- Regular Web App Quickstarts: The easiest way to implement the flow.
- Authentication API: If you prefer to build your own solution, keep reading to learn how to call our API directly.
/userinfo endpoint or your own protected APIs. To learn more about ID tokens, read ID Tokens. To learn more about access tokens, read Access Tokens.
You will request the user’s authorization and redirect back to your app with an authorization_code. Then you will exchange the code for tokens.
Prerequisites
Register your app with Auth0. To learn more, read Register Regular Web Applications.- Select Regular Web App as the Application Type.
- Add an Allowed Callback URL of
{https://yourApp/callback}. - Make sure your application’s Grant Types include Authorization Code. To learn more, read Update Grant Types.
Authorize user
To begin the flow, you’ll need to get the user’s authorization. This step may include one or more of the following processes:- Authenticating the user;
- Redirecting the user to an to handle authentication;
- Obtaining user consent for the requested permission level, unless consent has been previously given.
Authorization URL example
Parameters
As an example, your HTML snippet for your authorization URL when adding login to your app might look like:
Response
If all goes well, you’ll receive anHTTP 302 response. The authorization code is included at the end of the URL:
Request tokens
Now that you have an Authorization Code, you must exchange it for tokens. Using the extracted Authorization Code (code) from the previous step, you will need to POST to the token URL.
POST to token URL example
Parameters
Response
If all goes well, you’ll receive an HTTP 200 response with a payload containingaccess_token, refresh_token, id_token, and token_type values:
refresh_token will only be present in the response if you included the offline_access scope and enabled Allow Offline Access for your API in the Dashboard.
Use cases
Basic authentication request
This example shows the most basic request you can make when authorizing the user in step 1. It displays the Auth0 login screen and allows the user to sign in with any of your configured connections: Now, when you request tokens, your ID Token will contain the most basic claims. When you decode the ID Token, it will look similar to:Request user’s name and profile picture
In addition to the usual user authentication, this example shows how to request additional user details, such as name and picture. To request the user’s name and picture, you need to add the appropriate scopes when authorizing the user: Now, when you request tokens, your ID token will contain the requested name and picture claims. When you decode the ID token, it will look similar to:Request user log in with GitHub
In addition to the usual user authentication, this example shows how to send users directly to a social identity provider, such as GitHub. You will first need to configure the appropriate connection in Auth0 Dashboard > Authentication > Social and get the connection name from the Settings tab. To send users directly to the GitHub login screen, you need to pass theconnection parameter and set its value to the connection name (in this case, github) when authorizing the user in step 1:
Now, when you request tokens, your ID Token will contain a sub claim with the user’s unique ID returned from GitHub. When you decode the ID token, it will look similar to: