Application Grant Types
Application grant types (or flows) are methods through which applications can gain Access Tokens and by which you grant limited access to your resources to another entity without exposing credentials. The OAuth 2.0 protocol supports several types of grants, which allow different types of access.
Based on the needs of your application, some grant types are more appropriate than others. Auth0 provides many different authentication and authorization flows and allows you to indicate which grant types are appropriate based on the grant_types
property of your application.
For example, if you want to secure a mobile application, the Authorization Code Flow with Proof Key for Code Exchange (PKCE) is the most appropriate.
Alternatively, if you want to secure a client-side application, such as a single-page application (SPA), and aren't passing tokens between servers, the Implicit Flow with Form Post is the most appropriate.
Various grant types are valid when registering applications. These can be divided into the following categories:
Specification-conforming grants: Grants defined by and conforming to external specifications, such as OpenID Connect (OIDC).
Auth0 extension grants: Auth0-specific grants that conform to the OAuth extension mechanism to support additional clients or to provide a bridge between OAuth and other trust frameworks.
Auth0 legacy grants: Traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.
Available grant types
Specification-conforming grants
Grant Type | Description |
---|---|
implicit |
Implicit Grant |
authorization_code |
Authorization Code Grant |
client_credentials |
Client Credentials Grant |
password |
Resource Owner Password Grant |
refresh_token |
Use Refresh Tokens |
urn:ietf:params:oauth:grant-type:device_code |
Device Authorization Grant |
Auth0 extension grants
Grant Type | Description |
---|---|
http://auth0.com/oauth/grant-type/password-realm |
Use an extension grant similar to the Resource Owner Password Grant that includes the ability to indicate a specific realm |
http://auth0.com/oauth/grant-type/mfa-oob |
Multi-factor Authentication OOB Grant Request |
http://auth0.com/oauth/grant-type/mfa-otp |
Multi-factor Authentication OTP Grant Request |
http://auth0.com/oauth/grant-type/mfa-recovery-code |
Multi-factor Authentication Recovery Grant Request |
http://auth0.com/oauth/grant-type/passwordless/otp |
Embedded Passwordless Login Grant Request |
Auth0 legacy grants
Legacy grants include:
http://auth0.com/oauth/legacy/grant-type/ro
http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer
http://auth0.com/oauth/legacy/grant-type/delegation/refresh_token
http://auth0.com/oauth/legacy/grant-type/delegation/id_token
http://auth0.com/oauth/legacy/grant-type/access_token
Legacy grant types are traditional grant types supported for legacy customers only. If you are a legacy customer, we highly recommend moving to a more secure alternative.
As of 08 June 2017, all applications were given a grant_types
property that must be populated. To avoid changes in functionality for Auth0 customers at that time, we populated the grant_types
property for all existing applications with all Auth0 legacy, Auth0 extension, and specification-conforming grant types.
At this time, new Auth0 customers were no longer able to add legacy grant types to their applications. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. If you were a customer prior to 8 June 2017, you can enable a legacy grant type using either the Auth0 Dashboard or the Auth0 Management API.
If you're currently using a legacy grant type, refer to the chart below to see which of the secure alternatives you should use instead. For example, if you're implementing Passwordless Authentication,
use Universal Login instead of the oauth/ro
endpoint.
Grant type mapping
When registered, applications have access to different grant types based on their application type, specifically whether the application is confidential or public. Additionally, trusted first-party applications have access to additional grant types.
Public applications
When a Native Application or Single-Page Application (SPA) is registered in the Dashboard, it's automatically flagged as a public application, which is indicated by the token_endpoint_auth_method
flag being set to none
. By default, Auth0 creates public applications with the following grant_types
enabled:
implicit
authorization_code
refresh_token
Native Apps can also use the device_code
grant type.
Public applications cannot use the client_credentials
grant type. To use this grant type, you must configure the application to be confidential rather than public. Use the Auth0 Management API Update a client endpoint to set the token_endpoint_auth_method
to client_secret_post,
client_secret_basic
, or private_key_jwt
. To learn more, read Application Credentials.
Confidential applications
When a Regular Web Application or Machine-to-Machine (M2M) Application is registered in the Auth0 Dashboard, it's automatically flagged as a confidential application, which is indicated by the token_endpoint_auth_method
flag being set to anything except none
. By default, Auth0 creates confidential applications with the following grant_types
enabled:
implicit
authorization_code
refresh_token
client_credentials
Trusted first-party applications
Trusted first-party applications have the same grant_types
enabled as confidential applications, along with the following:
password
http://auth0.com/oauth/grant-type/password-realm
http://auth0.com/oauth/grant-type/mfa-oob
http://auth0.com/oauth/grant-type/mfa-otp
http://auth0.com/oauth/grant-type/mfa-recovery-code
If you are using the Dashboard to enable or disable these grant types, be aware that all the Password and MFA grant types are enabled when you add the Password
or MFA
grant type to your application. You cannot select them individually.