Okta
Octa
Introduction
Auth0 supports various authentication authorization flows such as "Authorization Code Flow", "Authorization Code Flow with PKCE (Proof Key for Code Exchange)" and "Implicit Flow" defined in OAuth2.0 (RFC6749). By using Auth0 and the SDK provided by Auth0, you can easily implement each flow.
This page uses Authentication Code Flow (RFC6749 4.1) as an example to confirm the sequence when using Auth0. For confirmation, we will introduce the necessary Auth0 settings and the specific procedures for obtaining an access token/ID token.
premise
The information on functions and settings described on this page is current as of January 2023.
Authorization Code Flow in Auth0
The sequence of Authorization Code Flow in Auth0 is as follows.
- User: clicks the login link on the app
- App: Redirect user to Auth0 /authorize (authorization endpoint)
- Auth0: Redirect to login screen and access permission screen
- User: perform authentication and access permission consent operation
- Auth0: Redirect to application with authorization code
- App: Send authorization code to Auth0 /oauth/token (token acquisition endpoint) along with app client id and client secret
- Auth0: Validate authorization code, app client ID and client secret
- Auth0: Respond with ID token and access token
- App: Request information from the API endpoint of the resource server using the access token
- API: Validate access token, respond with requested information
preset
To confirm the above sequence, the necessary pre-settings on the Auth0 side are as follows.
*In this procedure, "https://example.com" is specified as a resource server, but it does not actually provide resources.
- Application settings
- On the Auth0 admin screen, click Applications > Applications
- Create a new Application
- Select Single Page Application
- Register resource server URLs as Allowed Callback URLs
- After creation, check the issued Client ID and Client Secret values
- API settings
- On the Auth0 admin screen, click Applications > APIs
- New API
- Register resource server URL as Identifier
- Select Access Token Profile
Confirmation procedure overview
Check the Authorization Code Flow sequence in Auth0. The overview of the confirmation procedure is as follows.
- Request an authorization code from the Auth0 /authorize endpoint
- Authentication screen display by Auth0: Perform user authentication
- Transition to the redirect destination specified in 1.: Check the authorization code from the URL
- Access Auth0 /oauth/token endpoint and get access token and ID token
- Check the acquired access token and ID token
- Make a request to the API of the resource server using the obtained access token
Confirmation procedure
1. Request authorization code from Auth0 /authorize endpoint
Access the following URL with a web browser
https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/authorize?audience=https://example.com&response_type=code&scope=openid profile email&client_id=kqapeCKisQFv3ensODztuWSvX4dYzDzz&redirect_uri=https://example.com
supplement
- <YOUR_AUTH0_TENANT_NAME>: Auth0 tenant name
- <REGION_DOMAIN>: Auth0 tenant region name
- audience=https://example.com: Identifier of the API setting in the pre-configuration
- response_type=code&scope=openid: use Authorization Code Flow + get ID token
- client_id: Client ID of Application settings in the preset
- redirect_uri: Redirect destination URL after authentication is completed
2. Authentication screen display by Auth0: Perform user authentication
3. Transition to the redirect destination specified in 1.: Check the authorization code from the URL
https://example.com/?code=LfsgBMfG4Gs_TxysEr_6yXREFb2W10a0UrL9VIwEzZpjz
4. Access Auth0 /oauth/token endpoint and get access token and ID token
> curl -X POST --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data 'grant_type=authorization_code&client_id=kqapeCKisQFv3ensODztuWSvX4dYzDzz&client_secret=gp2_bmVL-1qgHiZvh5Cv2GwxkLBard8fZD8UBBUYM5AQ5wD-_pfcuSyokX133GSo&code=LfsgBMfG4Gs_TxysEr_6yXREFb2W10a0UrL9VIwEzZpjz&redirect_uri=https://example.com'
supplement
- grant_type=authorization_code: use Authorization Code Flow
- client_id: Client ID of Application settings in the preset
- client_secret: Client Secret of the Application setting in the pre-configuration
- code: Authorization code obtained in 3.
