The Authentication Framework is based upon secure, industry standards.
OAuth and OpenID Connect
The Authentication Framework protects user data using the OAuth 2.0 industry standard. With OAuth, users can delegate scoped access to third parties who wish to act on the user's behalf. The user's login credentials are never shared with the third party. Instead, authorization is granted to third-party apps via an access token.
The Authentication Framework provides user identity information using the OpenID Connect (OIDC) industry standard. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. With OpenID Connect, third-party apps receive authenticated information about the user in the form of an identity token.
Proof Key for Code Exchange (PKCE)
Now that the OAuth 2.1 draft specification has added requirements for PKCE, our v0 endpoints also require it. More details about PKCE can be found here: https://auth0.com/docs/flows/authorization-code-flow-with-proof-key-for-code-exchange-pkce.
We also have a migration guide for transitioning your existing applications.
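The example below, added for this page and not part of the Authentication Framework's own SDK, shows the two halves of PKCE as defined in RFC 7636: the client generates a code_verifier and derives the S256 code_challenge sent on the authorization request, and the server re-derives the challenge from the verifier presented at the token endpoint and compares it in constant time. The stored-challenge and method names are assumptions for illustration; the test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 unreserved characters allowed in a code_verifier, 43..128 chars long.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding with the '=' padding stripped, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy verifier; 32 random bytes give the 43-char minimum."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: recompute the challenge from the verifier
    the client presents and compare it with the one bound to the authorization code.
    Only S256 is accepted here; RFC 7636 allows 'plain' only as a fallback when
    S256 is unavailable, and it should not be offered by a new deployment."""
    if stored_method != "S256":
        return False
    if not _VERIFIER_RE.fullmatch(presented_verifier):
        return False  # malformed or out-of-range verifier: reject before hashing
    expected = s256_challenge(presented_verifier)
    # Constant-time comparison so a mismatch does not leak a timing signal.
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


if __name__ == "__main__":
    # Constructed walk-through: the client keeps the verifier and sends the challenge
    # with the authorization request; the server stores it alongside the issued code.
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)
    print("code_challenge sent:", challenge)
    print("token exchange accepted:", verify_pkce(challenge, "S256", verifier))
```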
If you want to learn more about OAuth 2.0 and OpenID Connect, these external resources may be useful:
- Guide: An Illustrated Guide to OAuth and OpenID Connect
- Video: OAuth 2.0 and OpenID Connect (in plain English)
- Article: OpenID Connect explained
- Spec: OpenID Connect Core 1.0 incorporating errata set 1