- Auth0 Mobile SDKs and Auth0 Single-Page App SDK: The easiest way to implement the flow, which will do most of the heavy lifting for you. Our Mobile Quickstarts and Single-Page App Quickstarts will walk you through the process.
- Authentication API: If you prefer to build your own solution, keep reading to learn how to call our API directly.
/userinfo endpoint or your own protected APIs. To learn more about ID tokens, read ID Tokens. To learn more about access tokens, read Access Tokens.
Prerequisites
Register your app with Auth0. To learn more, read Register Native Applications or Register Single-Page Web Applications.- Select an Application Type of Native or Single-Page App, depending on your application type.
- Add an Allowed Callback URL of
YOUR_CALLBACK_URL. Your callback URL format will vary depending on your application type and platform. For details about the format for your application type and platform, see our Native/Mobile Quickstarts and Single-Page App Quickstarts. - Make sure your application’s Grant Types include Authorization Code. To learn more, read Update Grant Types.
Create code verifier
Create acode_verifier, which is a cryptographically-random, Base64-encoded key that will eventually be sent to Auth0 to request tokens.
To learn more about the algorithm to create the code_verifier, read section 4.1 Client Creates a Code Verifier of the Proof Key for Code Exchange spec.
Javascript sample
Java sample
Android sample
Swift 5 sample
Objective-C sample
Create code challenge
Generate acode_challenge from the code_verifier that will be sent to Auth0 to request an authorization_code.
To learn more about how the code_challenge is derived from the code_verifier, read section 4.2 Client Creates the Code Challenge of the OAuth Proof Key for Code Exchange spec.
Javascript sample
Java sample
Swift 5 sample
Objective-C sample
Authorize user
Request the user’s authorization and redirect back to your app with anauthorization_code.
Once you’ve created the code_verifier and the code_challenge, you must get the user’s authorization. This is technically the beginning of the , and this step may include one or more of the following processes:
* Authenticating the user;
* Redirecting the user to an to handle authentication;
* Checking for active Single Sign-on (SSO) sessions;
* Obtaining user consent for the requested permission level, unless consent has been previously given.
To authorize the user, your app must send the user to the authorization URL, including the code_challenge you generated in the previous step and the method you used to generate the code_challenge.
Authorization URL example
Parameters
As an example, your HTML snippet for your authorization URL when adding login to your app might look like:
Response
If all goes well, you’ll receive anHTTP 302 response. The authorization code is included at the end of the URL:
Request tokens
Exchange yourauthorization_code and code_verifier for tokens.
Now that you have an Authorization Code, you must exchange it for tokens. Using the extracted Authorization Code (code) from the previous step, you will need to POST to the token URL sending along the code_verifier.
POST to token URL example
Parameters
Response
If all goes well, you’ll receive an HTTP 200 response with a payload containingaccess_token, refresh_token, id_token, and token_type values:
refresh_token will only be present in the response if you included the offline_access scope and enabled Allow Offline Access for your API in the Dashboard.
Use cases
Basic authentication request
This example shows the most basic request you can make when authorizing the user in step 1. It displays the Auth0 login screen and allows the user to sign in with any of your configured connections: Now, when you request tokens, your ID Token will contain the most basic claims. When you decode the ID Token, it will look similar to:Request user’s name and profile picture
In addition to the usual user authentication, this example shows how to request additional user details, such as name and picture. To request the user’s name and picture, you need to add the appropriate scopes when authorizing the user: Now, when you request tokens, your ID token will contain the requested name and picture claims. When you decode the ID token, it will look similar to:Request user log in with GitHub
In addition to the usual user authentication, this example shows how to send users directly to a social identity provider, such as GitHub. For this example to work, you need to go to Auth0 Dashboard > Authentication > Social and configure the appropriate connection. Get the connection name from the Settings tab. To send users directly to the GitHub login screen, you need to pass theconnection parameter and set its value to the connection name (in this case, github) when authorizing the user:
Now, when you request tokens, your ID token will contain a sub claim with the user’s unique ID returned from GitHub. When you decode the ID token, it will look similar to: