This tutorial will help you call your own API using the Hybrid Flow. If you want to learn how the flow works and why you should use it, see Hybrid Flow.
- Authentication API: If you prefer to build your own solution, keep reading to learn how to call our API directly.
Prerequisites
Before beginning this tutorial:-
Register your Application with Auth0.
- Select the appropriate Application Type.
- Add an Allowed Callback URL of
{https://yourApp/callback}. - Make sure your Application’s Grant Types include Implicit and Authorization Code. To learn how, read Update Grant Types.
- If you want your Application to be able to use Refresh Tokens, make sure the Application’s Grant Types include Refresh Token. To learn how, read Update Grant Types. To learn more about Refresh Tokens, read Refresh Tokens.
-
Register your API with Auth0
- If you want your API to receive Refresh Tokens to allow it to obtain new tokens when the previous ones expire, enable Allow Offline Access.
Steps
- Authorize user: Request the user’s authorization and redirect back to your app with an authorization code.
- Request tokens: Exchange your authorization code for tokens.
- Call API: Use the retrieved Access Token to call your API.
- Refresh tokens: Use a Refresh Token to request new tokens when the existing ones expire.
Authorize user
This step may include one or more of the following processes:- Authenticating the user
- Redirecting the user to an to handle authentication
- Checking for active (SSO) sessions
- Obtaining user consent for the requested permission level, unless consent has been previously given.
Example authorization URL
Parameters
Note that for authorizing a user when calling a custom API, you:- must include an parameter
- can include additional scopes supported by the target API
As an example, your HTML snippet for your authorization URL when adding login to your app might look like:
Response
If all goes well, you’ll receive anHTTP 302 response. The requested credentials are encoded in the body:
response_type.
Auth0 will also return any state value you included in your call to the authorization URL.
When you decode and parse your , you will notice an additional claim,
c_hash, which contains a hash of the code. This claim is mandatory when an ID token is issued at the same time as a code, and you should validate it:
- Using the hash algorithm specified in the
algclaim in the ID Token header, hash the octets of the ASCII representation of thecode. - Base64url-encode the left-most half of the hash.
- Check that the result matches the
c_hashvalue.
Request tokens
Now that you have an Authorization Code, you must exchange it for tokens. Using the extracted Authorization Code (code) from the previous step, you will need to POST to the token URL.
The you receive in this step is the one you should use to call your API. Make sure you keep it separate from the Access Token you received in the previous step of this tutorial.
Example POST to token URL
Parameters
Response
If all goes well, you’ll receive anHTTP 200 response with a payload containing access_token, refresh_token, id_token, and token_type values:
refresh_token will only be present in the response if you included the offline_access scope and enabled Allow Offline Access for your API in the Dashboard.
Call API
To call your API from a regular web application (or similar cases in which the application credentials can be safely stored), the application must pass the retrieved Access Token as a Bearer token in the Authorization header of your HTTP request.Refresh tokens
You have already received a refresh token if you’ve been following this tutorial and completed the following:- configured your API to allow offline access
- included the
offline_accessscope when you initiated the authentication request through the authorize endpoint.
POST request to the /oauth/token endpoint in the Authentication API, using grant_type=refresh_token.
Example POST to token URL
Parameters
Response
If all goes well, you’ll receive anHTTP 200 response with a payload containing a new access_token, its lifetime in seconds (expires_in), granted scope values, and token_type. If the scope of the initial token included openid, then the response will also include a new id_token: