0-guardian\u002Fguardian-for-android-sdk","hidden":true,"isActiveUrl":false},{"title":"Guardian for iOS SDK","url":"\u002Fdocs\u002Fmfa\u002Fauth0-guardian\u002Fguardian-for-ios-sdk","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Customize MFA","url":"\u002Fdocs\u002Fmfa\u002Fcustomize-mfa-user-pages","isActiveUrl":false},{"title":"Reset MFA","url":"\u002Fdocs\u002Fmfa\u002Freset-user-mfa","isActiveUrl":false},{"title":"Step-up Authentication","url":"\u002Fdocs\u002Fmfa\u002Fstep-up-authentication","children":[{"title":"For APIs","url":"\u002Fdocs\u002Fmfa\u002Fstep-up-authentication\u002Fconfigure-step-up-authentication-for-apis","hidden":true,"isActiveUrl":false},{"title":"For Web Apps","url":"\u002Fdocs\u002Fmfa\u002Fstep-up-authentication\u002Fconfigure-step-up-authentication-for-web-apps","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"MFA Developer Resources","url":"\u002Fdocs\u002Fmfa\u002Fmfa-developer-resources","children":[{"title":"MFA Theme Language Dictionary","url":"\u002Fdocs\u002Fmfa\u002Fcustomize-mfa-user-pages\u002Fmfa-theme-language-dictionary","hidden":true,"isActiveUrl":false},{"title":"MFA Widget Theme Options","url":"\u002Fdocs\u002Fmfa\u002Fcustomize-mfa-user-pages\u002Fmfa-widget-theme-options","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Troubleshoot MFA","url":"\u002Fdocs\u002Fmfa\u002Ftroubleshoot-mfa-issues","isActiveUrl":false}],"isActiveUrl":false},{"title":"Silent Authentication","url":"\u002Fdocs\u002Fauthorization\u002Fconfigure-silent-authentication","isActiveUrl":false},{"title":"Redirect After Login","url":"\u002Fdocs\u002Fusers\u002Fredirect-users-after-login","isActiveUrl":false},{"title":"Logout","url":"\u002Fdocs\u002Flogout","children":[{"title":"Apps","url":"\u002Fdocs\u002Flogout\u002Flog-users-out-of-applications","isActiveUrl":false},{"title":"Auth0","url":"\u002Fdocs\u002Flogout\u002Flog-users-out-of-auth0","isActiveUrl":false},{"title":"Identity Providers","url":"\u002Fdocs\u002Flogout\u002Flog-users-out-of-idps","isActiveUrl":false},{"title":"SAML Identity Providers","url":"\u002Fdocs\u002Flogout\u002Flog-users-out-of-saml-idps","isActiveUrl":false},{"title":"Redirect After Logout","url":"\u002Fdocs\u002Flogout\u002Fredirect-users-after-logout","isActiveUrl":false}],"isActiveUrl":false},{"title":"Adopt OIDC Conformant Auth","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","children":[{"title":"APIs","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-apis","isActiveUrl":false},{"title":"Access Tokens","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-access-tokens","isActiveUrl":false},{"title":"Authorization Code Flow","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-auth-code-flow","isActiveUrl":false},{"title":"Client Credentials Flow","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-client-credentials-flow","isActiveUrl":false},{"title":"Delegation","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-delegation","isActiveUrl":false},{"title":"Implicit Flow","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-implicit-flow","isActiveUrl":false},{"title":"Refresh Tokens","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-refresh-tokens","isActiveUrl":false},{"title":"Resource Owner Password Flow","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","isActiveUrl":true},{"title":"Single Sign-On","url":"\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-sso","isActiveUrl":false}],"isActiveUrl":true}],"isActiveUrl":true},{"title":"Connections","url":"\u002Fdocs\u002Fconnections","children":[{"title":"Social Identity Providers","url":"\u002Fdocs\u002Fconnections\u002Fidentity-providers-social","isActiveUrl":false},{"title":"Enterprise Identity Providers","url":"\u002Fdocs\u002Fconnections\u002Fidentity-providers-enterprise","isActiveUrl":false},{"title":"Legal Identity Providers","url":"\u002Fdocs\u002Fconnections\u002Fidentity-providers-legal","isActiveUrl":false},{"title":"Database","url":"\u002Fdocs\u002Fconnections\u002Fdatabase","children":[{"title":"Auth0 User Store","url":"\u002Fdocs\u002Fconnections\u002Fdatabase#using-the-auth0-user-store","isActiveUrl":false},{"title":"Your User Store","url":"\u002Fdocs\u002Fconnections\u002Fdatabase\u002Fcustom-db","children":[{"title":"Overview","url":"\u002Fdocs\u002Fconnections\u002Fdatabase\u002Fcustom-db\u002Foverview-custom-db-connections","hidden":true,"isActiveUrl":false},{"title":"Create Connections","url":"\u002Fdocs\u002Fconnections\u002Fdatabase\u002Fcustom-db\u002Fcreate-db-connections","hidden":true,"isActiveUrl":false},{"title":"Scripts","url":"\u002Fdocs\u002Fconnections\u002Fdatabase\u002Fcustom-db\u002Ftemplates","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Password Policies","url":"\u002Fdocs\u002Fconnections\u002Fdatabase\u002Fpassword-options","isActiveUrl":false},{"title":"Password Strength","url":"\u002Fdocs\u002Fconnections\u002Fdatabase\u002Fpassword-strength","isActiveUrl":false}],"isActiveUrl":false},{"title":"Pass Parameters to Identity Providers","url":"\u002Fdocs\u002Fconnections\u002Fpass-parameters-to-idps","isActiveUrl":false},{"title":"Passwordless","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless","children":[{"title":"Authentication Factors","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless","children":[{"title":"Email","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Fguides\u002Femail-otp","isActiveUrl":false},{"title":"Magic Link","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Fguides\u002Femail-magic-link","isActiveUrl":false},{"title":"SMS","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Fguides\u002Fsms-otp","isActiveUrl":false}],"isActiveUrl":false},{"title":"Universal Login","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Fguides\u002Funiversal-login","isActiveUrl":false},{"title":"Embedded Login","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Fguides\u002Fembedded-login","children":[{"title":"Passwordless APIs","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Freference\u002Frelevant-api-endpoints","isActiveUrl":false},{"title":"Native Apps","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Fguides\u002Fembedded-login-native","isActiveUrl":false},{"title":"Web Apps","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Fguides\u002Fembedded-login-webapps","isActiveUrl":false},{"title":"SPAs","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Fguides\u002Fembedded-login-spa","isActiveUrl":false}],"isActiveUrl":false},{"title":"Best Practices","url":"\u002Fdocs\u002Fconnections\u002Fpasswordless\u002Fguides\u002Fbest-practices","isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Organizations","url":"\u002Fdocs\u002Forganizations","children":[{"title":"Create Your First Organization","url":"\u002Fdocs\u002Forganizations\u002Fcreate-first-organization","isActiveUrl":false},{"title":"Custom Development","url":"\u002Fdocs\u002Forganizations\u002Fcustom-development","isActiveUrl":false},{"title":"Work with Multiple Tenants","url":"\u002Fdocs\u002Forganizations\u002Fusing-multiple-tenants","hidden":true,"isActiveUrl":false},{"title":"Work with Tokens","url":"\u002Fdocs\u002Forganizations\u002Fusing-tokens","isActiveUrl":false},{"title":"Configure Organizations","url":"\u002Fdocs\u002Forganizations\u002Fconfigure-organizations","children":[{"title":"Create Organizations","url":"\u002Fdocs\u002Forganizations\u002Fcreate-organizations","isActiveUrl":false},{"title":"Delete Organizations","url":"\u002Fdocs\u002Forganizations\u002Fdelete-organizations","isActiveUrl":false},{"title":"Define Organization Behavior","url":"\u002Fdocs\u002Forganizations\u002Fdefine-organization-behavior","isActiveUrl":false},{"title":"Enable Connections","url":"\u002Fdocs\u002Forganizations\u002Fenable-connections","isActiveUrl":false},{"title":"Disable Connections","url":"\u002Fdocs\u002Forganizations\u002Fdisable-connections","isActiveUrl":false},{"title":"Invite Members","url":"\u002Fdocs\u002Forganizations\u002Finvite-members","isActiveUrl":false},{"title":"Send Membership Invitations","url":"\u002Fdocs\u002Forganizations\u002Fsend-membership-invitations","isActiveUrl":false},{"title":"Grant Just-In-Time Membership","url":"\u002Fdocs\u002Forganizations\u002Fgrant-just-in-time-membership","isActiveUrl":false},{"title":"Assign Members Directly","url":"\u002Fdocs\u002Forganizations\u002Fassign-members","isActiveUrl":false},{"title":"Remove Members Directly","url":"\u002Fdocs\u002Forganizations\u002Fremove-members","isActiveUrl":false},{"title":"Add Roles to Members","url":"\u002Fdocs\u002Forganizations\u002Fadd-member-roles","isActiveUrl":false},{"title":"Remove Roles from Members","url":"\u002Fdocs\u002Forganizations\u002Fremove-member-roles","isActiveUrl":false},{"title":"Retrieve Organizations","url":"\u002Fdocs\u002Forganizations\u002Fretrieve-organizations","isActiveUrl":false},{"title":"Retrieve Connections","url":"\u002Fdocs\u002Forganizations\u002Fretrieve-connections","isActiveUrl":false},{"title":"Retrieve Members","url":"\u002Fdocs\u002Forganizations\u002Fretrieve-members","isActiveUrl":false},{"title":"Retrieve User's Membership","url":"\u002Fdocs\u002Forganizations\u002Fretrieve-user-membership","isActiveUrl":false},{"title":"Retrieve Member Roles","url":"\u002Fdocs\u002Forganizations\u002Fretrieve-member-roles","isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Authorization","url":"\u002Fdocs\u002Fauthorization","children":[{"title":"Authorization Flows","url":"\u002Fdocs\u002Fflows","children":[{"title":"Authorization Code","url":"\u002Fdocs\u002Fflows\u002Fcall-your-api-using-the-authorization-code-flow","isActiveUrl":false},{"title":"Authorization Code with PKCE","url":"\u002Fdocs\u002Fflows\u002Fcall-your-api-using-the-authorization-code-flow-with-pkce","isActiveUrl":false},{"title":"Client Credentials","url":"\u002Fdocs\u002Fflows\u002Fcall-your-api-using-the-client-credentials-flow","isActiveUrl":false},{"title":"Device Authorization","url":"\u002Fdocs\u002Fflows\u002Fcall-your-api-using-the-device-authorization-flow","isActiveUrl":false},{"title":"Hybrid","url":"\u002Fdocs\u002Fflows\u002Fcall-api-hybrid-flow","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Role-based Access Control (RBAC)","url":"\u002Fdocs\u002Fauthorization\u002Frbac","isActiveUrl":false},{"title":"Authorization Policies","url":"\u002Fdocs\u002Fauthorization\u002Fauthorization-policies","isActiveUrl":false},{"title":"Rules for Authorization Policies","url":"\u002Fdocs\u002Fauthorization\u002Frules-for-authorization-policies","isActiveUrl":false},{"title":"Sample Use Cases - RBAC","url":"\u002Fdocs\u002Fauthorization\u002Fsample-use-cases-role-based-access-control","isActiveUrl":false},{"title":"Sample Use Cases - Rules","url":"\u002Fdocs\u002Fauthorization\u002Fsample-use-cases-rules-with-authorization","isActiveUrl":false},{"title":"Authz Core vs. Authz Extension","url":"\u002Fdocs\u002Fauthorization\u002Fauthorization-core-vs-authorization-extension","isActiveUrl":false},{"title":"How to Configure Core RBAC","url":"\u002Fdocs\u002Fauthorization\u002Fhow-to-use-auth0s-core-authorization-feature-set","children":[{"title":"Manage Roles","url":"\u002Fdocs\u002Fauthorization\u002Frbac\u002Froles","isActiveUrl":false},{"title":"Manage RBAC Users","url":"\u002Fdocs\u002Fauthorization\u002Frbac-users","isActiveUrl":false},{"title":"Manage RBAC Permissions","url":"\u002Fdocs\u002Fauthorization\u002Fmanage-permissions","isActiveUrl":false},{"title":"Enable RBAC for APIs","url":"\u002Fdocs\u002Fauthorization\u002Frbac\u002Fenable-role-based-access-control-for-apis","isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Configuration","url":"\u002Fdocs\u002Fconfig","children":[{"title":"Tenant Settings","url":"\u002Fdocs\u002Fconfig\u002Ftenant-settings","children":[{"title":"Dashboard Access","url":"\u002Fdocs\u002Fdashboard-access","isActiveUrl":false},{"title":"Signing Keys","url":"\u002Fdocs\u002Fconfig\u002Ftenant-settings\u002Fsigning-keys","children":[{"title":"Rotate Signing Keys","url":"\u002Fdocs\u002Fconfig\u002Ftenant-settings\u002Fsigning-keys\u002Frotate-signing-keys","hidden":true,"isActiveUrl":false},{"title":"Revoke Signing Keys","url":"\u002Fdocs\u002Fconfig\u002Ftenant-settings\u002Fsigning-keys\u002Frevoke-signing-keys","hidden":true,"isActiveUrl":false},{"title":"View Signing Certificates","url":"\u002Fdocs\u002Fconfig\u002Ftenant-settings\u002Fsigning-keys\u002Fview-signing-certificates","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Configure Session Lifetime Settings","url":"\u002Fdocs\u002Fget-started\u002Fdashboard\u002Fconfigure-session-lifetime-settings","isActiveUrl":false},{"title":"Enable SSO for Legacy Tenants","url":"\u002Fdocs\u002Fget-started\u002Fdashboard\u002Fenable-sso-for-legacy-tenants","hidden":true,"isActiveUrl":false},{"title":"Configure Device User Code Settings","url":"\u002Fdocs\u002Fget-started\u002Fdashboard\u002Fconfigure-device-user-code-settings","isActiveUrl":false},{"title":"Recommended Settings","url":"\u002Fdocs\u002Fbest-practices\u002Ftenant-settings-best-practices","isActiveUrl":false},{"title":"Dynamic Client Registration","url":"\u002Fdocs\u002Fapplications\u002Fdynamic-client-registration","isActiveUrl":false},{"title":"Create Multiple Tenants","url":"\u002Fdocs\u002Fget-started\u002Fdashboard\u002Fcreate-multiple-tenants","hidden":true,"isActiveUrl":false},{"title":"Child Tenant Request Process","url":"\u002Fdocs\u002Fdev-lifecycle\u002Fchild-tenants","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Application Settings","url":"\u002Fdocs\u002Fget-started\u002Fdashboard\u002Fapplication-settings","children":[{"title":"Enable SSO for Legacy Applications","url":"\u002Fdocs\u002Fsso\u002Fenable-sso-for-applications","hidden":true,"isActiveUrl":false},{"title":"Update Grant Types","url":"\u002Fdocs\u002Fapplications\u002Fupdate-grant-types","isActiveUrl":false},{"title":"Android App Links","url":"\u002Fdocs\u002Fapplications\u002Fenable-android-app-links-support","isActiveUrl":false},{"title":"Apple Universal Links","url":"\u002Fdocs\u002Fenable-universal-links-support-in-apple-xcode","isActiveUrl":false},{"title":"Remove Applications","url":"\u002Fdocs\u002Fapplications\u002Fremove-applications","isActiveUrl":false},{"title":"View Application Type","url":"\u002Fdocs\u002Fapplications\u002Fview-application-type","isActiveUrl":false},{"title":"Rotate Client Secret","url":"\u002Fdocs\u002Fget-started\u002Fdashboard\u002Frotate-client-secret","isActiveUrl":false},{"title":"Wildcards for Subdomains","url":"\u002Fdocs\u002Fapplications\u002Fwildcards-for-subdomains","isActiveUrl":false},{"title":"Recommended Settings","url":"\u002Fdocs\u002Fbest-practices\u002Fapp-settings-best-practices","isActiveUrl":false}],"isActiveUrl":false},{"title":"API Configuration","url":"\u002Fdocs\u002Fget-started\u002Fdashboard\u002Fapi-settings","children":[{"title":"Signing Algorithms","url":"\u002Fdocs\u002Ftokens\u002Fsigning-algorithms","isActiveUrl":false},{"title":"Represent Multiple APIs with a Single API","url":"\u002Fdocs\u002Fauthorization\u002Frepresent-multiple-apis-using-a-single-logical-api","isActiveUrl":false}],"isActiveUrl":false},{"title":"Single Sign-On","url":"\u002Fdocs\u002Fsso","children":[{"title":"Inbound SSO","url":"\u002Fdocs\u002Fsso\u002Finbound-single-sign-on","isActiveUrl":false},{"title":"Outbound SSO","url":"\u002Fdocs\u002Fsso\u002Foutbound-single-sign-on","isActiveUrl":false},{"title":"Relevant API Endpoints","url":"\u002Fdocs\u002Fsso\u002Fapi-endpoints-for-single-sign-on","isActiveUrl":false},{"title":"Single Sign-On with Auth0","url":"\u002Fdocs\u002Fsso\u002Fcurrent\u002Fsso-auth0","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Attack Protection","url":"\u002Fdocs\u002Fattack-protection","children":[{"title":"Bot Detection","url":"\u002Fdocs\u002Fattack-protection\u002Fbot-detection","children":[{"title":"Custom Login Pages","url":"\u002Fdocs\u002Fattack-protection\u002Fbot-detection\u002Fbot-detection-custom-login-pages","hidden":true,"isActiveUrl":false},{"title":"Native Applications","url":"\u002Fdocs\u002Fattack-protection\u002Fbot-detection\u002Fbot-detection-native-apps","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Breached Passwords","url":"\u002Fdocs\u002Fattack-protection\u002Fbreached-password-detection","isActiveUrl":false},{"title":"Brute Force Attacks","url":"\u002Fdocs\u002Fattack-protection\u002Fbrute-force-protection","isActiveUrl":false},{"title":"Suspicious IP Throttling","url":"\u002Fdocs\u002Fattack-protection\u002Fsuspicious-ip-throttling","isActiveUrl":false},{"title":"Customize Blocked Account Emails","url":"\u002Fdocs\u002Fattack-protection\u002Fcustomize-blocked-account-emails","isActiveUrl":false},{"title":"View Events","url":"\u002Fdocs\u002Fattack-protection\u002Fview-attack-protection-events","isActiveUrl":false}],"isActiveUrl":false},{"title":"SAML Configuration Options","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocol","children":[{"title":"SAML SSO Integrations","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocol\u002Fsaml-configuration-options","isActiveUrl":false},{"title":"Auth0 as SP","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocol\u002Fconfigure-auth0-saml-service-provider","isActiveUrl":false},{"title":"Auth0 as IdP","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocol\u002Fconfigure-auth0-as-saml-identity-provider","isActiveUrl":false},{"title":"Test SAML SSO","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocol\u002Fconfigure-auth0-as-service-and-identity-provider","isActiveUrl":false},{"title":"IdP Settings","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocol\u002Fsaml-identity-provider-configuration-settings","isActiveUrl":false},{"title":"Special Scenarios","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocol\u002Fspecial-saml-configuration-scenarios","children":[{"title":"Identity Provider-Initiated SSO","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocols\u002Fsaml-configuration-options\u002Fidentity-provider-initiated-single-sign-on","hidden":true,"isActiveUrl":false},{"title":"Sign and Encrypt SAML Requests","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocols\u002Fsaml-configuration-options\u002Fsign-and-encrypt-saml-requests","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Customize SAML Assertions","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocol\u002Fcustomize-saml-assertions","isActiveUrl":false},{"title":"Deprovision Users","url":"\u002Fdocs\u002Fprotocols\u002Fsaml-protocol\u002Fdeprovision-users-in-saml-integrations","isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Manage Users","url":"\u002Fdocs\u002Fusers","children":[{"title":"User Profiles","url":"\u002Fdocs\u002Fusers\u002Fuser-profiles","children":[{"title":"Normalized User Profile","url":"\u002Fdocs\u002Fusers\u002Fnormalized-user-profiles","isActiveUrl":false},{"title":"Update Profiles Using Your Database","url":"\u002Fdocs\u002Fusers\u002Fupdate-user-profiles-using-your-database","isActiveUrl":false},{"title":"Progressive Profiling","url":"\u002Fdocs\u002Fusers\u002Fprogressive-profiling","isActiveUrl":false},{"title":"User Profile Structure","url":"\u002Fdocs\u002Fusers\u002Fuser-profile-structure","isActiveUrl":false}],"isActiveUrl":false},{"title":"Metadata","url":"\u002Fdocs\u002Fusers\u002Fmetadata","children":[{"title":"Manage User Metadata","url":"\u002Fdocs\u002Fusers\u002Fmanage-user-metadata","isActiveUrl":false},{"title":"Read Metadata","url":"\u002Fdocs\u002Fusers\u002Fread-metadata","isActiveUrl":false},{"title":"Set Metadata Properties on Creation","url":"\u002Fdocs\u002Fusers\u002Fset-metadata-properties-on-creation","isActiveUrl":false},{"title":"Update Metadata with the Management API","url":"\u002Fdocs\u002Fusers\u002Fupdate-metadata-with-the-management-api","isActiveUrl":false},{"title":"Metadata Best Practices","url":"\u002Fdocs\u002Fbest-practices\u002Fmetadata-best-practices","isActiveUrl":false}],"isActiveUrl":false},{"title":"Sessions","url":"\u002Fdocs\u002Fsessions","children":[{"title":"Session Layers","url":"\u002Fdocs\u002Fsessions\u002Fsession-layers","isActiveUrl":false},{"title":"Session Lifetime Limits","url":"\u002Fdocs\u002Fsessions\u002Fsession-lifetime-limits","isActiveUrl":false},{"title":"Non-Persistent Sessions","url":"\u002Fdocs\u002Fsessions\u002Fnon-persistent-sessions","isActiveUrl":false},{"title":"Manage Multi-Site Sessions with Auth0 SDK","url":"\u002Fdocs\u002Fsessions\u002Fmanage-multi-site-sessions","isActiveUrl":false},{"title":"Authentication API Cookies","url":"\u002Fdocs\u002Fsessions\u002Fcookies\u002Fauthentication-api-cookies","isActiveUrl":false}],"isActiveUrl":false},{"title":"Deny Access to an API Using Rules","url":"\u002Fdocs\u002Fusers\u002Fdeny-api-access","isActiveUrl":false},{"title":"Using the Dashboard","url":"\u002Fdocs\u002Fusers\u002Fmanage-users-using-the-dashboard","isActiveUrl":false},{"title":"Using the API","url":"\u002Fdocs\u002Fusers\u002Fmanage-users-using-the-management-api","isActiveUrl":false},{"title":"Verify Emails","url":"\u002Fdocs\u002Fusers\u002Fverify-emails","isActiveUrl":false},{"title":"Email Verified Usage","url":"\u002Fdocs\u002Fusers\u002Fverified-email-usage","isActiveUrl":false},{"title":"Link User Accounts","url":"\u002Fdocs\u002Fusers\u002Fuser-account-linking","children":[{"title":"Link User Accounts","url":"\u002Fdocs\u002Fusers\u002Flink-user-accounts","isActiveUrl":false},{"title":"Unlink User Accounts","url":"\u002Fdocs\u002Fusers\u002Funlink-user-accounts","isActiveUrl":false},{"title":"Client-Side SPA Scenario","url":"\u002Fdocs\u002Fusers\u002Fuser-initiated-account-linking-client-side-implementation","isActiveUrl":false},{"title":"Server-Side Regular Web App Scenario","url":"\u002Fdocs\u002Fusers\u002Fsuggested-account-linking-server-side-implementation","isActiveUrl":false}],"isActiveUrl":false},{"title":"Import & Export Users","url":"\u002Fdocs\u002Fusers\u002Fimport-and-export-users","children":[{"title":"File Schema","url":"\u002Fdocs\u002Fusers\u002Fbulk-user-import-database-schema-and-examples","isActiveUrl":false},{"title":"Automatic","url":"\u002Fdocs\u002Fusers\u002Fconfigure-automatic-migration-from-your-database","isActiveUrl":false},{"title":"Bulk Import","url":"\u002Fdocs\u002Fusers\u002Fbulk-user-imports","isActiveUrl":false},{"title":"Bulk Export","url":"\u002Fdocs\u002Fusers\u002Fbulk-user-exports","isActiveUrl":false},{"title":"User Import\u002FExport Extension","url":"\u002Fdocs\u002Fextensions\u002Fuser-import-export-extension","isActiveUrl":false},{"title":"Examples","url":"\u002Fdocs\u002Fusers\u002Fuser-migration-scenarios","isActiveUrl":false}],"isActiveUrl":false},{"title":"User Search","url":"\u002Fdocs\u002Fusers\u002Fuser-search","children":[{"title":"Get Users","url":"\u002Fdocs\u002Fusers\u002Fuser-search\u002Fretrieve-users-with-get-users-endpoint","isActiveUrl":false},{"title":"Get Users by Email","url":"\u002Fdocs\u002Fusers\u002Fuser-search\u002Fretrieve-users-with-get-users-by-email-endpoint","isActiveUrl":false},{"title":"Get Users by ID","url":"\u002Fdocs\u002Fusers\u002Fuser-search\u002Fretrieve-users-with-get-users-by-id-endpoint","isActiveUrl":false},{"title":"Sort Search Results","url":"\u002Fdocs\u002Fusers\u002Fuser-search\u002Fsort-search-results","isActiveUrl":false},{"title":"View Search Results","url":"\u002Fdocs\u002Fusers\u002Fuser-search\u002Fview-search-results-by-page","isActiveUrl":false},{"title":"Query Syntax","url":"\u002Fdocs\u002Fusers\u002Fuser-search\u002Fuser-search-query-syntax","isActiveUrl":false},{"title":"Best Practices","url":"\u002Fdocs\u002Fbest-practices\u002Fuser-search-best-practices","isActiveUrl":false},{"title":"Migrate from Search v2 to V3","url":"\u002Fdocs\u002Fusers\u002Fsearch\u002Fv3\u002Fmigrate-search-v2-v3","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"User Search","url":"\u002Fdocs\u002Fusers\u002Fuser-search","hidden":true,"children":[{"title":"Query Syntax","url":"\u002Fdocs\u002Fusers\u002Fuser-search\u002Fuser-search-query-syntax","hidden":true,"isActiveUrl":false},{"title":"Best Practices","url":"\u002Fdocs\u002Fbest-practices\u002Fuser-search-best-practices","hidden":true,"isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Manage Dashboard Access","url":"\u002Fdocs\u002Fdashboard-access","children":[{"title":"Dashboard Access by Role","url":"\u002Fdocs\u002Fdashboard-access\u002Ffeature-access-by-role","isActiveUrl":false},{"title":"Add Tenant Members","url":"\u002Fdocs\u002Fdashboard-access\u002Fadd-dashboard-users","isActiveUrl":false},{"title":"Edit Tenant Members","url":"\u002Fdocs\u002Fdashboard-access\u002Fedit-dashboard-users","isActiveUrl":false},{"title":"Remove Tenant Members","url":"\u002Fdocs\u002Fdashboard-access\u002Fremove-dashboard-users","isActiveUrl":false},{"title":"Manage Access with MFA","url":"\u002Fdocs\u002Fdashboard-access\u002Fadd-change-remove-mfa","isActiveUrl":false},{"title":"Update Dashboard User Email","url":"\u002Fdocs\u002Fdashboard-access\u002Fupdate-dashboard-user-email","isActiveUrl":false}],"isActiveUrl":false},{"title":"Brand & Customize","url":"\u002Fdocs\u002Fbrand-and-customize","children":[{"title":"Universal Login Pages","url":"\u002Fdocs\u002Funiversal-login\u002Fnew-experience\u002Funiversal-login-page-templates","isActiveUrl":false},{"title":"Custom Domains","url":"\u002Fdocs\u002Fcustom-domains","children":[{"title":"Auth0-Managed Certificates","url":"\u002Fdocs\u002Fcustom-domains\u002Fconfigure-custom-domains-with-auth0-managed-certificates","isActiveUrl":false},{"title":"Self-Managed Certificates","url":"\u002Fdocs\u002Fcustom-domains\u002Fconfigure-custom-domains-with-self-managed-certificates","children":[{"title":"Google Cloud Platform Reverse Proxy","url":"\u002Fdocs\u002Fcustom-domains\u002Fconfigure-custom-domains-with-self-managed-certificates\u002Fconfigure-gcp-as-reverse-proxy","isActiveUrl":false},{"title":"Cloudflare Reverse Proxy","url":"\u002Fdocs\u002Fcustom-domains\u002Fconfigure-custom-domains-with-self-managed-certificates\u002Fconfigure-cloudflare-for-use-as-reverse-proxy","isActiveUrl":false},{"title":"Cloudfront Reverse Proxy","url":"\u002Fdocs\u002Fcustom-domains\u002Fconfigure-custom-domains-with-self-managed-certificates\u002Fconfigure-aws-cloudfront-for-use-as-reverse-proxy","isActiveUrl":false},{"title":"Azure CDN Reverse Proxy","url":"\u002Fdocs\u002Fcustom-domains\u002Fconfigure-custom-domains-with-self-managed-certificates\u002Fconfigure-azure-cdn-for-use-as-reverse-proxy","isActiveUrl":false},{"title":"TLS (SSL) Versions and Ciphers","url":"\u002Fdocs\u002Fcustom-domains\u002Ftls-ssl","isActiveUrl":false}],"isActiveUrl":false},{"title":"Configure Auth0 Features","url":"\u002Fdocs\u002Fcustom-domains\u002Fconfigure-features-to-use-custom-domains","isActiveUrl":false},{"title":"Troubleshoot Custom Domains","url":"\u002Fdocs\u002Fcustom-domains\u002Ftroubleshoot-custom-domains","isActiveUrl":false}],"isActiveUrl":false},{"title":"Email","url":"\u002Fdocs\u002Femail","children":[{"title":"Email Handling","url":"\u002Fdocs\u002Femail\u002Fmanage-email-flow","isActiveUrl":false},{"title":"Email Templates","url":"\u002Fdocs\u002Femail\u002Fcustomize-email-templates","children":[{"title":"Liquid Syntax","url":"\u002Fdocs\u002Femail\u002Fcustomize-email-templates\u002Fuse-liquid-syntax-in-email-templates","isActiveUrl":false},{"title":"Template Descriptions","url":"\u002Fdocs\u002Femail\u002Fcustomize-email-templates\u002Femail-template-descriptions","isActiveUrl":false}],"isActiveUrl":false},{"title":"External SMTP Email Providers","url":"\u002Fdocs\u002Femail\u002Fconfigure-external-smtp-email-providers","isActiveUrl":false},{"title":"Custom SMTP Email Provider","url":"\u002Fdocs\u002Femail\u002Fconfigure-custom-external-smtp-email-provider","isActiveUrl":false},{"title":"Test SMTP Email Server","url":"\u002Fdocs\u002Femail\u002Fconfigure-test-smtp-email-servers","isActiveUrl":false},{"title":"Send Email Invitations for Application Signup","url":"\u002Fdocs\u002Femail\u002Fsend-email-invitations-for-application-signup","isActiveUrl":false}],"isActiveUrl":false},{"title":"Consent Prompt","url":"\u002Fdocs\u002Fscopes\u002Fcustomize-consent-prompts","isActiveUrl":false},{"title":"Internationalization and Localization","url":"\u002Fdocs\u002Fi18n","children":[{"title":"Universal Login Internationalization","url":"\u002Fdocs\u002Fi18n\u002Funiversal-login-internationalization","hidden":true,"isActiveUrl":false},{"title":"Customize Translation of Lock Password Options","url":"\u002Fdocs\u002Fi18n\u002Fpassword-options-translation","hidden":true,"isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Actions","url":"\u002Fdocs\u002Factions","children":[{"title":"Write Your First Action","url":"\u002Fdocs\u002Factions\u002Fwrite-your-first-action","isActiveUrl":false},{"title":"Triggers","url":"\u002Fdocs\u002Factions\u002Ftriggers","children":[{"title":"post-login","url":"\u002Fdocs\u002Factions\u002Ftriggers\u002Fpost-login","children":[{"title":"Manage user metadata in post-login","url":"\u002Fdocs\u002Factions\u002Ftriggers\u002Fpost-login\u002Fmanage-user-metadata","hidden":true,"isActiveUrl":false},{"title":"Redirect with Actions","url":"\u002Fdocs\u002Factions\u002Ftriggers\u002Fpost-login\u002Fredirect-with-actions","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"credentials-exchange","url":"\u002Fdocs\u002Factions\u002Ftriggers\u002Fcredentials-exchange","isActiveUrl":false},{"title":"pre-user-registration","url":"\u002Fdocs\u002Factions\u002Ftriggers\u002Fpre-user-registration","isActiveUrl":false},{"title":"post-user-registration","url":"\u002Fdocs\u002Factions\u002Ftriggers\u002Fpost-user-registration","isActiveUrl":false},{"title":"post-change-password","url":"\u002Fdocs\u002Factions\u002Ftriggers\u002Fpost-change-password","isActiveUrl":false},{"title":"send-phone-message","url":"\u002Fdocs\u002Factions\u002Ftriggers\u002Fsend-phone-message","isActiveUrl":false}],"isActiveUrl":false},{"title":"Limitations","url":"\u002Fdocs\u002Factions\u002Flimitations","isActiveUrl":false},{"title":"Manage Action Versions","url":"\u002Fdocs\u002Factions\u002Fmanage-action-versions","isActiveUrl":false},{"title":"Programming Model Changes","url":"\u002Fdocs\u002Factions\u002Fprogramming-model-changes","isActiveUrl":false}],"isActiveUrl":false},{"title":"Rules","url":"\u002Fdocs\u002Frules","children":[{"title":"Create a New Rule","url":"\u002Fdocs\u002Frules\u002Fcreate-rules","isActiveUrl":false},{"title":"Rules Use Cases","url":"\u002Fdocs\u002Frules\u002Fuse-cases","isActiveUrl":false},{"title":"Store Configuration for Rules","url":"\u002Fdocs\u002Frules\u002Fconfiguration","isActiveUrl":false},{"title":"Cache Expensive Resources","url":"\u002Fdocs\u002Frules\u002Fcache-resources","isActiveUrl":false},{"title":"Debug Rules","url":"\u002Fdocs\u002Frules\u002Fdebug-rules","isActiveUrl":false},{"title":"Management API in Rules","url":"\u002Fdocs\u002Frules\u002Fuse-management-api","isActiveUrl":false},{"title":"Metadata in Rules","url":"\u002Fdocs\u002Frules\u002Fmetadata","isActiveUrl":false},{"title":"Redirect Users from Rules","url":"\u002Fdocs\u002Frules\u002Fredirect-users","isActiveUrl":false},{"title":"User Object","url":"\u002Fdocs\u002Frules\u002Fuser-object-in-rules","isActiveUrl":false},{"title":"Context Object","url":"\u002Fdocs\u002Frules\u002Fcontext-object","isActiveUrl":false}],"isActiveUrl":false},{"title":"Hooks","url":"\u002Fdocs\u002Fhooks","children":[{"title":"Create Hooks","url":"\u002Fdocs\u002Fhooks\u002Fcreate-hooks","isActiveUrl":false},{"title":"Update Hooks","url":"\u002Fdocs\u002Fhooks\u002Fupdate-hooks","isActiveUrl":false},{"title":"Delete Hooks","url":"\u002Fdocs\u002Fhooks\u002Fdelete-hooks","isActiveUrl":false},{"title":"Enable\u002FDisable Hooks","url":"\u002Fdocs\u002Fhooks\u002Fenable-disable-hooks","isActiveUrl":false},{"title":"View Hooks","url":"\u002Fdocs\u002Fhooks\u002Fview-hooks","isActiveUrl":false},{"title":"View Logs","url":"\u002Fdocs\u002Fhooks\u002Fview-logs-for-hooks","isActiveUrl":false},{"title":"Extensibility Points","url":"\u002Fdocs\u002Fhooks\u002Fextensibility-points","children":[{"title":"Client Credentials Exchange","url":"\u002Fdocs\u002Fhooks\u002Fextensibility-points\u002Fclient-credentials-exchange","isActiveUrl":false},{"title":"Post-Change Password","url":"\u002Fdocs\u002Fhooks\u002Fextensibility-points\u002Fpost-change-password","isActiveUrl":false},{"title":"Post-User Registration","url":"\u002Fdocs\u002Fhooks\u002Fextensibility-points\u002Fpost-user-registration","isActiveUrl":false},{"title":"Pre-User Registration","url":"\u002Fdocs\u002Fhooks\u002Fextensibility-points\u002Fpre-user-registration","isActiveUrl":false},{"title":"Send Phone Message","url":"\u002Fdocs\u002Fhooks\u002Fextensibility-points\u002Fsend-phone-message","isActiveUrl":false}],"isActiveUrl":false},{"title":"Hook Secrets","url":"\u002Fdocs\u002Fhooks\u002Fhook-secrets","children":[{"title":"Create Secrets","url":"\u002Fdocs\u002Fhooks\u002Fhook-secrets\u002Fcreate-hook-secrets","isActiveUrl":false},{"title":"Update Secrets","url":"\u002Fdocs\u002Fhooks\u002Fhook-secrets\u002Fupdate-hook-secrets","isActiveUrl":false},{"title":"Delete Secrets","url":"\u002Fdocs\u002Fhooks\u002Fhook-secrets\u002Fdelete-hook-secrets","isActiveUrl":false},{"title":"View Secrets","url":"\u002Fdocs\u002Fhooks\u002Fhook-secrets\u002Fview-hook-secrets","isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Extensions","url":"\u002Fdocs\u002Fextensions","children":[{"title":"Authorization Extension","url":"\u002Fdocs\u002Fextensions\u002Fauthorization-extension","isActiveUrl":false},{"title":"Delegated Administration","url":"\u002Fdocs\u002Fextensions\u002Fdelegated-administration-extension","isActiveUrl":false},{"title":"Custom Social Connections","url":"\u002Fdocs\u002Fextensions\u002Fcustom-social-connections","hidden":true,"isActiveUrl":false},{"title":"SSO Dashboard Extension","url":"\u002Fdocs\u002Fextensions\u002Fsingle-sign-on-dashboard-extension","isActiveUrl":false},{"title":"Authentication API Webhooks","url":"\u002Fdocs\u002Fextensions\u002Fauth0-authentication-api-webhooks","isActiveUrl":false},{"title":"Management API Webhooks","url":"\u002Fdocs\u002Fextensions\u002Fauth0-management-api-webhooks","isActiveUrl":false},{"title":"Authentication API Debugger","url":"\u002Fdocs\u002Fextensions\u002Fauthentication-api-debugger-extension","isActiveUrl":false},{"title":"AD\u002FLDAP Connector Health Monitor","url":"\u002Fdocs\u002Fextensions\u002Fad-ldap-connector-health-monitor","isActiveUrl":false},{"title":"Real-time Webtask Logs","url":"\u002Fdocs\u002Fextensions\u002Freal-time-webtask-logs","isActiveUrl":false},{"title":"Auth0 Logs to Application Insights","url":"\u002Fdocs\u002Fextensions\u002Fexport-logs-to-application-insights","isActiveUrl":false},{"title":"Auth0 Logs to AWS Cloudwatch","url":"\u002Fdocs\u002Fextensions\u002Fexport-logs-to-cloudwatch","isActiveUrl":false},{"title":"Auth0 Logs to Azure Blob Storage","url":"\u002Fdocs\u002Fextensions\u002Fexport-logs-to-azure-blob-storage","isActiveUrl":false},{"title":"Auth0 Logs to Logentries","url":"\u002Fdocs\u002Fextensions\u002Fexport-logs-to-logentries","isActiveUrl":false},{"title":"Auth0 Logs to Loggly","url":"\u002Fdocs\u002Fextensions\u002Fexport-logs-to-loggly","isActiveUrl":false},{"title":"Auth0 Logs to Logstash","url":"\u002Fdocs\u002Fextensions\u002Fexport-logs-to-logstash","isActiveUrl":false},{"title":"Auth0 Logs to Mixpanel","url":"\u002Fdocs\u002Fextensions\u002Fexport-logs-to-mixpanel","isActiveUrl":false},{"title":"Auth0 Logs to Papertrail","url":"\u002Fdocs\u002Fextensions\u002Fexport-logs-to-papertrail","isActiveUrl":false},{"title":"Auth0 Logs to Sumo Logic","url":"\u002Fdocs\u002Fextensions\u002Fauth0-logs-to-sumo-logic","isActiveUrl":false},{"title":"Auth0 Logs to Splunk","url":"\u002Fdocs\u002Fextensions\u002Fexport-logs-to-splunk","isActiveUrl":false},{"title":"Add-ons","url":"\u002Fdocs\u002Faddons","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Integrations","url":"\u002Fdocs\u002Fintegrations","children":[{"title":"Amazon Web Services (AWS)","url":"\u002Fdocs\u002Fintegrations\u002Faws","isActiveUrl":false},{"title":"AWS API Gateway","url":"\u002Fdocs\u002Fintegrations\u002Faws-api-gateway-custom-authorizers","isActiveUrl":false},{"title":"Azure API Management","url":"\u002Fdocs\u002Fintegrations\u002Fazure-api-management","isActiveUrl":false},{"title":"Google Cloud Endpoints","url":"\u002Fdocs\u002Fintegrations\u002Fgoogle-cloud-endpoints","isActiveUrl":false},{"title":"Single Sign-On","url":"\u002Fdocs\u002Fintegrations\u002Fsso","children":[{"title":"Active Directory RMS","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fad-rms","isActiveUrl":false},{"title":"Adobe Sign","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fadobe-sign","isActiveUrl":false},{"title":"Box","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fbox","isActiveUrl":false},{"title":"Cisco WebEx","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fcisco-webex","isActiveUrl":false},{"title":"CloudBees","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fcloudbees","isActiveUrl":false},{"title":"Concur","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fconcur","isActiveUrl":false},{"title":"Datadog","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fdatadog","isActiveUrl":false},{"title":"Dropbox","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fdropbox","isActiveUrl":false},{"title":"Dynamics CRM","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fdynamics-crm","isActiveUrl":false},{"title":"Egencia","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fegencia","isActiveUrl":false},{"title":"Egnyte","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fegnyte","isActiveUrl":false},{"title":"Eloqua","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Feloqua","isActiveUrl":false},{"title":"Freshdesk","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Ffreshdesk","isActiveUrl":false},{"title":"G Suite","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fg-suite","isActiveUrl":false},{"title":"GitHub Enterprise Cloud","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fgithub-enterprise-cloud","isActiveUrl":false},{"title":"GitHub Enterprise Server","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fgithub-enterprise-server","isActiveUrl":false},{"title":"Heroku","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fheroku","isActiveUrl":false},{"title":"Hosted Graphite","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fhosted-graphite","isActiveUrl":false},{"title":"Litmos","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Flitmos","isActiveUrl":false},{"title":"New Relic","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fnew-relic","isActiveUrl":false},{"title":"Office 365","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Foffice-365","isActiveUrl":false},{"title":"Pluralsight","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fpluralsight","isActiveUrl":false},{"title":"Salesforce","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fsalesforce","isActiveUrl":false},{"title":"Sentry","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fsentry","isActiveUrl":false},{"title":"Slack","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fslack","isActiveUrl":false},{"title":"SpringCM","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fspringcm","isActiveUrl":false},{"title":"Sprout Video","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fsprout-video","isActiveUrl":false},{"title":"Tableau Online","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Ftableau-online","isActiveUrl":false},{"title":"Tableau Server","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Ftableau-server","isActiveUrl":false},{"title":"Workday","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fworkday","isActiveUrl":false},{"title":"Workpath","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fworkpath","isActiveUrl":false},{"title":"Zendesk","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fzendesk","isActiveUrl":false},{"title":"Zoom","url":"\u002Fdocs\u002Fintegrations\u002Fsso\u002Fzoom","isActiveUrl":false}],"isActiveUrl":false},{"title":"Marketing","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing","children":[{"title":"Adobe Campaign","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Fadobe-campaign","isActiveUrl":false},{"title":"Alterian","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Falterian","isActiveUrl":false},{"title":"Constant Contact","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Fconstant-contact","isActiveUrl":false},{"title":"Oracle Eloqua","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Feloqua","isActiveUrl":false},{"title":"MailChimp","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Fmailchimp","isActiveUrl":false},{"title":"Marketo","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Fmarketo","isActiveUrl":false},{"title":"Sailthru","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Fsailthru","isActiveUrl":false},{"title":"Salesforce","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Fexport-user-data-salesforce","isActiveUrl":false},{"title":"Salesforce Marketing Cloud","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Fsalesforce-marketing-cloud","isActiveUrl":false},{"title":"Watson Campaign Automation","url":"\u002Fdocs\u002Fintegrations\u002Fmarketing\u002Fwatson-campaign-automation","isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Logs","url":"\u002Fdocs\u002Flogs","children":[{"title":"Log Streams","url":"\u002Fdocs\u002Flogs\u002Fstreams","children":[{"title":"HTTP Event Streams","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Fstream-http-event-logs","children":[{"title":"HTTP Stream to Slack Example","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Fstream-log-events-to-slack","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"AWS EventBridge","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Faws-eventbridge","isActiveUrl":false},{"title":"Azure Event Grid","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Fstream-logs-to-azure-event-grid","isActiveUrl":false},{"title":"Datadog","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Fstream-logs-to-datadog","children":[{"title":"Datadog Dashboard Templates","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Fdatadog-dashboard-templates","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Splunk","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Fstream-logs-to-splunk","children":[{"title":"Auth0 App for Splunk","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Fsplunk-dashboard","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Sumo Logic","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Fstream-logs-to-sumo-logic","children":[{"title":"Auth0 App for Sumo Logic","url":"\u002Fdocs\u002Flogs\u002Fstreams\u002Fsumo-logic-dashboard","hidden":true,"isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Log Data Retention","url":"\u002Fdocs\u002Flogs\u002Flog-data-retention","isActiveUrl":false},{"title":"View Log Data in the Dashboard","url":"\u002Fdocs\u002Flogs\u002Fview-log-events-in-the-dashboard","isActiveUrl":false},{"title":"Log Event Filters","url":"\u002Fdocs\u002Flogs\u002Flog-event-filters","isActiveUrl":false},{"title":"Retrieve Logs Using the Management API","url":"\u002Fdocs\u002Flogs\u002Fretrieve-log-events-using-mgmt-api","isActiveUrl":false},{"title":"Log Event Type Codes","url":"\u002Fdocs\u002Flogs\u002Flog-event-type-codes","isActiveUrl":false},{"title":"Log Search Query Syntax","url":"\u002Fdocs\u002Flogs\u002Flog-search-query-syntax","isActiveUrl":false},{"title":"Migrate from Logs Search v2 to v3","url":"\u002Fdocs\u002Fproduct-lifecycle\u002Fdeprecations-and-migrations\u002Fmigrate-to-tenant-log-search-v3","isActiveUrl":false}],"isActiveUrl":false},{"title":"Monitor","url":"\u002Fdocs\u002Fmonitor-auth0","children":[{"title":"Check Auth0 Status","url":"\u002Fdocs\u002Fmonitor-auth0\u002Fcheck-auth0-status","isActiveUrl":false},{"title":"Check External Services Status","url":"\u002Fdocs\u002Fmonitor-auth0\u002Fcheck-external-services-status","isActiveUrl":false},{"title":"Monitor Applications","url":"\u002Fdocs\u002Fmonitor-auth0\u002Fmonitor-applications","isActiveUrl":false},{"title":"Monitor Using SCOM","url":"\u002Fdocs\u002Fmonitor-auth0\u002Fmonitor-using-scom","isActiveUrl":false}],"isActiveUrl":false},{"title":"Troubleshoot","url":"\u002Fdocs\u002Ftroubleshoot","children":[{"title":"Basic Issues","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-basic","children":[{"title":"Verify Platform","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-basic\u002Fverify-platform","isActiveUrl":false},{"title":"Verify Connections","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-basic\u002Fverify-connections","isActiveUrl":false},{"title":"Verify Domain","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-basic\u002Fverify-domain","isActiveUrl":false},{"title":"Verify Rules","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-basic\u002Fverify-rules","isActiveUrl":false},{"title":"Check Error Messages","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-basic\u002Fcheck-error-messages","isActiveUrl":false},{"title":"Invalid Token Errors","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-basic\u002Finvalid-token-errors","isActiveUrl":false},{"title":"Deprecation Errors","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-basic\u002Fcheck-deprecation-errors","isActiveUrl":false}],"isActiveUrl":false},{"title":"Authentication Issues","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-authentication","children":[{"title":"API Calls","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-authentication\u002Fcheck-api-calls","isActiveUrl":false},{"title":"Login and Logout Issues","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-authentication\u002Fcheck-login-and-logout-issues","isActiveUrl":false},{"title":"User Profiles","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-authentication\u002Fcheck-user-profiles","isActiveUrl":false},{"title":"RBAC and Authorization","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-authentication\u002Ftroubleshoot-rbac-authorization","isActiveUrl":false},{"title":"MFA Issues","url":"\u002Fdocs\u002Fmfa\u002Ftroubleshoot-mfa-issues","isActiveUrl":false},{"title":"SAML Configurations","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-authentication\u002Ftroubleshoot-saml-configurations","isActiveUrl":false},{"title":"SAML Errors","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-authentication\u002Fsaml-errors","isActiveUrl":false},{"title":"Self Change Password Errors","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-authentication\u002Fself-change-password-errors","isActiveUrl":false},{"title":"Authorization Extension Issues","url":"\u002Fdocs\u002Fextensions\u002Fauthorization-extension\u002Ftroubleshoot-authorization-extension","isActiveUrl":false}],"isActiveUrl":false},{"title":"Integration and Extensibility Issues","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftroubleshoot-integration-and-extensibility","children":[{"title":"Test Partner Connections","url":"\u002Fdocs\u002Fconnections\u002Fhow-to-test-partner-connection","isActiveUrl":false},{"title":"Sign in With Apple","url":"\u002Fdocs\u002Fconnections\u002Fapple-siwa\u002Ftroubleshooting","isActiveUrl":false},{"title":"Custom Databases","url":"\u002Fdocs\u002Fconnections\u002Fdatabase\u002Fcustom-db\u002Ferror-handling","isActiveUrl":false},{"title":"Active Directory\u002FLDAP Connector","url":"\u002Fdocs\u002Fextensions\u002Fad-ldap-connector","isActiveUrl":false},{"title":"Extensions","url":"\u002Fdocs\u002Fextensions\u002Ftroubleshoot-extensions","isActiveUrl":false},{"title":"Auth0 PHP SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-php\u002Ftroubleshoot-auth0-php-library","isActiveUrl":false}],"isActiveUrl":false},{"title":"Tools","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftools","children":[{"title":"Generate and Analyze HAR Files","url":"\u002Fdocs\u002Ftroubleshoot\u002Ftools\u002Fgenerate-and-analyze-har-files","isActiveUrl":false},{"title":"Authentication API Debugger","url":"\u002Fdocs\u002Fextensions\u002Fauthentication-api-debugger-extension","isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Product Lifecycle","url":"\u002Fdocs\u002Fproduct-lifecycle","children":[{"title":"Product Release Stages","url":"\u002Fdocs\u002Fproduct-lifecycle\u002Fproduct-release-stages","isActiveUrl":false},{"title":"Deprecations and Migrations","url":"\u002Fdocs\u002Fproduct-lifecycle\u002Fdeprecations-and-migrations","isActiveUrl":false},{"title":"Migration Process","url":"\u002Fdocs\u002Fproduct-lifecycle\u002Fmigration-process","isActiveUrl":false},{"title":"Past Migrations","url":"\u002Fdocs\u002Fproduct-lifecycle\u002Fdeprecations-and-migrations\u002Fpast-migrations","isActiveUrl":false}],"isActiveUrl":false},{"title":"Security","url":"\u002Fdocs\u002Fsecurity","children":[{"title":"General Security Tips","url":"\u002Fdocs\u002Fsecurity\u002Ftips","isActiveUrl":false},{"title":"Security Bulletins","url":"\u002Fdocs\u002Fsecurity\u002Fsecurity-bulletins","children":[{"title":"CVE 2018-6874","url":"\u002Fdocs\u002Fsecurity\u002Fsecurity-bulletins\u002Fcve-2018-6874","hidden":true,"isActiveUrl":false},{"title":"CVE 2018-6873","url":"\u002Fdocs\u002Fsecurity\u002Fsecurity-bulletins\u002Fcve-2018-6873","hidden":true,"isActiveUrl":false},{"title":"CVE 2018-7307","url":"\u002Fdocs\u002Fsecurity\u002Fsecurity-bulletins\u002Fcve-2018-7307","hidden":true,"isActiveUrl":false},{"title":"CVE 2017-16897","url":"\u002Fdocs\u002Fsecurity\u002Fsecurity-bulletins\u002Fcve-2017-16897","hidden":true,"isActiveUrl":false},{"title":"CVE 2017-17068","url":"\u002Fdocs\u002Fsecurity\u002Fsecurity-bulletins\u002Fcve-2017-17068","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Data Security","url":"\u002Fdocs\u002Fsecurity\u002Fdata-security","children":[{"title":"Add User Attributes to Deny List","url":"\u002Fdocs\u002Fsecurity\u002Fdata-security\u002Fdenylist","isActiveUrl":false},{"title":"Auth0 IP Addresses for Allow Lists","url":"\u002Fdocs\u002Fsecurity\u002Fdata-security\u002Fallowlist","isActiveUrl":false},{"title":"User Data Storage","url":"\u002Fdocs\u002Fsecurity\u002Fdata-security\u002Fuser-data-storage","isActiveUrl":false},{"title":"Token Storage","url":"\u002Fdocs\u002Fsecurity\u002Fdata-security\u002Ftoken-storage","isActiveUrl":false}],"isActiveUrl":false},{"title":"Prevent Common Threats","url":"\u002Fdocs\u002Fsecurity\u002Fprevent-threats","isActiveUrl":false},{"title":"Tokens","url":"\u002Fdocs\u002Ftokens","children":[{"title":"ID Tokens","url":"\u002Fdocs\u002Ftokens\u002Fid-tokens","children":[{"title":"Get ID Tokens","url":"\u002Fdocs\u002Ftokens\u002Fid-tokens\u002Fget-id-tokens","hidden":true,"isActiveUrl":false},{"title":"Validate ID Tokens","url":"\u002Fdocs\u002Ftokens\u002Fid-tokens\u002Fvalidate-id-tokens","hidden":true,"isActiveUrl":false},{"title":"ID Token Structure","url":"\u002Fdocs\u002Ftokens\u002Fid-tokens\u002Fid-token-structure","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Access Tokens","url":"\u002Fdocs\u002Ftokens\u002Faccess-tokens","children":[{"title":"IDP Access Tokens","url":"\u002Fdocs\u002Ftokens\u002Fidentity-provider-access-tokens","hidden":true,"isActiveUrl":false},{"title":"Get Access Tokens","url":"\u002Fdocs\u002Ftokens\u002Faccess-tokens\u002Fget-access-tokens","hidden":true,"isActiveUrl":false},{"title":"Use Access Tokens","url":"\u002Fdocs\u002Ftokens\u002Faccess-tokens\u002Fuse-access-tokens","hidden":true,"isActiveUrl":false},{"title":"Validate Access Tokens","url":"\u002Fdocs\u002Ftokens\u002Faccess-tokens\u002Fvalidate-access-tokens","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Refresh Tokens","url":"\u002Fdocs\u002Ftokens\u002Frefresh-tokens","children":[{"title":"Get Refresh Tokens","url":"\u002Fdocs\u002Ftokens\u002Frefresh-tokens\u002Fget-refresh-tokens","hidden":true,"isActiveUrl":false},{"title":"Use Refresh Tokens","url":"\u002Fdocs\u002Ftokens\u002Frefresh-tokens\u002Fuse-refresh-tokens","hidden":true,"isActiveUrl":false},{"title":"Revoke Refresh Tokens","url":"\u002Fdocs\u002Ftokens\u002Frefresh-tokens\u002Frevoke-refresh-tokens","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Refresh Token Rotation","url":"\u002Fdocs\u002Ftokens\u002Frefresh-tokens\u002Frefresh-token-rotation","children":[{"title":"Configure Refresh Token Rotation","url":"\u002Fdocs\u002Ftokens\u002Frefresh-tokens\u002Fconfigure-refresh-token-rotation","hidden":true,"isActiveUrl":false},{"title":"Use Refresh Token Rotation","url":"\u002Fdocs\u002Ftokens\u002Frefresh-tokens\u002Frefresh-token-rotation\u002Fuse-refresh-token-rotation","hidden":true,"isActiveUrl":false},{"title":"Disable Refresh Token Rotation","url":"\u002Fdocs\u002Ftokens\u002Frefresh-tokens\u002Fdisable-refresh-token-rotation","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Refresh Token Expiration","url":"\u002Fdocs\u002Ftokens\u002Frefresh-tokens\u002Fconfigure-refresh-token-expiration","isActiveUrl":false},{"title":"Delegation Tokens","url":"\u002Fdocs\u002Ftokens\u002Fdelegation-tokens","hidden":true,"isActiveUrl":false},{"title":"JSON Web Tokens","url":"\u002Fdocs\u002Ftokens\u002Fjson-web-tokens","hidden":true,"children":[{"title":"Validate JSON Web Tokens","url":"\u002Fdocs\u002Ftokens\u002Fjson-web-tokens\u002Fvalidate-json-web-tokens","hidden":true,"isActiveUrl":false},{"title":"JSON Web Key Sets","url":"\u002Fdocs\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-key-sets","hidden":true,"children":[{"title":"Locate JSON Web Key Sets","url":"\u002Fdocs\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-key-sets\u002Flocate-json-web-key-sets","hidden":true,"isActiveUrl":false},{"title":"JSON Web Key Set Properties","url":"\u002Fdocs\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-key-set-properties","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"JSON Web Token Claims","url":"\u002Fdocs\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-token-claims","hidden":true,"children":[{"title":"Create Namespaced Custom Claims","url":"\u002Fdocs\u002Ftokens\u002Fcreate-namespaced-custom-claims","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Signing Algorithms","hidden":true,"isActiveUrl":false},{"title":"JSON Web Token Structure","url":"\u002Fdocs\u002Ftokens\u002Fjson-web-tokens\u002Fjson-web-token-structure","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Revoke Tokens","url":"\u002Fdocs\u002Ftokens\u002Frevoke-tokens","isActiveUrl":false}],"isActiveUrl":false},{"title":"Cookies","url":"\u002Fdocs\u002Fsessions\u002Fcookies","children":[{"title":"Authenticate SPAs with Cookies","url":"\u002Fdocs\u002Fsessions\u002Fcookies\u002Fspa-authenticate-with-cookies","hidden":true,"isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Data Privacy and Compliance","url":"\u002Fdocs\u002Fcompliance","children":[{"title":"GDPR","url":"\u002Fdocs\u002Fcompliance\u002Fgdpr","children":[{"title":"Conditions for Consent","url":"\u002Fdocs\u002Fcompliance\u002Fgdpr\u002Fgdpr-conditions-for-consent","hidden":true,"isActiveUrl":false},{"title":"Right to Access, Correct, and Erase Data","url":"\u002Fdocs\u002Fcompliance\u002Fgdpr\u002Fgdpr-right-to-access-correct-and-erase-data","hidden":true,"isActiveUrl":false},{"title":"Data Minimization","url":"\u002Fdocs\u002Fcompliance\u002Fgdpr\u002Fgdpr-data-minimization","hidden":true,"isActiveUrl":false},{"title":"Data Portability","url":"\u002Fdocs\u002Fcompliance\u002Fgdpr\u002Fgdpr-data-portability","hidden":true,"isActiveUrl":false},{"title":"Protect and Secure User Data","url":"\u002Fdocs\u002Fcompliance\u002Fgdpr\u002Fgdpr-protect-and-secure-user-data","hidden":true,"isActiveUrl":false},{"title":"Redirect Users to Consent Form","url":"\u002Fdocs\u002Fcompliance\u002Fgdpr\u002Fgdpr-redirect-users-consent-form-hosted-webtask","hidden":true,"isActiveUrl":false},{"title":"Track Consent with Custom UI","url":"\u002Fdocs\u002Fcompliance\u002Fgdpr\u002Fgdpr-track-consent-with-custom-ui","hidden":true,"isActiveUrl":false},{"title":"Track Consent with Lock","url":"\u002Fdocs\u002Fcompliance\u002Fgdpr\u002Fgdpr-track-consent-with-lock","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Data Processing","url":"\u002Fdocs\u002Fcompliance\u002Fdata-processing","isActiveUrl":false}],"isActiveUrl":false},{"title":"Best Practices","url":"\u002Fdocs\u002Fbest-practices","children":[{"title":"General Usage and Operations","url":"\u002Fdocs\u002Fbest-practices\u002Fgeneral-usage-and-operations-best-practices","isActiveUrl":false},{"title":"Application Settings","url":"\u002Fdocs\u002Fbest-practices\u002Fapp-settings-best-practices","hidden":true,"isActiveUrl":false},{"title":"Connection Settings","url":"\u002Fdocs\u002Fbest-practices\u002Fconnection-settings-best-practices","isActiveUrl":false},{"title":"Custom Databases and Scripts","url":"\u002Fdocs\u002Fbest-practices\u002Fcustom-database-connection-and-action-script-best-practices","children":[{"title":"Custom Database Connection Anatomy","url":"\u002Fdocs\u002Fbest-practices\u002Fcustom-database-connection-and-action-script-best-practices\u002Fcustom-db-connection-anatomy-best-practices","hidden":true,"isActiveUrl":false},{"title":"Custom Database Action Script Size","url":"\u002Fdocs\u002Fbest-practices\u002Fcustom-db-connections\u002Fsize","hidden":true,"isActiveUrl":false},{"title":"Custom Database Action Script Environment","url":"\u002Fdocs\u002Fbest-practices\u002Fcustom-database-connection-and-action-script-best-practices\u002Fcustom-db-action-script-environment-best-practices","hidden":true,"isActiveUrl":false},{"title":"Error Handling","url":"\u002Fdocs\u002Fbest-practices\u002Ferror-handling-best-practices","hidden":true,"isActiveUrl":false},{"title":"Debugging","url":"\u002Fdocs\u002Fbest-practices\u002Fdebugging-best-practices","hidden":true,"isActiveUrl":false},{"title":"Testing","url":"\u002Fdocs\u002Fbest-practices\u002Frules-testing-best-practices","hidden":true,"isActiveUrl":false},{"title":"Deployment","url":"\u002Fdocs\u002Fbest-practices\u002Fdeployment-best-practices","hidden":true,"isActiveUrl":false},{"title":"Performance","url":"\u002Fdocs\u002Fbest-practices\u002Fperformance-best-practices","hidden":true,"isActiveUrl":false},{"title":"Security","url":"\u002Fdocs\u002Fbest-practices\u002Fcustom-database-connection-and-action-script-best-practices\u002Fcustom-db-connection-security-best-practices","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Metadata","url":"\u002Fdocs\u002Fbest-practices\u002Fmetadata-best-practices","isActiveUrl":false},{"title":"Rules","url":"\u002Fdocs\u002Fbest-practices\u002Frules-best-practices","isActiveUrl":false},{"title":"Search","url":"\u002Fdocs\u002Fbest-practices\u002Fuser-search-best-practices","isActiveUrl":false},{"title":"Tenant Settings","url":"\u002Fdocs\u002Fbest-practices\u002Ftenant-settings-best-practices","hidden":true,"isActiveUrl":false},{"title":"Tokens","url":"\u002Fdocs\u002Fbest-practices\u002Ftoken-best-practices","isActiveUrl":false}],"isActiveUrl":false},{"title":"Support","url":"\u002Fdocs\u002Fsupport","children":[{"title":"Support Options","url":"\u002Fdocs\u002Fsupport","isActiveUrl":false},{"title":"Support Matrix","url":"\u002Fdocs\u002Fsupport\u002Fproduct-support-matrix","isActiveUrl":false},{"title":"SLA","url":"\u002Fdocs\u002Fsupport\u002Fsla","isActiveUrl":false},{"title":"Tickets","url":"\u002Fdocs\u002Fsupport\u002Fopen-and-manage-support-tickets","isActiveUrl":false},{"title":"Support Center Users","url":"\u002Fdocs\u002Fsupport\u002Fsupport-center-users","isActiveUrl":false},{"title":"Manage Subscription","url":"\u002Fdocs\u002Fsupport\u002Fmanage-subscriptions","isActiveUrl":false},{"title":"Operational Policies","url":"\u002Fdocs\u002Fpolicies","children":[{"title":"Billing","url":"\u002Fdocs\u002Fpolicies\u002Fbilling-policy","isActiveUrl":false},{"title":"Data Export and Transfer","url":"\u002Fdocs\u002Fpolicies\u002Fdata-export-and-transfer-policy","isActiveUrl":false},{"title":"Endpoints","url":"\u002Fdocs\u002Fsecurity\u002Fpublic-cloud-service-endpoints","isActiveUrl":false},{"title":"Load Testing","url":"\u002Fdocs\u002Fpolicies\u002Fload-testing-policy","isActiveUrl":false},{"title":"Penetration Testing","url":"\u002Fdocs\u002Fpolicies\u002Fpenetration-testing-policy","isActiveUrl":false},{"title":"Rate Limits","url":"\u002Fdocs\u002Fpolicies\u002Frate-limit-policy","children":[{"title":"Managment API Endpoint Rate Limits","url":"\u002Fdocs\u002Fpolicies\u002Frate-limit-policy\u002Fmanagement-api-endpoint-rate-limits","hidden":true,"isActiveUrl":false},{"title":"Authentication API Endpoint Rate Limits","url":"\u002Fdocs\u002Fpolicies\u002Frate-limit-policy\u002Fmanagement-api-endpoint-rate-limits","hidden":true,"isActiveUrl":false},{"title":"User\u002FPassword Authentication Rate Limits","url":"\u002Fdocs\u002Fpolicies\u002Frate-limit-policy\u002Fdatabase-connections-rate-limits","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Entity Limits","url":"\u002Fdocs\u002Fpolicies\u002Fentity-limit-policy","isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false},{"title":"Professional Services","url":"\u002Fdocs\u002Fprofessional-services","children":[{"title":"Discover and Design","url":"\u002Fdocs\u002Fprofessional-services\u002Fdiscover-design","isActiveUrl":false},{"title":"Implement","url":"\u002Fdocs\u002Fprofessional-services\u002Fimplement","isActiveUrl":false},{"title":"Maintain and Improve","url":"\u002Fdocs\u002Fprofessional-services\u002Fmaintain-improve","isActiveUrl":false},{"title":"Packages","url":"\u002Fdocs\u002Fprofessional-services\u002Fpackages","isActiveUrl":false}],"isActiveUrl":false},{"title":"Auth0 Marketplace","external":true,"forceFullReload":true,"url":"https:\u002F\u002Fmarketplace.auth0.com\u002F","isActiveUrl":false},{"title":"Auth0 Community","external":true,"forceFullReload":true,"url":"https:\u002F\u002Fcommunity.auth0.com\u002F","isActiveUrl":false},{"title":"Auth0 Blog","external":true,"forceFullReload":true,"url":"https:\u002F\u002Fauth0.com\u002Fblog\u002F","isActiveUrl":false}],"apis":[{"title":"Overview","url":"\u002Fdocs\u002Fapi","isActiveUrl":true},{"title":"Testing with Postman","url":"\u002Fdocs\u002Fapi\u002Fuse-auth0-apis-with-postman-collections","isActiveUrl":false},{"title":"Authentication API","url":"\u002Fdocs\u002Fapi\u002Fauthentication","external":true,"forceFullReload":true,"isActiveUrl":false},{"title":"Changes in Management API v2","url":"\u002Fdocs\u002Fapi\u002Fmanagement-api-changes-v1-to-v2","forceFullReload":true,"isActiveUrl":false},{"title":"Management API Explorer","url":"\u002Fdocs\u002Fapi\u002Fmanagement\u002Fv2\u002F","forceFullReload":true,"external":true,"isActiveUrl":false}],"libraries":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries","isActiveUrl":false},{"title":"Auth0 Single Page App SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-single-page-app-sdk","children":[{"title":"Migrate from auth0.js","url":"\u002Fdocs\u002Flibraries\u002Fauth0-single-page-app-sdk\u002Fmigrate-from-auth0-js-to-the-auth0-single-page-app-sdk","hidden":true,"isActiveUrl":false}],"isActiveUrl":false},{"title":"Auth0 React SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-react","isActiveUrl":false},{"title":"Auth0 Angular SPA SDK","url":"\u002Fdocs\u002Flibraries\u002Fauth0-angular-spa","isActiveUrl":false},{"title":"Lock for Web","url":"\u002Fdocs\u002Flibraries\u002Flock","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Flock","isActiveUrl":false},{"title":"Configuration Options","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-configuration","isActiveUrl":false},{"title":"API Reference","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-api-reference","isActiveUrl":false},{"title":"UI Customization","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-ui-customization","isActiveUrl":false},{"title":"Internationalization","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-internationalization","isActiveUrl":false},{"title":"Customizing Errors","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Fcustomize-lock-error-messages","isActiveUrl":false},{"title":"Authentication Modes","url":"\u002Fdocs\u002Flibraries\u002Flock\u002Flock-authentication-modes","isActiveUrl":false}],"isActiveUrl":false},{"title":"Lock for iOS","url":"\u002Fdocs\u002Flibraries\u002Flock-swift","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Flock-swift","isActiveUrl":false},{"title":"Styles Customization","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-customization","isActiveUrl":false},{"title":"Behavior Configuration","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-configuration-options","isActiveUrl":false},{"title":"Custom Fields","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-custom-fields-at-signup","isActiveUrl":false},{"title":"Internationalization","url":"\u002Fdocs\u002Flibraries\u002Flock-swift\u002Flock-swift-internationalization","isActiveUrl":false}],"isActiveUrl":false},{"title":"Lock for Android","url":"\u002Fdocs\u002Flibraries\u002Flock-android","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Flock-android","isActiveUrl":false},{"title":"Configuration Options","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-configuration","isActiveUrl":false},{"title":"Custom Auth Providers","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-custom-authentication-providers","isActiveUrl":false},{"title":"Android Dev Keystores","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fandroid-development-keystores-hashes","isActiveUrl":false},{"title":"Custom Signup Fields","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-custom-fields-at-signup","isActiveUrl":false},{"title":"Custom Theming","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-custom-theming","isActiveUrl":false},{"title":"Internationalization","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-internationalization","isActiveUrl":false},{"title":"Passwordless","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-passwordless","isActiveUrl":false},{"title":"Passwordless with Magic Link","url":"\u002Fdocs\u002Flibraries\u002Flock-android\u002Flock-android-passwordless-with-magic-link","isActiveUrl":false}],"isActiveUrl":false},{"title":"Lock vs. Custom UI","url":"\u002Fdocs\u002Funiversal-login\u002Funiversal-login-page-customization","isActiveUrl":false},{"title":"Auth0 SDK for Web","url":"\u002Fdocs\u002Flibraries\u002Fauth0js-v9-reference","isActiveUrl":false},{"title":"Auth0 SDK for iOS","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift","isActiveUrl":false},{"title":"Database Authentication","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-database-connections","isActiveUrl":false},{"title":"User Management","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-user-management","isActiveUrl":false},{"title":"Refresh Tokens","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-save-and-renew-tokens","isActiveUrl":false},{"title":"Touch ID \u002F Face ID","url":"\u002Fdocs\u002Flibraries\u002Fauth0-swift\u002Fauth0-swift-touchid-faceid","isActiveUrl":false}],"isActiveUrl":false},{"title":"Auth0 SDK for Android","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android","children":[{"title":"Overview","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android","isActiveUrl":false},{"title":"Login, Logout, and User Profiles","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-login-logout-and-user-profiles","isActiveUrl":false},{"title":"Configuration","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-configuration","isActiveUrl":false},{"title":"Database Authentication","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-database-authentication","isActiveUrl":false},{"title":"Passwordless Authentication","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-passwordless","isActiveUrl":false},{"title":"User Management","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-user-management","isActiveUrl":true},{"title":"Refresh Tokens","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-save-and-renew-tokens","isActiveUrl":false},{"title":"Custom Networking Client","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-custom-networking-client","isActiveUrl":false},{"title":"V2 Migration Guide","url":"\u002Fdocs\u002Flibraries\u002Fauth0-android\u002Fauth0-android-v2-migration-guide","isActiveUrl":false}],"isActiveUrl":true}],"videos":[{"title":"Learn Identity","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series","children":[{"title":"Introduction to Identity","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fintroduction-to-identity","isActiveUrl":false},{"title":"OpenID Connect and OAuth2","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fopenid-connect-and-oauth2","isActiveUrl":false},{"title":"Web Sign-In","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fweb-sign-in","isActiveUrl":true},{"title":"Calling an API","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fcalling-an-api","isActiveUrl":false},{"title":"Desktop and Mobile Apps","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fdesktop-and-mobile-apps","isActiveUrl":false},{"title":"Single Page Apps","url":"\u002Fdocs\u002Fvideos\u002Flearn-identity-series\u002Fsingle-page-apps","isActiveUrl":false}],"isActiveUrl":true},{"title":"Get Started","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series","children":[{"title":"Architect: Your Tenant","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Farchitect-your-tenant","isActiveUrl":false},{"title":"Provision: User Stores","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fprovision-user-stores","isActiveUrl":false},{"title":"Provision: Import Users","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fprovision-import-users","isActiveUrl":false},{"title":"Authenticate: How It Works","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthenticate-how-it-works","isActiveUrl":false},{"title":"Authenticate: SPA Example","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthenticate-spa-example","isActiveUrl":false},{"title":"Authorize: ID Tokens and Access Control","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthorize-id-tokens-and-access-control","isActiveUrl":false},{"title":"Authorize: Get and Validate ID Tokens","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fauthorize-get-and-validate-id-tokens","isActiveUrl":false},{"title":"User Profiles","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Flearn-user-profiles","isActiveUrl":false},{"title":"Brand: How It Works","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fbrand-how-it-works","isActiveUrl":false},{"title":"Brand: Sign Up and Login Pages","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fbrand-signup-and-login-pages","isActiveUrl":false},{"title":"Brand: Emails and Error Pages","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Fbrand-emails-and-error-pages","isActiveUrl":false},{"title":"Logout","url":"\u002Fdocs\u002Fvideos\u002Fget-started-series\u002Flearn-logout","isActiveUrl":false}],"isActiveUrl":false}],"identity-labs":[{"title":"Digital Identity Labs","url":"\u002Fdocs\u002Fidentity-labs","children":[{"title":"Lab 1: Web Sign-In","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-1-web-sign-in","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-1-web-sign-in\u002Fidentity-lab-1-exercise-1","isActiveUrl":false},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-1-web-sign-in\u002Fidentity-lab-1-exercise-2","isActiveUrl":false}],"isActiveUrl":false},{"title":"Lab 2: Calling an API","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api\u002Fidentity-lab-2-exercise-1","isActiveUrl":false},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api\u002Fidentity-lab-2-exercise-2","isActiveUrl":false},{"title":"Exercise 3","url":"\u002Fdocs\u002Fidentity-labs\u002Fidentity-lab-2-calling-api\u002Fidentity-lab-2-exercise-3","isActiveUrl":false}],"isActiveUrl":false},{"title":"Lab 3: Mobile Native App","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app\u002Fidentity-lab-3-exercise-1","isActiveUrl":false},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app\u002Fidentity-lab-3-exercise-2","isActiveUrl":false},{"title":"Exercise 3","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-3-mobile-native-app\u002Fidentity-lab-3-exercise-3","isActiveUrl":false}],"isActiveUrl":false},{"title":"Lab 4: Single Page App","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-4-single-page-app","children":[{"title":"Exercise 1","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-4-single-page-app\u002Fidentity-lab-4-exercise-1","isActiveUrl":false},{"title":"Exercise 2","url":"\u002Fdocs\u002Fidentity-labs\u002Flab-4-single-page-app\u002Fidentity-lab-4-exercise-2","isActiveUrl":false}],"isActiveUrl":false}],"isActiveUrl":false}]}},"cards":null,"glossary":{"terms":[{"id":"access-token","title":"Access Token","definition":"A credential that can be used by an application to access an API. It informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that has been granted. An Access Token can be in any format, but two popular options include opaque strings and JSON Web Tokens (JWT). They should be transmitted to the API as a Bearer credential in an HTTP Authorization header.","short":"An authorization credential, in the form of an opaque string or JWT, used to access an API."},{"id":"actions","title":"Actions","definition":"Secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. Actions are used to customize and extend Auth0's capabilities with custom logic.","short":"Secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime."},{"id":"adaptive-multifactor-authentication","title":"Adaptive Multi-factor Authentication","definition":"Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors.","short":"Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors."},{"id":"application","title":"Application","definition":"Your software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications.","short":"A unique identifier, \u003Cb\u003Eaud\u003C\u002Fb\u003E in a token, for an application (ID Token) or an API (Access Token)."},{"id":"attack-protection","title":"Attack Protection","definition":"Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.","short":"Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication."},{"id":"audience","title":"Audience","definition":"The unique identifier of the audience for an issued token, identified within a JSON Web Token as the `aud` claim. The audience value is either the application (`Client ID`) for an ID Token or the API that is being called (`API Identifier`) for an Access Token. At Auth0, the Audience value sent in a request for an Access Token dictates whether that token is returned in an opaque or JWT format.","short":"A unique identifier, \u003Cb\u003Eaud\u003C\u002Fb\u003E in a token, for an application (ID Token) or an API (Access Token)."},{"id":"authentication-server","title":"Authentication Server","definition":"A server that confirms or denies a user’s identity. An authentication server does not limit the actions or resources available to the user (although it can provide context for this purpose).","short":"A server that confirms or denies a user’s identity."},{"id":"authorization-server","title":"Authorization Server","definition":"A centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user. An authorization server does not authenticate users. It’s the role of the authentication server to verify a user’s identity.","short":"A centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user."},{"id":"authorization-code","title":"Authorization Code","definition":"A random string generated by the authorization server and returned to the application as part of the authorization response. The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow.","short":"A random string generated by the authorization server and returned to the application as part of the authorization response. The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow."},{"id":"beta","title":"Beta","definition":"Product release stage during which the referenced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be restricted to a select number of subscribers (private) or open to all subscribers (public).","short":"Product release stage during which the referemced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be restricted to a select number of subscribers (private) or open to all subscribers (public)."},{"id":"bot-detection","title":"Bot Detection","definition":"A form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.","short":"A form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process."},{"id":"breached-password-protection","title":"Breached Password Protection","definition":"A form of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or app.","short":"A form of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or app."},{"id":"breaking-change","title":"Breaking Change","definition":"Change to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.","short":"Change to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications."},{"id":"brute-force-protection","title":"Brute-force Protection","definition":"A form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.","short":"A form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account."},{"id":"callback","title":"Callback","definition":"The URL to which Auth0 sends its response after authentication. It is often the same URL to which a user is redirected after authentication.","short":"The URL to which Auth0 sends its response after an API call and sometimes where a user is redirected after authentication."},{"id":"claim","title":"Claim","definition":"An attribute packaged in a security token which represents a claim that the provider of the token is making about an entity.","short":"An attribute packaged in a security token which represents a claim that the provider of the token is making about an entity."},{"id":"client-secret","title":"Client Secret","definition":"A secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.","short":"A secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to be not guessable."},{"id":"confidential-client","title":"Confidential Client","definition":"According to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Confidential clients can hold credentials in a secure way without exposing them to unauthorized parties and require a trusted backend server to do so. They can use grant types that require them to authenticate by specifying their client ID and secret when calling the token endpoint and can have tokens issued to them that have been signed either symmetrically or asymmetrically.","short":"A client (application) that can hold credentials securely by using a trusted backend server. Examples include a web application with a secure backend and a machine-to-machine (M2M) application."},{"id":"confused-deputy","title":"Confused Deputy","definition":"The term confused deputy refers to a situation in which an attacker tricks a client or service into performing an action on their behalf.","short":"The term confused deputy refers to a situation in which an attacker tricks a client or service into performing an action on their behalf."},{"id":"connection","title":"Connection","definition":"The relationship between Auth0 and the sources of users for your applications. Examples include identity providers (such as Google or Active Directory), passwordless authentication methods, or user databases.","short":"The relationship between Auth0 and the sources of users for your applications."},{"id":"deprecation","title":"Deprecation","definition":"Product release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained. Tenants using the feature or behavior at the time of deprecation will continue to have access.","short":"Product release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained. Tenants using the feature or behavior at the time of deprecation will continue to have access."},{"id":"digital-identity","title":"Digital Identity","definition":"The set of attributes that define a particular user in the context of a function which is delivered by a particular application.","short":"The set of attributes that define a particular user in the context of a function which is delivered by a particular application."},{"id":"digital-signature","title":"Digital Signature","definition":"A digital signature protects bits in a token from tampering. If the bits are changed or tampered with, the signature will no longer be able to be verified and it will be rejected.","short":"A digital signature protects bits in a token from tampering."},{"id":"directory","title":"Directory","definition":"A centralized repository of users (the most well-known of which is Active Directory) which centralizes credentials and attributes and makes it unnecessary for each application to have their own local identity setup and pool of users. Allows single sign on to all applications that use the same directory of users.","short":"A centralized repository of users that allows single sign on to all applications that use the same directory."},{"id":"early-access","title":"Early Access","definition":"A product release stage during which the referemced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality. At this stage, functionality may not be complete, but is ready for validation.","short":"A product release stage during which the referemced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality. At this stage, functionality may not be complete, but is ready for validation."},{"id":"end-of-life","title":"End of Life","definition":"A product release stage indicating the referemced feature or behavior is removed from the platform. Continued use of the feature or behavior will likely result in errors. The new behavior will automatically be enabled for Tenants that did not opt in during the migration window.","short":"A product release stage indicating the referemced feature or behavior is removed from the platform. Continued use of the feature or behavior will likely result in errors. The new behavior will automatically be enabled for Tenants that did not opt in during the migration window."},{"id":"end-of-life-date","title":"End of Life Date","definition":"The date that access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.","short":"The date that access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types."},{"id":"flow","title":"Flow","definition":"Processes that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.","short":"Processes that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey."},{"id":"general-availability","title":"General Availability","definition":"A product release stage during which the referenced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use. If a new release replaces an existing feature, Auth0 provides a period of backward compatibility in accordance with our deprecation policy and informs customers so they have time to adopt the new release.","short":"A product release stage during which the referemced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use. If a new release replaces an existing feature, Auth0 provides a period of backward compatibility in accordance with our deprecation policy and informs customers so they have time to adopt the new release."},{"id":"group","title":"Group","definition":"A set of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.","short":"A set of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time."},{"id":"id-token","title":"ID Token","definition":"A credential meant for the client itself, rather than for accessing a resource. It has a fixed format that clients can parse and validate.","short":"A credential meant for the client itself, rather than for accessing a resource."},{"id":"idp","title":"Identity Provider (IdP)","definition":"A service that stores and manages digital identities. Auth0 supports trusted social, enterprise, and legal identity providers. Auth0 also can function as an identity provider for your applications.","short":"A service that stores and manages digital identities."},{"id":"json-web-token","title":"JSON Web Token (JWT)","definition":"An open, industry standard \u003Ca href='https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519'\u003ERFC 7519\u003C\u002Fa\u003E method for representing claims securely between two parties. At Auth0, ID Tokens are always returned in JWT format, and Access Tokens are often in JWT format. You may decode well-formed JWTs at \u003Ca href='https:\u002F\u002Fjwt.io'\u003EJWT.io\u003C\u002Fa\u003E to view their claims. See \u003Ca href='\u002Fdocs\u002Fjwt'\u003EJSON Web Tokens\u003C\u002Fa\u003E.","short":"The standard ID Token format and often Access Token format used to represent claims securely between two parties."},{"id":"lock","title":"Lock","definition":"Auth0's UI widget for authenticating users. It is ready to go as-is and is the default face of the Classic Universal Login experience. Lock allows you to customize minor behavioral and appearance options, but its primary goal is ease of use. See \u003Ca href='\u002Fdocs\u002Flock'\u003ELock\u003C\u002Fa\u003E.","short":"Auth0's UI widget for authenticating users."},{"id":"migration","title":"Migration","definition":"A process by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage.","short":"A process by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage."},{"id":"multifactor-authentication","title":"Multi-factor authentication (MFA)","definition":"An authentication process that considers multiple factors. Typically at Auth0, the first factor is the standard username\u002Fpassword exchange, and the second is a code or link via email or SMS, a one-time-password via an app such as Authy or Google Authenticator, or a push notification via a phone app such as Guardian or Duo. Using multiple factors allows your account to remain secure if someone captures one or the other factor--acquires your password or steals your phone, for example. See \u003Ca href='\u002Fdocs\u002Fmultifactor-authentication'\u003EMulti-factor Authentication\u003C\u002Fa\u003E.","short":"A user authentication process that uses a factor in addition to username and password such as a code via SMS."},{"id":"nonce","title":"Nonce","definition":"An arbitrary (often random or pseudo-random) number issued in an authentication protocol that can be used to help detect and mitigate replay attacks using old communications. In other words, the nonce is only issued once, so if an attacker attempts to replay a transaction with a different nonce, its false transaction can be detected more easily. See \u003Ca href='\u002Fdocs\u002Fapi-auth\u002Ftutorials\u002Fnonce'\u003ENonce\u003C\u002Fa\u003E.","short":"An arbitrary number issued once in an authentication protocol to detect and prevent replay attacks."},{"id":"openid","title":"OpenID","definition":"An open standard for authentication that allows applications to verify users are who they say they are without needing to collect, store, and therefore become liable for a user’s login information. See \u003Ca href='\u002Fdocs\u002Fprotocols\u002Foidc'\u003EOpenID Connect (OIDC)\u003C\u002Fa\u003E.","short":"An open standard for authentication that allows applications to verify users' identities without collecting and storing login information."},{"id":"passwordless","title":"Passwordless","definition":"A form of authentication where the first factor is not a password. Instead, it could be a one-time password received by email or SMS, a push notification, or a biometric sensor. Passwordless uses one-time passwords, so users are less susceptible to the typical password-based attacks (e.g., dictionary or credential stuffing) than with traditional username\u002Fpassword logins. See \u003Ca href='\u002Fdocs\u002Fconnections\u002Fpasswordless'\u003EPasswordless\u003C\u002Fa\u003E.","short":"A form of authentication that does not rely on a password as the first factor."},{"id":"perimeter","title":"Perimeter","definition":"A set of boundaries that encompass a directory, all of its users, and all of the applications which use the directory. In some implementations, this perimeter is a physical location; in others, it is a set of networks or devices connected via VPN.","short":"A set of boundaries that encompass a directory, all of its users, and all of the applications which use the directory."},{"id":"product-release-stages","title":"Product Release Stages","definition":"Phases that describe how Auth0 stages, releases, and retires product functionality. Product features may not progress through all release stages, and the time in each stage will vary depending on the scope and impact of the feature.","short":"Phases that describe how Auth0 stages, releases, and retires product functionality."},{"id":"public-client","title":"Public Client","definition":"According to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Public clients cannot hold credentials securely, so should only use grant types that do not require the use of their client secret. ID Tokens issued to them must be signed asymmetrically using a private key (RS256) and verified using the public key corresponding to the private key used to sign the token. See \u003Ca href=‘\u002Fapplications\u002Fconcepts\u002Fapp-types-confidential-public'\u003EApplication Types - Confidential vs. Public\u003C\u002Fa\u003E.","short":"A client (application) that cannot hold credentials securely. Examples include a native desktop or mobile application and a JavaScript-based client-side web application (such as a single-page app (SPA))."},{"id":"raw-credentials","title":"Raw Credentials","definition":"A shared secret or set of information that are agreed upon between the user and the resource that allow the resource to verify the identity of a user.","short":"A shared secret or set of information that are agreed upon between the user and the resource that allow the resource to verify the identity of a user."},{"id":"refresh-token","title":"Refresh Token","definition":"A special kind of token that can be used to obtain a renewed Access Token. It is useful for renewing expiring Access Tokens without forcing the user to log in again. Using the Refresh Token, you can request a new Access Token at any time until the Refresh Token is blacklisted. See \u003Ca href='\u002Ftokens\u002Fconcepts\u002Frefresh-tokens'\u003ERefresh Tokens\u003C\u002Fa\u003E.","short":"A token used to obtain a renewed Access Token without forcing users to log in again."},{"id":"refresh-token-rotation","title":"Refresh Token Rotation","definition":"A strategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token.","short":"A strategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token."},{"id":"relying-party","title":"Relying Party","definition":"An entity (such as a service or application) that depends on a third-party identity provider to authenticate a user.","short":"An entity (such as a service or application) that depends on a third-party identity provider to authenticate a user."},{"id":"resource-owner","title":"Resource Owner","definition":"An entity (such as a user or application) capable of granting access to a protected resource.","short":"An entity (such as a user or application) capable of granting access to a protected resource."},{"id":"resource-server","title":"Resource Server","definition":"A server hosting protected resources. Resource servers accept and respond to protected resource requests.","short":"A server hosting protected resources. Resource servers accept and respond to protected resource requests."},{"id":"role","title":"Role","definition":"An aspect of a user’s identity assigned to the user to indicate the level of access they should have to the system. Roles are essentially collections of permissions. See \u003Ca href='\u002Fdocs\u002Fauthorization\u002Fconcepts\u002Frbac'\u003ERole-based Access Control (RBAC)\u003C\u002Fa\u003E.","short":"An aspect of a user’s identity assigned to the user to give them a certain set of permissions."},{"id":"scope","title":"Scope","definition":"A mechanism that defines the specific actions applications can be allowed to do or information that they can request on a user’s behalf. Often, applications will want to make use of the information that has already been created in an online resource. To do so, the application must ask for authorization to access this information on a user’s behalf. When an app requests permission to access a resource through an authorization server, it uses the Scope parameter to specify what access it needs, and the authorization server uses the Scope parameter to respond with the access that was actually granted. See \u003Ca href='\u002Fdocs\u002Fscopes'\u003EScopes\u003C\u002Fa\u003E.","short":"A mechanism that determines actions applications can perform on a user's behalf with information previously created in an online resource."},{"id":"security-assertion-markup-language","title":"Security Assertion Markup Language (SAML)","definition":"An XML-based standardized protocol by which two parties can exchange authentication information without the use of a password. See \u003Ca href='\u002Fdocs\u002Fprotocols\u002Fsaml'\u003ESAML\u003C\u002Fa\u003E.","short":"A standardized protocol allowing two parties to exchange authentication information without a password."},{"id":"security-token","title":"Security Token","definition":"A digitally-signed artifact used to prove that the user was successfully authenticated.","short":"A digitally-signed artifact used to prove that the user was successfully authenticated."},{"id":"session-cookie","title":"Session Cookie","definition":"An entity emitted by middleware after it establishes that the token it is receiving is signed, valid, and comes from a trusted source (the identity provider). This entity represents the fact that successful authentication occurred with the identity provider. This cookie prevents this process with tokens from needing to be continually repeated, by allowing the user to be considered authenticated as long as the cookie is present.","short":"An entity that, when present, allows the user to be considered authenticated."},{"id":"shadow-accounts","title":"Shadow Accounts","definition":"A difficult to sustain practice of manually provisioning a user from a local directory separately in a remote directory (essentially creating a copy, or shadow, of the original account) when they need access to remote applications.","short":"A difficult to sustain practice of manually provisioning a user from a local directory separately in a remote directory."},{"id":"single-sign-on","title":"Single Sign-On (SSO)","definition":"A service that, after a user logs into one application, automatically logs that user in to other applications, regardless of the platform, technology, or domain the user is using. The user signs in only one time (hence the name of the feature). Similarly, Single Logout (SLO) occurs when, after a user logs out from one application, they are logged out of each application or service where they were logged in. SSO and SLO are possible through the use of sessions. See \u003Ca href='\u002Fdocs\u002Fsso'\u003ESingle Sign-On and Single Logout\u003C\u002Fa\u003E.","short":"A service that, after a user logs into one applicaton, automatically logs that user in to other applications."},{"id":"subscription","title":"Subscription","definition":"An agreement that defines the features and quotas available for each of your tenants. Auth0 has multiple subscription levels to meet the needs of different developers and organizations.","short":"An agreement that defines the features and quotas available for each of your tenants. Auth0 has multiple subscription levels to meet the needs of different developers and organizations."},{"id":"suspicious-ip-throttling","title":"Suspicious IP Throttling","definition":"A form of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.","short":"A form of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address."},{"id":"tenant","title":"Tenant","definition":"At Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine. Tenant, in general, is a term borrowed from software multitenant architecture.","short":"At Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine. Tenant, in general, is a term borrowed from software multitenant architecture."},{"id":"token-endpoint","title":"Token Endpoint","definition":"The endpoint on the Authorization Server that is used to programmatically request tokens.","short":"The endpoint on the Authorization Server that is used to programmatically request tokens."},{"id":"trigger","title":"Trigger","definition":"An event that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime. Some Triggers are executed synchronously, blocking the Flow in which they are involved, and some are executed asynchronously.","short":"An event that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime."},{"id":"trust","title":"Trust","definition":"A resource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.","short":"A resource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users."},{"id":"universal-login","title":"Universal Login","definition":"Auth0’s implementation of the authentication flow, which is the key feature of an Authorization Server. Each time a user needs to prove their identity, your applications redirect to Universal Login, and Auth0 will do what’s needed to guarantee the user’s identity. See \u003Ca href='\u002Fdocs\u002Funiversal-login'\u003EAuth0 Universal Login\u003C\u002Fa\u003E.","short":"Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity."}],"termsByLetter":{"A":[{"id":"access-token","title":"Access Token","definition":"A credential that can be used by an application to access an API. It informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that has been granted. An Access Token can be in any format, but two popular options include opaque strings and JSON Web Tokens (JWT). They should be transmitted to the API as a Bearer credential in an HTTP Authorization header.","short":"An authorization credential, in the form of an opaque string or JWT, used to access an API."},{"id":"actions","title":"Actions","definition":"Secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. Actions are used to customize and extend Auth0's capabilities with custom logic.","short":"Secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime."},{"id":"adaptive-multifactor-authentication","title":"Adaptive Multi-factor Authentication","definition":"Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors.","short":"Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors."},{"id":"application","title":"Application","definition":"Your software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications.","short":"A unique identifier, \u003Cb\u003Eaud\u003C\u002Fb\u003E in a token, for an application (ID Token) or an API (Access Token)."},{"id":"attack-protection","title":"Attack Protection","definition":"Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.","short":"Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication."},{"id":"audience","title":"Audience","definition":"The unique identifier of the audience for an issued token, identified within a JSON Web Token as the `aud` claim. The audience value is either the application (`Client ID`) for an ID Token or the API that is being called (`API Identifier`) for an Access Token. At Auth0, the Audience value sent in a request for an Access Token dictates whether that token is returned in an opaque or JWT format.","short":"A unique identifier, \u003Cb\u003Eaud\u003C\u002Fb\u003E in a token, for an application (ID Token) or an API (Access Token)."},{"id":"authentication-server","title":"Authentication Server","definition":"A server that confirms or denies a user’s identity. An authentication server does not limit the actions or resources available to the user (although it can provide context for this purpose).","short":"A server that confirms or denies a user’s identity."},{"id":"authorization-server","title":"Authorization Server","definition":"A centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user. An authorization server does not authenticate users. It’s the role of the authentication server to verify a user’s identity.","short":"A centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user."},{"id":"authorization-code","title":"Authorization Code","definition":"A random string generated by the authorization server and returned to the application as part of the authorization response. The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow.","short":"A random string generated by the authorization server and returned to the application as part of the authorization response. The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow."}],"B":[{"id":"beta","title":"Beta","definition":"Product release stage during which the referenced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be restricted to a select number of subscribers (private) or open to all subscribers (public).","short":"Product release stage during which the referemced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be restricted to a select number of subscribers (private) or open to all subscribers (public)."},{"id":"bot-detection","title":"Bot Detection","definition":"A form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.","short":"A form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process."},{"id":"breached-password-protection","title":"Breached Password Protection","definition":"A form of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or app.","short":"A form of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or app."},{"id":"breaking-change","title":"Breaking Change","definition":"Change to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.","short":"Change to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications."},{"id":"brute-force-protection","title":"Brute-force Protection","definition":"A form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.","short":"A form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account."}],"C":[{"id":"callback","title":"Callback","definition":"The URL to which Auth0 sends its response after authentication. It is often the same URL to which a user is redirected after authentication.","short":"The URL to which Auth0 sends its response after an API call and sometimes where a user is redirected after authentication."},{"id":"claim","title":"Claim","definition":"An attribute packaged in a security token which represents a claim that the provider of the token is making about an entity.","short":"An attribute packaged in a security token which represents a claim that the provider of the token is making about an entity."},{"id":"client-secret","title":"Client Secret","definition":"A secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.","short":"A secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to be not guessable."},{"id":"confidential-client","title":"Confidential Client","definition":"According to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Confidential clients can hold credentials in a secure way without exposing them to unauthorized parties and require a trusted backend server to do so. They can use grant types that require them to authenticate by specifying their client ID and secret when calling the token endpoint and can have tokens issued to them that have been signed either symmetrically or asymmetrically.","short":"A client (application) that can hold credentials securely by using a trusted backend server. Examples include a web application with a secure backend and a machine-to-machine (M2M) application."},{"id":"confused-deputy","title":"Confused Deputy","definition":"The term confused deputy refers to a situation in which an attacker tricks a client or service into performing an action on their behalf.","short":"The term confused deputy refers to a situation in which an attacker tricks a client or service into performing an action on their behalf."},{"id":"connection","title":"Connection","definition":"The relationship between Auth0 and the sources of users for your applications. Examples include identity providers (such as Google or Active Directory), passwordless authentication methods, or user databases.","short":"The relationship between Auth0 and the sources of users for your applications."}],"D":[{"id":"deprecation","title":"Deprecation","definition":"Product release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained. Tenants using the feature or behavior at the time of deprecation will continue to have access.","short":"Product release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained. Tenants using the feature or behavior at the time of deprecation will continue to have access."},{"id":"digital-identity","title":"Digital Identity","definition":"The set of attributes that define a particular user in the context of a function which is delivered by a particular application.","short":"The set of attributes that define a particular user in the context of a function which is delivered by a particular application."},{"id":"digital-signature","title":"Digital Signature","definition":"A digital signature protects bits in a token from tampering. If the bits are changed or tampered with, the signature will no longer be able to be verified and it will be rejected.","short":"A digital signature protects bits in a token from tampering."},{"id":"directory","title":"Directory","definition":"A centralized repository of users (the most well-known of which is Active Directory) which centralizes credentials and attributes and makes it unnecessary for each application to have their own local identity setup and pool of users. Allows single sign on to all applications that use the same directory of users.","short":"A centralized repository of users that allows single sign on to all applications that use the same directory."}],"E":[{"id":"early-access","title":"Early Access","definition":"A product release stage during which the referemced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality. At this stage, functionality may not be complete, but is ready for validation.","short":"A product release stage during which the referemced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality. At this stage, functionality may not be complete, but is ready for validation."},{"id":"end-of-life","title":"End of Life","definition":"A product release stage indicating the referemced feature or behavior is removed from the platform. Continued use of the feature or behavior will likely result in errors. The new behavior will automatically be enabled for Tenants that did not opt in during the migration window.","short":"A product release stage indicating the referemced feature or behavior is removed from the platform. Continued use of the feature or behavior will likely result in errors. The new behavior will automatically be enabled for Tenants that did not opt in during the migration window."},{"id":"end-of-life-date","title":"End of Life Date","definition":"The date that access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.","short":"The date that access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types."}],"F":[{"id":"flow","title":"Flow","definition":"Processes that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.","short":"Processes that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey."}],"G":[{"id":"general-availability","title":"General Availability","definition":"A product release stage during which the referenced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use. If a new release replaces an existing feature, Auth0 provides a period of backward compatibility in accordance with our deprecation policy and informs customers so they have time to adopt the new release.","short":"A product release stage during which the referemced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use. If a new release replaces an existing feature, Auth0 provides a period of backward compatibility in accordance with our deprecation policy and informs customers so they have time to adopt the new release."},{"id":"group","title":"Group","definition":"A set of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.","short":"A set of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time."}],"I":[{"id":"id-token","title":"ID Token","definition":"A credential meant for the client itself, rather than for accessing a resource. It has a fixed format that clients can parse and validate.","short":"A credential meant for the client itself, rather than for accessing a resource."},{"id":"idp","title":"Identity Provider (IdP)","definition":"A service that stores and manages digital identities. Auth0 supports trusted social, enterprise, and legal identity providers. Auth0 also can function as an identity provider for your applications.","short":"A service that stores and manages digital identities."}],"J":[{"id":"json-web-token","title":"JSON Web Token (JWT)","definition":"An open, industry standard \u003Ca href='https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519'\u003ERFC 7519\u003C\u002Fa\u003E method for representing claims securely between two parties. At Auth0, ID Tokens are always returned in JWT format, and Access Tokens are often in JWT format. You may decode well-formed JWTs at \u003Ca href='https:\u002F\u002Fjwt.io'\u003EJWT.io\u003C\u002Fa\u003E to view their claims. See \u003Ca href='\u002Fdocs\u002Fjwt'\u003EJSON Web Tokens\u003C\u002Fa\u003E.","short":"The standard ID Token format and often Access Token format used to represent claims securely between two parties."}],"L":[{"id":"lock","title":"Lock","definition":"Auth0's UI widget for authenticating users. It is ready to go as-is and is the default face of the Classic Universal Login experience. Lock allows you to customize minor behavioral and appearance options, but its primary goal is ease of use. See \u003Ca href='\u002Fdocs\u002Flock'\u003ELock\u003C\u002Fa\u003E.","short":"Auth0's UI widget for authenticating users."}],"M":[{"id":"migration","title":"Migration","definition":"A process by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage.","short":"A process by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage."},{"id":"multifactor-authentication","title":"Multi-factor authentication (MFA)","definition":"An authentication process that considers multiple factors. Typically at Auth0, the first factor is the standard username\u002Fpassword exchange, and the second is a code or link via email or SMS, a one-time-password via an app such as Authy or Google Authenticator, or a push notification via a phone app such as Guardian or Duo. Using multiple factors allows your account to remain secure if someone captures one or the other factor--acquires your password or steals your phone, for example. See \u003Ca href='\u002Fdocs\u002Fmultifactor-authentication'\u003EMulti-factor Authentication\u003C\u002Fa\u003E.","short":"A user authentication process that uses a factor in addition to username and password such as a code via SMS."}],"N":[{"id":"nonce","title":"Nonce","definition":"An arbitrary (often random or pseudo-random) number issued in an authentication protocol that can be used to help detect and mitigate replay attacks using old communications. In other words, the nonce is only issued once, so if an attacker attempts to replay a transaction with a different nonce, its false transaction can be detected more easily. See \u003Ca href='\u002Fdocs\u002Fapi-auth\u002Ftutorials\u002Fnonce'\u003ENonce\u003C\u002Fa\u003E.","short":"An arbitrary number issued once in an authentication protocol to detect and prevent replay attacks."}],"O":[{"id":"openid","title":"OpenID","definition":"An open standard for authentication that allows applications to verify users are who they say they are without needing to collect, store, and therefore become liable for a user’s login information. See \u003Ca href='\u002Fdocs\u002Fprotocols\u002Foidc'\u003EOpenID Connect (OIDC)\u003C\u002Fa\u003E.","short":"An open standard for authentication that allows applications to verify users' identities without collecting and storing login information."}],"P":[{"id":"passwordless","title":"Passwordless","definition":"A form of authentication where the first factor is not a password. Instead, it could be a one-time password received by email or SMS, a push notification, or a biometric sensor. Passwordless uses one-time passwords, so users are less susceptible to the typical password-based attacks (e.g., dictionary or credential stuffing) than with traditional username\u002Fpassword logins. See \u003Ca href='\u002Fdocs\u002Fconnections\u002Fpasswordless'\u003EPasswordless\u003C\u002Fa\u003E.","short":"A form of authentication that does not rely on a password as the first factor."},{"id":"perimeter","title":"Perimeter","definition":"A set of boundaries that encompass a directory, all of its users, and all of the applications which use the directory. In some implementations, this perimeter is a physical location; in others, it is a set of networks or devices connected via VPN.","short":"A set of boundaries that encompass a directory, all of its users, and all of the applications which use the directory."},{"id":"product-release-stages","title":"Product Release Stages","definition":"Phases that describe how Auth0 stages, releases, and retires product functionality. Product features may not progress through all release stages, and the time in each stage will vary depending on the scope and impact of the feature.","short":"Phases that describe how Auth0 stages, releases, and retires product functionality."},{"id":"public-client","title":"Public Client","definition":"According to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Public clients cannot hold credentials securely, so should only use grant types that do not require the use of their client secret. ID Tokens issued to them must be signed asymmetrically using a private key (RS256) and verified using the public key corresponding to the private key used to sign the token. See \u003Ca href=‘\u002Fapplications\u002Fconcepts\u002Fapp-types-confidential-public'\u003EApplication Types - Confidential vs. Public\u003C\u002Fa\u003E.","short":"A client (application) that cannot hold credentials securely. Examples include a native desktop or mobile application and a JavaScript-based client-side web application (such as a single-page app (SPA))."}],"R":[{"id":"raw-credentials","title":"Raw Credentials","definition":"A shared secret or set of information that are agreed upon between the user and the resource that allow the resource to verify the identity of a user.","short":"A shared secret or set of information that are agreed upon between the user and the resource that allow the resource to verify the identity of a user."},{"id":"refresh-token","title":"Refresh Token","definition":"A special kind of token that can be used to obtain a renewed Access Token. It is useful for renewing expiring Access Tokens without forcing the user to log in again. Using the Refresh Token, you can request a new Access Token at any time until the Refresh Token is blacklisted. See \u003Ca href='\u002Ftokens\u002Fconcepts\u002Frefresh-tokens'\u003ERefresh Tokens\u003C\u002Fa\u003E.","short":"A token used to obtain a renewed Access Token without forcing users to log in again."},{"id":"refresh-token-rotation","title":"Refresh Token Rotation","definition":"A strategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token.","short":"A strategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token."},{"id":"relying-party","title":"Relying Party","definition":"An entity (such as a service or application) that depends on a third-party identity provider to authenticate a user.","short":"An entity (such as a service or application) that depends on a third-party identity provider to authenticate a user."},{"id":"resource-owner","title":"Resource Owner","definition":"An entity (such as a user or application) capable of granting access to a protected resource.","short":"An entity (such as a user or application) capable of granting access to a protected resource."},{"id":"resource-server","title":"Resource Server","definition":"A server hosting protected resources. Resource servers accept and respond to protected resource requests.","short":"A server hosting protected resources. Resource servers accept and respond to protected resource requests."},{"id":"role","title":"Role","definition":"An aspect of a user’s identity assigned to the user to indicate the level of access they should have to the system. Roles are essentially collections of permissions. See \u003Ca href='\u002Fdocs\u002Fauthorization\u002Fconcepts\u002Frbac'\u003ERole-based Access Control (RBAC)\u003C\u002Fa\u003E.","short":"An aspect of a user’s identity assigned to the user to give them a certain set of permissions."}],"S":[{"id":"scope","title":"Scope","definition":"A mechanism that defines the specific actions applications can be allowed to do or information that they can request on a user’s behalf. Often, applications will want to make use of the information that has already been created in an online resource. To do so, the application must ask for authorization to access this information on a user’s behalf. When an app requests permission to access a resource through an authorization server, it uses the Scope parameter to specify what access it needs, and the authorization server uses the Scope parameter to respond with the access that was actually granted. See \u003Ca href='\u002Fdocs\u002Fscopes'\u003EScopes\u003C\u002Fa\u003E.","short":"A mechanism that determines actions applications can perform on a user's behalf with information previously created in an online resource."},{"id":"security-assertion-markup-language","title":"Security Assertion Markup Language (SAML)","definition":"An XML-based standardized protocol by which two parties can exchange authentication information without the use of a password. See \u003Ca href='\u002Fdocs\u002Fprotocols\u002Fsaml'\u003ESAML\u003C\u002Fa\u003E.","short":"A standardized protocol allowing two parties to exchange authentication information without a password."},{"id":"security-token","title":"Security Token","definition":"A digitally-signed artifact used to prove that the user was successfully authenticated.","short":"A digitally-signed artifact used to prove that the user was successfully authenticated."},{"id":"session-cookie","title":"Session Cookie","definition":"An entity emitted by middleware after it establishes that the token it is receiving is signed, valid, and comes from a trusted source (the identity provider). This entity represents the fact that successful authentication occurred with the identity provider. This cookie prevents this process with tokens from needing to be continually repeated, by allowing the user to be considered authenticated as long as the cookie is present.","short":"An entity that, when present, allows the user to be considered authenticated."},{"id":"shadow-accounts","title":"Shadow Accounts","definition":"A difficult to sustain practice of manually provisioning a user from a local directory separately in a remote directory (essentially creating a copy, or shadow, of the original account) when they need access to remote applications.","short":"A difficult to sustain practice of manually provisioning a user from a local directory separately in a remote directory."},{"id":"single-sign-on","title":"Single Sign-On (SSO)","definition":"A service that, after a user logs into one application, automatically logs that user in to other applications, regardless of the platform, technology, or domain the user is using. The user signs in only one time (hence the name of the feature). Similarly, Single Logout (SLO) occurs when, after a user logs out from one application, they are logged out of each application or service where they were logged in. SSO and SLO are possible through the use of sessions. See \u003Ca href='\u002Fdocs\u002Fsso'\u003ESingle Sign-On and Single Logout\u003C\u002Fa\u003E.","short":"A service that, after a user logs into one applicaton, automatically logs that user in to other applications."},{"id":"subscription","title":"Subscription","definition":"An agreement that defines the features and quotas available for each of your tenants. Auth0 has multiple subscription levels to meet the needs of different developers and organizations.","short":"An agreement that defines the features and quotas available for each of your tenants. Auth0 has multiple subscription levels to meet the needs of different developers and organizations."},{"id":"suspicious-ip-throttling","title":"Suspicious IP Throttling","definition":"A form of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.","short":"A form of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address."}],"T":[{"id":"tenant","title":"Tenant","definition":"At Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine. Tenant, in general, is a term borrowed from software multitenant architecture.","short":"At Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine. Tenant, in general, is a term borrowed from software multitenant architecture."},{"id":"token-endpoint","title":"Token Endpoint","definition":"The endpoint on the Authorization Server that is used to programmatically request tokens.","short":"The endpoint on the Authorization Server that is used to programmatically request tokens."},{"id":"trigger","title":"Trigger","definition":"An event that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime. Some Triggers are executed synchronously, blocking the Flow in which they are involved, and some are executed asynchronously.","short":"An event that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime."},{"id":"trust","title":"Trust","definition":"A resource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.","short":"A resource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users."}],"U":[{"id":"universal-login","title":"Universal Login","definition":"Auth0’s implementation of the authentication flow, which is the key feature of an Authorization Server. Each time a user needs to prove their identity, your applications redirect to Universal Login, and Auth0 will do what’s needed to guarantee the user’s identity. See \u003Ca href='\u002Fdocs\u002Funiversal-login'\u003EAuth0 Universal Login\u003C\u002Fa\u003E.","short":"Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity."}]},"termsById":{"access-token":{"title":"Access Token","definition":"A credential that can be used by an application to access an API. It informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that has been granted. An Access Token can be in any format, but two popular options include opaque strings and JSON Web Tokens (JWT). They should be transmitted to the API as a Bearer credential in an HTTP Authorization header.","short":"An authorization credential, in the form of an opaque string or JWT, used to access an API."},"actions":{"title":"Actions","definition":"Secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. Actions are used to customize and extend Auth0's capabilities with custom logic.","short":"Secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime."},"adaptive-multifactor-authentication":{"title":"Adaptive Multi-factor Authentication","definition":"Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors.","short":"Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors."},"application":{"title":"Application","definition":"Your software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications.","short":"A unique identifier, \u003Cb\u003Eaud\u003C\u002Fb\u003E in a token, for an application (ID Token) or an API (Access Token)."},"attack-protection":{"title":"Attack Protection","definition":"Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.","short":"Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication."},"audience":{"title":"Audience","definition":"The unique identifier of the audience for an issued token, identified within a JSON Web Token as the `aud` claim. The audience value is either the application (`Client ID`) for an ID Token or the API that is being called (`API Identifier`) for an Access Token. At Auth0, the Audience value sent in a request for an Access Token dictates whether that token is returned in an opaque or JWT format.","short":"A unique identifier, \u003Cb\u003Eaud\u003C\u002Fb\u003E in a token, for an application (ID Token) or an API (Access Token)."},"authentication-server":{"title":"Authentication Server","definition":"A server that confirms or denies a user’s identity. An authentication server does not limit the actions or resources available to the user (although it can provide context for this purpose).","short":"A server that confirms or denies a user’s identity."},"authorization-server":{"title":"Authorization Server","definition":"A centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user. An authorization server does not authenticate users. It’s the role of the authentication server to verify a user’s identity.","short":"A centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user."},"authorization-code":{"title":"Authorization Code","definition":"A random string generated by the authorization server and returned to the application as part of the authorization response. The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow.","short":"A random string generated by the authorization server and returned to the application as part of the authorization response. The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow."},"beta":{"title":"Beta","definition":"Product release stage during which the referenced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be restricted to a select number of subscribers (private) or open to all subscribers (public).","short":"Product release stage during which the referemced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a General Availability (GA) release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be restricted to a select number of subscribers (private) or open to all subscribers (public)."},"bot-detection":{"title":"Bot Detection","definition":"A form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.","short":"A form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process."},"breached-password-protection":{"title":"Breached Password Protection","definition":"A form of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or app.","short":"A form of attack protection in which Auth0 notifies your users if they use a username\u002Fpassword combination that has been compromised in a data leak on a third-party website or app."},"breaking-change":{"title":"Breaking Change","definition":"Change to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.","short":"Change to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications."},"brute-force-protection":{"title":"Brute-force Protection","definition":"A form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.","short":"A form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account."},"callback":{"title":"Callback","definition":"The URL to which Auth0 sends its response after authentication. It is often the same URL to which a user is redirected after authentication.","short":"The URL to which Auth0 sends its response after an API call and sometimes where a user is redirected after authentication."},"claim":{"title":"Claim","definition":"An attribute packaged in a security token which represents a claim that the provider of the token is making about an entity.","short":"An attribute packaged in a security token which represents a claim that the provider of the token is making about an entity."},"client-secret":{"title":"Client Secret","definition":"A secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.","short":"A secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to be not guessable."},"confidential-client":{"title":"Confidential Client","definition":"According to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Confidential clients can hold credentials in a secure way without exposing them to unauthorized parties and require a trusted backend server to do so. They can use grant types that require them to authenticate by specifying their client ID and secret when calling the token endpoint and can have tokens issued to them that have been signed either symmetrically or asymmetrically.","short":"A client (application) that can hold credentials securely by using a trusted backend server. Examples include a web application with a secure backend and a machine-to-machine (M2M) application."},"confused-deputy":{"title":"Confused Deputy","definition":"The term confused deputy refers to a situation in which an attacker tricks a client or service into performing an action on their behalf.","short":"The term confused deputy refers to a situation in which an attacker tricks a client or service into performing an action on their behalf."},"connection":{"title":"Connection","definition":"The relationship between Auth0 and the sources of users for your applications. Examples include identity providers (such as Google or Active Directory), passwordless authentication methods, or user databases.","short":"The relationship between Auth0 and the sources of users for your applications."},"deprecation":{"title":"Deprecation","definition":"Product release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained. Tenants using the feature or behavior at the time of deprecation will continue to have access.","short":"Product release stage indicating that the referenced feature or behavior is not supported for use by new subscribers, is not actively being enhanced, and is being only minimally maintained. Tenants using the feature or behavior at the time of deprecation will continue to have access."},"digital-identity":{"title":"Digital Identity","definition":"The set of attributes that define a particular user in the context of a function which is delivered by a particular application.","short":"The set of attributes that define a particular user in the context of a function which is delivered by a particular application."},"digital-signature":{"title":"Digital Signature","definition":"A digital signature protects bits in a token from tampering. If the bits are changed or tampered with, the signature will no longer be able to be verified and it will be rejected.","short":"A digital signature protects bits in a token from tampering."},"directory":{"title":"Directory","definition":"A centralized repository of users (the most well-known of which is Active Directory) which centralizes credentials and attributes and makes it unnecessary for each application to have their own local identity setup and pool of users. Allows single sign on to all applications that use the same directory of users.","short":"A centralized repository of users that allows single sign on to all applications that use the same directory."},"early-access":{"title":"Early Access","definition":"A product release stage during which the referemced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality. At this stage, functionality may not be complete, but is ready for validation.","short":"A product release stage during which the referemced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to give them the opportunity to test and provide feedback on future functionality. At this stage, functionality may not be complete, but is ready for validation."},"end-of-life":{"title":"End of Life","definition":"A product release stage indicating the referemced feature or behavior is removed from the platform. Continued use of the feature or behavior will likely result in errors. The new behavior will automatically be enabled for Tenants that did not opt in during the migration window.","short":"A product release stage indicating the referemced feature or behavior is removed from the platform. Continued use of the feature or behavior will likely result in errors. The new behavior will automatically be enabled for Tenants that did not opt in during the migration window."},"end-of-life-date":{"title":"End of Life Date","definition":"The date that access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.","short":"The date that access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types."},"flow":{"title":"Flow","definition":"Processes that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.","short":"Processes that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey."},"general-availability":{"title":"General Availability","definition":"A product release stage during which the referenced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use. If a new release replaces an existing feature, Auth0 provides a period of backward compatibility in accordance with our deprecation policy and informs customers so they have time to adopt the new release.","short":"A product release stage during which the referemced feature or behavior is fully functional and available to all subscribers (limited by pricing tier) for production use. If a new release replaces an existing feature, Auth0 provides a period of backward compatibility in accordance with our deprecation policy and informs customers so they have time to adopt the new release."},"group":{"title":"Group","definition":"A set of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.","short":"A set of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time."},"id-token":{"title":"ID Token","definition":"A credential meant for the client itself, rather than for accessing a resource. It has a fixed format that clients can parse and validate.","short":"A credential meant for the client itself, rather than for accessing a resource."},"idp":{"title":"Identity Provider (IdP)","definition":"A service that stores and manages digital identities. Auth0 supports trusted social, enterprise, and legal identity providers. Auth0 also can function as an identity provider for your applications.","short":"A service that stores and manages digital identities."},"json-web-token":{"title":"JSON Web Token (JWT)","definition":"An open, industry standard \u003Ca href='https:\u002F\u002Ftools.ietf.org\u002Fhtml\u002Frfc7519'\u003ERFC 7519\u003C\u002Fa\u003E method for representing claims securely between two parties. At Auth0, ID Tokens are always returned in JWT format, and Access Tokens are often in JWT format. You may decode well-formed JWTs at \u003Ca href='https:\u002F\u002Fjwt.io'\u003EJWT.io\u003C\u002Fa\u003E to view their claims. See \u003Ca href='\u002Fdocs\u002Fjwt'\u003EJSON Web Tokens\u003C\u002Fa\u003E.","short":"The standard ID Token format and often Access Token format used to represent claims securely between two parties."},"lock":{"title":"Lock","definition":"Auth0's UI widget for authenticating users. It is ready to go as-is and is the default face of the Classic Universal Login experience. Lock allows you to customize minor behavioral and appearance options, but its primary goal is ease of use. See \u003Ca href='\u002Fdocs\u002Flock'\u003ELock\u003C\u002Fa\u003E.","short":"Auth0's UI widget for authenticating users."},"migration":{"title":"Migration","definition":"A process by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage.","short":"A process by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation product release stage."},"multifactor-authentication":{"title":"Multi-factor authentication (MFA)","definition":"An authentication process that considers multiple factors. Typically at Auth0, the first factor is the standard username\u002Fpassword exchange, and the second is a code or link via email or SMS, a one-time-password via an app such as Authy or Google Authenticator, or a push notification via a phone app such as Guardian or Duo. Using multiple factors allows your account to remain secure if someone captures one or the other factor--acquires your password or steals your phone, for example. See \u003Ca href='\u002Fdocs\u002Fmultifactor-authentication'\u003EMulti-factor Authentication\u003C\u002Fa\u003E.","short":"A user authentication process that uses a factor in addition to username and password such as a code via SMS."},"nonce":{"title":"Nonce","definition":"An arbitrary (often random or pseudo-random) number issued in an authentication protocol that can be used to help detect and mitigate replay attacks using old communications. In other words, the nonce is only issued once, so if an attacker attempts to replay a transaction with a different nonce, its false transaction can be detected more easily. See \u003Ca href='\u002Fdocs\u002Fapi-auth\u002Ftutorials\u002Fnonce'\u003ENonce\u003C\u002Fa\u003E.","short":"An arbitrary number issued once in an authentication protocol to detect and prevent replay attacks."},"openid":{"title":"OpenID","definition":"An open standard for authentication that allows applications to verify users are who they say they are without needing to collect, store, and therefore become liable for a user’s login information. See \u003Ca href='\u002Fdocs\u002Fprotocols\u002Foidc'\u003EOpenID Connect (OIDC)\u003C\u002Fa\u003E.","short":"An open standard for authentication that allows applications to verify users' identities without collecting and storing login information."},"passwordless":{"title":"Passwordless","definition":"A form of authentication where the first factor is not a password. Instead, it could be a one-time password received by email or SMS, a push notification, or a biometric sensor. Passwordless uses one-time passwords, so users are less susceptible to the typical password-based attacks (e.g., dictionary or credential stuffing) than with traditional username\u002Fpassword logins. See \u003Ca href='\u002Fdocs\u002Fconnections\u002Fpasswordless'\u003EPasswordless\u003C\u002Fa\u003E.","short":"A form of authentication that does not rely on a password as the first factor."},"perimeter":{"title":"Perimeter","definition":"A set of boundaries that encompass a directory, all of its users, and all of the applications which use the directory. In some implementations, this perimeter is a physical location; in others, it is a set of networks or devices connected via VPN.","short":"A set of boundaries that encompass a directory, all of its users, and all of the applications which use the directory."},"product-release-stages":{"title":"Product Release Stages","definition":"Phases that describe how Auth0 stages, releases, and retires product functionality. Product features may not progress through all release stages, and the time in each stage will vary depending on the scope and impact of the feature.","short":"Phases that describe how Auth0 stages, releases, and retires product functionality."},"public-client":{"title":"Public Client","definition":"According to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public depending on whether or not they are able to hold credentials (such as a client ID and secret) securely. Public clients cannot hold credentials securely, so should only use grant types that do not require the use of their client secret. ID Tokens issued to them must be signed asymmetrically using a private key (RS256) and verified using the public key corresponding to the private key used to sign the token. See \u003Ca href=‘\u002Fapplications\u002Fconcepts\u002Fapp-types-confidential-public'\u003EApplication Types - Confidential vs. Public\u003C\u002Fa\u003E.","short":"A client (application) that cannot hold credentials securely. Examples include a native desktop or mobile application and a JavaScript-based client-side web application (such as a single-page app (SPA))."},"raw-credentials":{"title":"Raw Credentials","definition":"A shared secret or set of information that are agreed upon between the user and the resource that allow the resource to verify the identity of a user.","short":"A shared secret or set of information that are agreed upon between the user and the resource that allow the resource to verify the identity of a user."},"refresh-token":{"title":"Refresh Token","definition":"A special kind of token that can be used to obtain a renewed Access Token. It is useful for renewing expiring Access Tokens without forcing the user to log in again. Using the Refresh Token, you can request a new Access Token at any time until the Refresh Token is blacklisted. See \u003Ca href='\u002Ftokens\u002Fconcepts\u002Frefresh-tokens'\u003ERefresh Tokens\u003C\u002Fa\u003E.","short":"A token used to obtain a renewed Access Token without forcing users to log in again."},"refresh-token-rotation":{"title":"Refresh Token Rotation","definition":"A strategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token.","short":"A strategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token."},"relying-party":{"title":"Relying Party","definition":"An entity (such as a service or application) that depends on a third-party identity provider to authenticate a user.","short":"An entity (such as a service or application) that depends on a third-party identity provider to authenticate a user."},"resource-owner":{"title":"Resource Owner","definition":"An entity (such as a user or application) capable of granting access to a protected resource.","short":"An entity (such as a user or application) capable of granting access to a protected resource."},"resource-server":{"title":"Resource Server","definition":"A server hosting protected resources. Resource servers accept and respond to protected resource requests.","short":"A server hosting protected resources. Resource servers accept and respond to protected resource requests."},"role":{"title":"Role","definition":"An aspect of a user’s identity assigned to the user to indicate the level of access they should have to the system. Roles are essentially collections of permissions. See \u003Ca href='\u002Fdocs\u002Fauthorization\u002Fconcepts\u002Frbac'\u003ERole-based Access Control (RBAC)\u003C\u002Fa\u003E.","short":"An aspect of a user’s identity assigned to the user to give them a certain set of permissions."},"scope":{"title":"Scope","definition":"A mechanism that defines the specific actions applications can be allowed to do or information that they can request on a user’s behalf. Often, applications will want to make use of the information that has already been created in an online resource. To do so, the application must ask for authorization to access this information on a user’s behalf. When an app requests permission to access a resource through an authorization server, it uses the Scope parameter to specify what access it needs, and the authorization server uses the Scope parameter to respond with the access that was actually granted. See \u003Ca href='\u002Fdocs\u002Fscopes'\u003EScopes\u003C\u002Fa\u003E.","short":"A mechanism that determines actions applications can perform on a user's behalf with information previously created in an online resource."},"security-assertion-markup-language":{"title":"Security Assertion Markup Language (SAML)","definition":"An XML-based standardized protocol by which two parties can exchange authentication information without the use of a password. See \u003Ca href='\u002Fdocs\u002Fprotocols\u002Fsaml'\u003ESAML\u003C\u002Fa\u003E.","short":"A standardized protocol allowing two parties to exchange authentication information without a password."},"security-token":{"title":"Security Token","definition":"A digitally-signed artifact used to prove that the user was successfully authenticated.","short":"A digitally-signed artifact used to prove that the user was successfully authenticated."},"session-cookie":{"title":"Session Cookie","definition":"An entity emitted by middleware after it establishes that the token it is receiving is signed, valid, and comes from a trusted source (the identity provider). This entity represents the fact that successful authentication occurred with the identity provider. This cookie prevents this process with tokens from needing to be continually repeated, by allowing the user to be considered authenticated as long as the cookie is present.","short":"An entity that, when present, allows the user to be considered authenticated."},"shadow-accounts":{"title":"Shadow Accounts","definition":"A difficult to sustain practice of manually provisioning a user from a local directory separately in a remote directory (essentially creating a copy, or shadow, of the original account) when they need access to remote applications.","short":"A difficult to sustain practice of manually provisioning a user from a local directory separately in a remote directory."},"single-sign-on":{"title":"Single Sign-On (SSO)","definition":"A service that, after a user logs into one application, automatically logs that user in to other applications, regardless of the platform, technology, or domain the user is using. The user signs in only one time (hence the name of the feature). Similarly, Single Logout (SLO) occurs when, after a user logs out from one application, they are logged out of each application or service where they were logged in. SSO and SLO are possible through the use of sessions. See \u003Ca href='\u002Fdocs\u002Fsso'\u003ESingle Sign-On and Single Logout\u003C\u002Fa\u003E.","short":"A service that, after a user logs into one applicaton, automatically logs that user in to other applications."},"subscription":{"title":"Subscription","definition":"An agreement that defines the features and quotas available for each of your tenants. Auth0 has multiple subscription levels to meet the needs of different developers and organizations.","short":"An agreement that defines the features and quotas available for each of your tenants. Auth0 has multiple subscription levels to meet the needs of different developers and organizations."},"suspicious-ip-throttling":{"title":"Suspicious IP Throttling","definition":"A form of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.","short":"A form of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address."},"tenant":{"title":"Tenant","definition":"At Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine. Tenant, in general, is a term borrowed from software multitenant architecture.","short":"At Auth0, a logically-isolated group of users who share common access with specific privileges to a single software instance. No tenant can access the data of another tenant, even though multiple tenants might be running on the same machine. Tenant, in general, is a term borrowed from software multitenant architecture."},"token-endpoint":{"title":"Token Endpoint","definition":"The endpoint on the Authorization Server that is used to programmatically request tokens.","short":"The endpoint on the Authorization Server that is used to programmatically request tokens."},"trigger":{"title":"Trigger","definition":"An event that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime. Some Triggers are executed synchronously, blocking the Flow in which they are involved, and some are executed asynchronously.","short":"An event that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime."},"trust":{"title":"Trust","definition":"A resource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.","short":"A resource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users."},"universal-login":{"title":"Universal Login","definition":"Auth0’s implementation of the authentication flow, which is the key feature of an Authorization Server. Each time a user needs to prove their identity, your applications redirect to Universal Login, and Auth0 will do what’s needed to guarantee the user’s identity. See \u003Ca href='\u002Fdocs\u002Funiversal-login'\u003EAuth0 Universal Login\u003C\u002Fa\u003E.","short":"Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity."}},"termLetters":["A","B","C","D","E","F","G","I","J","L","M","N","O","P","R","S","T","U"]},"breadcrumbs":[{"title":"Docs","url":"\u002Fdocs"},{"title":"Login","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin","path":"login"},{"title":"Adopt OIDC-Conformant Authentication","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication","path":"login\u002Fadopt-oidc-conformant-authentication"},{"title":"OIDC-Conformant Adoption: Resource Owner Password Flow","url":"https:\u002F\u002Fauth0.com\u002Fdocs\u002Flogin\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow","path":"login\u002Fadopt-oidc-conformant-authentication\u002Foidc-adoption-rop-flow"}],"sidebarBreadcrumbs":[]},"AbStore":{"docExperiments":{}}}},"options":{"optimizePromiseCallback":false},"plugins":{"DevToolsPlugin":{"actionHistory":[],"enableDebug":false}}},"plugins":{"ServiceProxyPlugin":{}}};</script><script src="https://cdn2.auth0.com/docs/js/client.bcdd80402e33c1bd8c75.bundle.js"></script><script> _linkedin_data_partner_id = "30812"; (function () { var s = document.getElementsByTagName("script")[0]; var b = document.createElement("script"); b.type = "text/javascript"; b.async = true; b.src = "https://snap.licdn.com/li.lms-analytics/insight.min.js"; s.parentNode.insertBefore(b, s); })(); </script></body></html>