Impersonate Users Using the Dashboard

Impersonation has been deprecated and will not be enabled for new customers. The functionality will continue to work for existing customers who currently have it enabled. If at some point the impersonation feature is changed or removed from service, customers who currently use it will be notified beforehand and given ample time to migrate.

You may need to impersonate other users for testing or troubleshooting purposes. You can:

  • Log in to an app as a specific user.
  • See everything exactly as that user sees it.
  • Do everything exactly as that user does it.

Auth0 provides a Sign in As feature for user impersonation, which includes the following capabilities:

  • Detailed auditing of who impersonated whom, and when.
  • Restrictions on impersonation that allow you to reject an impersonated authentication transaction based on, for instance, corporate policies around privacy and sensitive data.
  • Unlimited customization of who can impersonate whom, and when, depending on whatever context, using the Rules engine. In a Rule you have access to user.impersonated (the impersonated login) and user.impersonator (the impersonating login), and you can write arbitrary JavaScript to define how it works.

Any Rules that you have implemented will run when you impersonate a user, including any actions that update the user.

Impersonation does not work with Authorization API

Impersonation does not work with the API Authorization features. This means that the audience parameter will be ignored, and the Access Token returned to applications when using this flow is only valid for requests to the /userinfo endpoint.

Impersonation and Login CSRF attacks

To avoid Login CSRF attacks, the OAuth 2.0 specification recommends that applications use the state parameter to make sure that the response they receive matches the authentication request and originates from the same session.

However, applications that check for a valid state parameter will not work with Impersonation, since Impersonation works by sending authenticated responses to applications that never requested authentication. If you are building a single-page application where the authentication results are processed by Lock or Auth0.js, you can disable checking of state to allow Impersonation.

Impersonation leaves your application vulnerable to CSRF attacks: the flag allows the CSRF check based on the state parameter to be bypassed whenever that parameter is missing from the authorization response. By using impersonation, you acknowledge that you understand and accept these risks.

If you are using Auth0.js, you have to set the flag __enableIdPInitiatedLogin to true in the options passed to the library's webAuth.parseHash call.

If you're using Lock, you can include the flag using the options parameter sent to the constructor.

The flag itself is enableIdPInitiatedLogin, preceded by one underscore when used with Lock (_enableIdPInitiatedLogin) and by two underscores when used with the auth0.js library (__enableIdPInitiatedLogin).

Impersonate users using the Dashboard

You can use the Dashboard to log in to your app as a user:

  1. Navigate to the Users page in the Auth0 Dashboard and select the user you want to log in as. Click Sign in as User and select the application you want to log in to from the dropdown menu.

I can't see the button

Can't see the button? The following conditions are required for the button to display:

  • The applications registered in the tenant must have at least one callback URL listed.
  • The applications must have the connections that the impersonated user belongs to turned on.

  2. A popup displays the URL to be used to impersonate the user. Copy the URL to the clipboard (white button) or open it in a separate browser tab/window (blue button).

Acquiring a token

Impersonating a user using the Dashboard will not return an ID Token to your application by default. There are two ways to obtain one. You can alter the Response Type setting in the impersonation menu's Advanced Settings from Code to Token (Sign in as User -> Show Advanced Settings). Alternatively, you can add additionalParameters.scope: "openid" to the request body when calling the impersonation endpoint manually.

Advanced settings

When impersonating a user in the Dashboard, after clicking Sign in as User you will see a link to expand "Advanced Settings."

This reveals fields that make it easier to Impersonate a User Using the Impersonation API:

  • Response mode: GET or POST. This applies only to server-side apps; client-side apps default to GET.
  • Response type: Code or Token. This applies only to server-side apps; client-side apps default to Token.
  • Scope: This field contains openid by default; other scopes can be added as a whitespace-separated list.
  • State: The state is a required parameter, and leaving it blank may lead to errors like Impersonation - Bad mac. For more information, see State Parameter.
