OAuth Interaction Patterns
Code Flow
User selects Login within application.
Auth0's SDK redirects user to Auth0 Authorization Server (/authorize endpoint).
Auth0 Authorization Server redirects user to login and authorization prompt.
User authenticates using one of the configured login options, and may see a consent prompt listing the permissions Auth0 will give to the application.
Auth0 Authorization Server redirects user back to application with single-use authorization code.
Auth0's SDK sends authorization code, application's client ID, and application's credentials, such as client secret or Private Key JWT, to Auth0 Authorization Server (/oauth/token endpoint).
Auth0 Authorization Server verifies authorization code, application's client ID, and application's credentials.
Auth0 Authorization Server responds with an ID token and access token (and optionally, a refresh token).
Application can use the access token to call an API to access information about the user.
API responds with requested data.

Refresh Token Flow
The refresh token is used to obtain continued access, because access tokens are usually short-lived (~300 secs).
To avoid repeating the whole process every time the access token expires, a request to /token containing the refresh token is sent and a new access token is obtained.
By design, refresh tokens are long-lived, but they can also expire. Additionally, they are single-use only. Every time a refresh token is used to request access tokens, a new refresh token is issued and the previous token is invalidated.

Client Credentials Flow
The Client Credentials Flow involves an application exchanging its application credentials, such as client ID and client secret, for an access token.
This flow is best suited for Machine-to-Machine (M2M) applications, such as CLIs, daemons, or backend services, because the system must authenticate and authorize the application instead of a user.
This flow does not issue refresh tokens, as they are not needed; the application can directly request another access token with its credentials.
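The following Python is an added example, not Auth0's code or the original page's: a toy token endpoint that models the server-side properties the Code, Refresh Token and Client Credentials flows above rely on. It verifies client credentials before anything else, consumes each authorization code on first use, rotates refresh tokens so the previous one is invalidated, and issues neither an ID token nor a refresh token for the client credentials grant. The class, method names and the in-memory client registry are assumptions for illustration.

```python
import secrets


class TokenEndpoint:
    """Toy token endpoint (constructed for illustration, not Auth0's code). It
    enforces what the flows above rely on: client credentials are verified,
    authorization codes are single-use, and refresh tokens rotate on every use."""

    def __init__(self, clients, access_ttl=300):
        self.clients = clients        # client_id -> client_secret (assumed registry)
        self.access_ttl = access_ttl  # access tokens are short-lived (~300 s)
        self.codes = {}               # pending auth codes: code -> (client_id, user)
        self.refresh_tokens = {}      # live refresh tokens: token -> (client_id, user)

    def issue_code(self, client_id, user):
        # After login, a single-use code is handed back to the application.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def _check_client(self, client_id, client_secret):
        expected = self.clients.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")

    def _issue_tokens(self, client_id, user, with_refresh):
        tokens = {"access_token": secrets.token_urlsafe(16), "expires_in": self.access_ttl}
        if user is not None:           # ID token only when a user is involved
            tokens["id_token"] = f"id-token-for-{user}"
        if with_refresh:
            rt = secrets.token_urlsafe(16)
            self.refresh_tokens[rt] = (client_id, user)
            tokens["refresh_token"] = rt
        return tokens

    def token(self, grant_type, client_id, client_secret, **params):
        self._check_client(client_id, client_secret)   # verify the caller first
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)   # pop => single-use
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue_tokens(client_id, entry[1], with_refresh=True)
        if grant_type == "refresh_token":
            entry = self.refresh_tokens.pop(params.get("refresh_token"), None)  # rotate
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue_tokens(client_id, entry[1], with_refresh=True)
        if grant_type == "client_credentials":   # M2M: no user, no refresh token
            return self._issue_tokens(client_id, None, with_refresh=False)
        raise ValueError("unsupported_grant_type")
```

Replaying a consumed authorization code or an already-used refresh token fails with invalid_grant, which is the detection signal a real authorization server logs for code or token replay.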
