Application Grant Types

Application grant types (or flows) are methods through which applications can gain Access Tokens and by which you grant limited access to your resources to another entity without exposing credentials. The OAuth 2.0 protocol supports several types of grants, which allow different types of access.

Based on the needs of your application, some grant types are more appropriate than others. Auth0 provides many different authentication and authorization flows and allows you to indicate which grant types are appropriate based on the grant_types property of your application.

For example, if you want to secure a mobile application, the Authorization Code Flow with Proof Key for Code Exchange (PKCE) is the most appropriate.

Alternatively, if you want to secure a client-side application, such as a single-page application (SPA), and aren't passing tokens between servers, the Implicit Flow with Form Post is the most appropriate.

Various grant types are valid when registering applications. These can be divided into the following categories:

  • Specification-conforming grants: Grants defined by and conforming to external specifications, such as OpenID Connect (OIDC).

  • Auth0 extension grants: Auth0-specific grants that conform to the OAuth extension mechanism to support additional clients or to provide a bridge between OAuth and other trust frameworks.

  • Auth0 legacy grants: Traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.

Available grant types

Specification-conforming grants

Grant Type Description
implicit Implicit Grant
authorization_code Authorization Code Grant
client_credentials Client Credentials Grant
password Resource Owner Password Grant
refresh_token Use Refresh Tokens
urn:ietf:params:oauth:grant-type:device_code Device Authorization Grant

Auth0 extension grants

Grant Type Description
http://auth0.com/oauth/grant-type/password-realm Use an extension grant similar to the Resource Owner Password Grant that includes the ability to indicate a specific realm
http://auth0.com/oauth/grant-type/mfa-oob Multi-factor Authentication OOB Grant Request
http://auth0.com/oauth/grant-type/mfa-otp Multi-factor Authentication OTP Grant Request
http://auth0.com/oauth/grant-type/mfa-recovery-code Multi-factor Authentication Recovery Grant Request
http://auth0.com/oauth/grant-type/passwordless/otp Embedded Passwordless Login Grant Request

Auth0 legacy grants

Legacy grants include:

  • http://auth0.com/oauth/legacy/grant-type/ro

  • http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer

  • http://auth0.com/oauth/legacy/grant-type/delegation/refresh_token

  • http://auth0.com/oauth/legacy/grant-type/delegation/id_token

  • http://auth0.com/oauth/legacy/grant-type/access_token

Legacy grant types are traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.

As of 08 June 2017, all applications were given a grant_types property that must be populated. To avoid changes in functionality for Auth0 customers at that time, we populated the grant_types property for all existing applications with all Auth0 legacy, Auth0 extension, and specification-conforming grant types.

At this time, new Auth0 customers were no longer able to add legacy grant types to their applications. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. If you were a customer prior to 8 June 2017, you can enable a legacy grant type using either the Auth0 Dashboard or the Auth0 Management API.

If you're currently using a legacy grant type, refer to the chart below to see which of the secure alternatives you should use instead. For example, if you're implementing Passwordless Authentication,

use Universal Login instead of the oauth/ro endpoint.

Grant type mapping

When registered, applications have access to different grant types based on their application type, specifically whether the application is confidential or public. Additionally, trusted first-party applications have access to additional grant types.

Public applications

When a Native Application or Single-Page Application (SPA) is registered in the Dashboard, it's automatically flagged as a public application, which is indicated by the token_endpoint_auth_method flag being set to none. By default, Auth0 creates public applications with the following grant_types enabled:

  • implicit

  • authorization_code

  • refresh_token

Native Apps can also use the device_code grant type.

Public applications cannot use the client_credentials grant type. To use this grant type, you must configure the application to be confidential rather than public. Use the Auth0 Management API Update a client endpoint to set the token_endpoint_auth_method to client_secret_post, client_secret_basic, or private_key_jwt. To learn more, read Application Credentials.

Confidential applications

When a Regular Web Application or Machine-to-Machine (M2M) Application is registered in the Auth0 Dashboard, it's automatically flagged as a confidential application, which is indicated by the token_endpoint_auth_method flag being set to anything except none. By default, Auth0 creates confidential applications with the following grant_types enabled:

  • implicit

  • authorization_code

  • refresh_token

  • client_credentials

Trusted first-party applications

Trusted first-party applications have the same grant_types enabled as confidential applications, along with the following:

  • password

  • http://auth0.com/oauth/grant-type/password-realm

  • http://auth0.com/oauth/grant-type/mfa-oob

  • http://auth0.com/oauth/grant-type/mfa-otp

  • http://auth0.com/oauth/grant-type/mfa-recovery-code

If you are using the Dashboard to enable or disable these grant types, be aware that all the Password and MFA grant types are enabled when you add the Password or MFA grant type to your application. You cannot select them individually.

Learn more