Acquisition result
{
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp...(略)...VCIsImtpYXNwzy896vw",
"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVC...(略)...DMWec6Qrv7nR4R8Aw",
"scope":"openid profile email",
"expires_in":86400,
"token_type":"Bearer“
}
5. Confirm the acquired access token and ID token
Decode access token and ID token at jwt.io
Decoded access token (Auth0)
{
"iss": "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/",
"sub": "auth0|63914fc35f596748bf001439",
"aud": [
"https://example.com",
"https://<your_auth0_tenant_name>.<region_domain>.auth0.com/userinfo"
],
"iat": 1672296731,
"exp": 1672383131,
"azp": "kqapeCKisQFv3ensODztuWSvX4dYzDzz",
"scope": "openid profile email"
}
Decoded access token (RFC 9068)
{
"iss": "https://hoshi-demo-1.cic-demo-platform.auth0app.com/",
"sub": "auth0|6646b32e62b9bc0656d1d857",
"aud": [
"https://example.com",
https://hoshi-demo-1.cic-demo-platform.auth0app.com/userinfo
],
"iat": 1720158513,
"exp": 1720244913,
"scope": "openid profile email",
"jti": "6Ei2oYx91sBRfvxzPQyi3Q",
"client_id": "TEvXQeaLxkxuDFxv7dOjO3RHW8VT05nO“
}
supplement
- As a resource server (aud claim), in addition to the target specified in the audience parameter when requesting an authorization code, the Auth0 /userinfo endpoint (login user information acquisition) is automatically added.
Multiple audience - Auth0 docs - The access token expiration period (exp claim) is 86,400 seconds (24 hours) by default. The expiration date can be changed in the API settings.
Update Access Token Lifetime - Auth0 docs
ID token decoding result
{
"nickname": "xxxxxxxx",
"name": "xxxxxxx@xxxxxxxx.co.jp",
"picture": "https://s.gravatar.com/avatar/24b5f30a0fe65625e5afb...(略)...%2Fim.png",
"updated_at": "2022-12-27T10:50:42.856Z",
"email": "xxxxxxx@xxxxxxxx.co.jp",
"email_verified": true,
"iss": "https://<your_auth0_tenant_name>.<region_domain>.auth0.com/",
"sub": "auth0|63914fc35f596748bf001439",
"aud": "kqapeCKisQFv3ensODztuWSvX4dYzDzz",
"iat": 1672296731,
"exp": 1672332731,
"sid": "SqBjbek-b0pWC5zmampoHm4M3Rnl_pVL"
}
supplement
- The ID token expiration period (exp claim) is 36,000 seconds (10 hours) by default. The expiration date can be changed in Application settings.
Update ID Token Lifetime - Auth0 docs
6. Make a request to the resource server API using the obtained access token
Request login user information from Auth0 /userinfo endpoint
> curl --request GET --url 'https://<YOUR_AUTH0_TENANT_NAME>.<REGION_DOMAIN>.auth0.com/userinfo' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6Ikp... (snip)...VCIsImtpYXNwzy896vw' --header 'Content-Type: application/json'
Acquisition result
{
"sub":"auth0|63914fc35f596748bf001439",
"nickname":"xxxxxxxx",
"name":"xxxxxxx@xxxxxxxx.co.jp",
"picture":" https://s.gravatar.com/avatar/24b5f30a0fe65625e5afb...(略)...%2Fim.png",
"updated_at":"2022-12-27T10:50:42.856Z",
"email":"xxxxxxx@xxxxxxxx.co.jp",
"email_verified":true
}
in conclusion
We introduced the movement of Authorization Code Flow in Auth0, from requesting an authorization code to issuing an access token/ID token. We hope this will help you understand how Authentication Code Flow works and how Auth0 implements it.
reference
Inquiry/Document request
In charge of Macnica Okta Co., Ltd.
- TEL:045-476-2010
- E-mail:okta@macnica.co.jp
Weekdays: 9:00-17:00