Skip to main content
The Authorization Code Flow is used by server-side applications that are capable of securely storing secrets, or by native applications through Authorization Code Flow with PKCE. The OIDC-conformant pipeline affects the Authorization Code Flow in the following areas:
  • Authentication request
  • Authentication response
  • Code exchange request
  • Code exchange response
  • structure
  • structure

Authentication request

Legacy

GET /authorize?
    response_type=code
    &scope=openid email favorite_color offline_access
    &client_id=123
    &state=af0ifjsldkj
    &redirect_uri=https://app.example.com/callback
    &device=my-device-name
The device parameter is only needed if requesting a by passing the offline_access scope. To learn more, read, Refresh Tokens.

OIDC-conformant

GET /authorize?
    response_type=code
    &scope=openid email offline_access
    &client_id=123
    &state=af0ifjsldkj
    &redirect_uri=https://app.example.com/callback
    &audience=https://api.example.com
  • favorite_color is no longer a valid scope value.
  • The device parameter is removed.
  • The audience parameter is optional.

Authentication response

The response from Auth0 is identical in both pipelines: 
HTTP/1.1 302 Found
Location: https://app.example.com/callback?
    code=SplxlOBeZQQYbYS6WxSbIA
    &state=af0ifjsldkj

Code exchange request - Authorization Code flow

An authorization code can be exchanged in the same way in both pipelines: 
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data 'client_id={yourClientId}' \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data code=YOUR_AUTHORIZATION_CODE \
  --data 'redirect_uri={https://yourApp/callback}'

Code exchange request - Authorization Code flow with PKCE

An authorization code can be exchanged in the same way in both pipelines: 
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data 'client_id={yourClientId}' \
  --data code_verifier=YOUR_GENERATED_CODE_VERIFIER \
  --data code=YOUR_AUTHORIZATION_CODE \
  --data 'redirect_uri={https://yourApp/callback}'

Code exchange response

Legacy

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
    "access_token": "SlAV32hkKG",
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600,
    "id_token": "eyJ..."
}
  • The returned Access Token is only valid for calling the /userinfo endpoint.
  • A refresh token will be returned only if a device parameter was passed and the offline_access scope was requested.

OIDC-conformant

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
    "access_token": "eyJ...",
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZp8",
    "expires_in": 3600,
    "id_token": "eyJ..."
}
  • The returned access token is valid for optionally calling the API specified in the audience parameter and the /userinfo endpoint (provided that the API uses RS256 as the signing algorithm and openid is used as a scope parameter). If you are not implementing your own (API), then you can use https://{$account.namespace}/userinfo as the audience parameter, which will return an opaque Access Token.
  • A refresh token will be returned only if the offline_access scope was granted.

ID token structure

Legacy

JSON
{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": "123",
    "exp": 1482809609,
    "iat": 1482773609,
    "email": "alice@example.com",
    "email_verified": true,
    "favorite_color": "blue"
}

OIDC-conformant

JSON
{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": "123",
    "exp": 1482809609,
    "iat": 1482773609,
    "email": "alice@example.com",
    "email_verified": true,
    "https://app.example.com/favorite_color": "blue"
}
The favorite_color claim must be added through an Auth0 Action. To learn more, read Create Custom Claims.

Access token structure (optional)

Legacy

HTTP
SlAV32hkKG
The returned access token is opaque and only valid for calling the /userinfo endpoint.

OIDC-conformant

JSON
{
    "sub": "auth0|alice",
    "iss": "https://{yourDomain}/",
    "aud": [
        "https://api.example.com",
        "https://{yourDomain}/userinfo"
    ],
    "azp": "123",
    "exp": 1482816809,
    "iat": 1482809609,
    "scope": "openid email"
}
The returned access token is valid for optionally calling the API specified in the audience parameter and the /userinfo endpoint (provided that the API uses RS256 as the and openid is used as a scope parameter). If you are not implementing your own resource server (API), then you can use https://{$account.namespace}/userinfo as the audience parameter, which will return an opaque access token.

Learn more

I