Overview

Authentication Framework > Overview

The Authentication Framework is based upon secure, industry standards.

OAuth and OpenID Connect

The Authentication Framework protects user data using the OAuth 2.0 industry standard. With OAuth, users can delegate scoped access to third parties who wish to act on the user’s behalf. The user’s login credentials are never shared with the third party. Instead, authorization is provided to third party apps via an access token.

The Authentication Framework provides user identity information using the OpenID Connect (OIDC) industry standard. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. With OpenID Connect, third party apps are provided authenticated information about the user in the form of an identity token.

Proof Key for Code Exchange (PKCE)

Now that the OAuth 2.1 draft specification has added requirements for PKCE, our v0 endpoints now also require it. More details about PKCE can be found here: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce.

We also have a migration guide for transitioning your existing applications.

External resources

If you want to learn more about OAuth 2.0 and OpenID Connect, these external resources may be useful:

Guide: An Illustrated Guide to OAuth and OpenID Connect
Video: OAuth 2.0 and OpenID Connect (in plain English)
Article: OpenID Connect explained
Spec: OpenID Connect Core 1.0 incorporating errata set 1

Have a Question?

Have a how-to question? Seeing a weird error? Get help on StackOverflow.

Register for the Digital Toolkit Meetup where we answer technical Q&A from the audience.

Last updated Thu Jul 20 2023