Application Grant Types
Application grant types (or flows) are methods through which applications can gain Access Tokens and by which you grant limited access to your resources to another entity without exposing credentials. The OAuth 2.0 protocol supports several types of grants, which allow different types of access.
Based on the needs of your application, some grant types are more appropriate than others. Auth0 provides many different authentication and authorization flows and allows you to indicate which grant types are appropriate based on the grant_types
property of your Auth0-registered Application.
For example, let's say you are securing a mobile app. In this case, you'd use the Authorization Code Flow with Proof Key for Code Exchange (PKCE).
Alternatively, if you were securing a client-side app (such as a single-page app) and weren't passing tokens between servers, you might use the Implicit Flow with Form Post.
Various grant types are valid when registering Auth0 Applications. These can be divided into the following categories:
Spec-conforming grants: Grants defined by and conforming to external specifications (such as OpenID Connect (OIDC)).
Auth0 extension grants: Auth0-specific grants that conform to the OAuth extension mechanism to support additional clients or to provide a bridge between OAuth and other trust frameworks.
Auth0 legacy grants: Traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.
Available grant types
Spec-conforming grants
Grant Type | Description |
---|---|
implicit |
Implicit Grant |
authorization_code |
Authorization Code Grant |
client_credentials |
Client Credentials Grant |
password |
Resource Owner Password Grant |
refresh_token |
Use Refresh Tokens |
urn:ietf:params:oauth:grant-type:device_code |
Device Authorization Grant |
Auth0 extension grants
Grant Type | Description |
---|---|
http://auth0.com/oauth/grant-type/password-realm |
Use an extension grant similar to the Resource Owner Password Grant that includes the ability to indicate a specific realm |
http://auth0.com/oauth/grant-type/mfa-oob |
Multi-factor Authentication OOB Grant Request |
http://auth0.com/oauth/grant-type/mfa-otp |
Multi-factor Authentication OTP Grant Request |
http://auth0.com/oauth/grant-type/mfa-recovery-code |
Multi-factor Authentication Recovery Grant Request |
http://auth0.com/oauth/grant-type/passwordless/otp |
Embedded Passwordless Login Grant Request |
Auth0 legacy grants
Legacy grants include:
http://auth0.com/oauth/legacy/grant-type/ro
http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer
http://auth0.com/oauth/legacy/grant-type/delegation/refresh_token
http://auth0.com/oauth/legacy/grant-type/delegation/id_token
http://auth0.com/oauth/legacy/grant-type/access_token
Legacy grant types are traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.
As of 08 June 2017, all Auth0 Applications were given a grant_types
property that must be populated. To avoid changes in functionality for Auth0 customers at that time, we populated the grant_types
property for all existing Applications with all Auth0 legacy, Auth0 extension, and specification-conforming grant types.
At this time, new Auth0 customers were no longer able to add legacy grant types to their applications. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. If you were a customer prior to 8 June 2017, you can enable a legacy grant type using either the Dashboard or the Management API.
If you're currently using a legacy grant type, refer to the chart below to see which of the secure alternatives you should use instead. If you are implementing Passwordless Authentication should use Universal Login instead of the oauth/ro
endpoint.
Grant type mapping
When registered, Auth0 Applications have access to different grant types based on application type. The biggest deciding factor is whether the application is confidential or public. Additionally, trusted first-party applications have access to additional grant types.
Public applications
When a Native App or Single-Page App is registered in the Dashboard, it is automatically flagged as a public application, which is indicated by a token_endpoint_auth_method
flag set to none
. By default, Auth0 creates public applications with the following grant_types
enabled:
implicit
authorization_code
refresh_token
Native Apps can also use the device_code
grant type.
Public applications cannot use the client_credentials
grant type. To use this grant type, you must indicate that the application is confidential rather than public. Use the Management API to set the token_endpoint_auth_method
to client_secret_post
or client_secret_basic
.
Confidential applications
When a Regular Web App or Machine-to-Machine (M2M) App is registered in the Dashboard, it is automatically flagged as a confidential application, which is indicated by a token_endpoint_auth_method
flag set to anything except none
. By default, Auth0 creates confidential applications with the following grant_types
enabled:
implicit
authorization_code
refresh_token
client_credentials
Trusted first-party applications
Trusted first-party applications have the same grant_types
enabled as confidential applications, plus the following:
password
http://auth0.com/oauth/grant-type/password-realm
http://auth0.com/oauth/grant-type/mfa-oob
http://auth0.com/oauth/grant-type/mfa-otp
http://auth0.com/oauth/grant-type/mfa-recovery-code
If you are using the Dashboard to enable or disable these grant types, be aware that all the Password and MFA grant types are enabled when you add the Password
or MFA
grant type to your Application. You cannot select them individually.