You can add login to your regular web application using the Authorization Code Flow. To learn how the flow works and why you should use it, read Authorization Code Flow. To call your API from a regular web app, read Call Your API Using the Authorization Code Flow.To implement the Authorization Code Flow, Auth0 provides the following resources:
Authentication API: If you prefer to build your own solution, keep reading to learn how to call our API directly.
Following a successful login, your application will have access to the user’s and . The ID token contains basic user profile information, and the access token can be used to call the Auth0 /userinfo endpoint or your own protected APIs. To learn more about ID tokens, read ID Tokens. To learn more about access tokens, read Access Tokens.You will request the user’s authorization and redirect back to your app with an authorization_code. Then you will exchange the code for tokens.
Denotes the kind of credential that Auth0 will return (code or token). For this flow, the value must be code.
client_id
Your application’s Client ID. You can find this value in your Application Settings.
redirect_uri
The URL to which Auth0 will redirect the browser after authorization has been granted by the user. The Authorization Code will be available in the code URL parameter. You must specify this URL as a valid callback URL in your Application Settings.
Warning: Per the OAuth 2.0 Specification, Auth0 removes everything after the hash and does not honor any fragments.
scope
Specifies the scopes for which you want to request authorization, which dictate which claims (or user attributes) you want returned. These must be separated by a space. To get an ID Token in the response, you need to specify a scope of at least openid. If you want to return the user’s full profile, you can request openid profile. You can request any of the standard OpenID Connect (OIDC) scopes about users, such as email, or custom claims conforming to a namespaced format. Include offline_access to get a (make sure that the Allow Offline Access field is enabled in the Application Settings).
state
(recommended) An opaque arbitrary alphanumeric string your app adds to the initial request that Auth0 includes when redirecting back to your application. To see how to use this value to prevent cross-site request forgery (CSRF) attacks, see Mitigate CSRF Attacks With State Parameters.
connection
(optional) Forces the user to sign in with a specific connection. For example, you can pass a value of github to send the user directly to GitHub to log in with their GitHub account. When not specified, the user sees the Auth0 Lock screen with all configured connections. You can see a list of your configured connections on the Connections tab of your application.
organization
(optional) ID of the organization to use when authenticating a user. When not provided, if your application is configured to Display Organization Prompt, the user will be able to enter the organization name when authenticating.
invitation
(optional) Ticket ID of the organization invitation. When inviting a member to an Organization, your application should handle invitation acceptance by forwarding the invitation and organization key-value pairs when the user accepts the invitation.
login_hint
(optional) Populates the username/email field for the login or signup page when redirecting to Auth0. Supported by the Universal Login experience.
As an example, your HTML snippet for your authorization URL when adding login to your app might look like:
Now that you have an Authorization Code, you must exchange it for tokens. Using the extracted Authorization Code (code) from the previous step, you will need to POST to the token URL.
The authorization_code retrieved in the previous step of this tutorial.
client_id
Your application’s Client ID. You can find this value in your Application Settings.
client_secret
Your application’s Client Secret. You can find this value in your Application Settings. To learn more about available application authentication methods, read Application Credentials.
redirect_uri
The valid callback URL set in your Application settings. This must exactly match the redirect_uri passed to the authorization URL in the previous step of this tutorial. Note that this must be URL encoded.
ID tokens contain user information that must be decoded and extracted.Access tokens are used to call the Auth0 Authentication API’s /userinfo endpoint or another API. If you are calling your own API, the first thing your API will need to do is verify the Access token.Refresh tokens are used to obtain a new access token or ID token after the previous one has expired. The refresh_token will only be present in the response if you included the offline_access scope and enabled Allow Offline Access for your API in the Dashboard.
Refresh tokens must be stored securely since they allow a user to remain authenticated essentially forever.
This example shows the most basic request you can make when authorizing the user in step 1. It displays the Auth0 login screen and allows the user to sign in with any of your configured connections:
In addition to the usual user authentication, this example shows how to request additional user details, such as name and picture.To request the user’s name and picture, you need to add the appropriate scopes when authorizing the user:
In addition to the usual user authentication, this example shows how to send users directly to a social identity provider, such as GitHub. You will first need to configure the appropriate connection in Auth0 Dashboard > Authentication > Social and get the connection name from the Settings tab.To send users directly to the GitHub login screen, you need to pass the connection parameter and set its value to the connection name (in this case, github) when authorizing the user in step 1:
Now, when you request tokens, your ID Token will contain a sub claim with the user’s unique ID returned from GitHub. When you decode the ID token, it will look similar to:
