Authentication and Authorization Flows

Authentication and Authorization Flows

Login 3.0 uses the OpenID Connect (OIDC) Protocol and OAuth 2.0 Authorization Framework to authenticate users and obtain their authorization to access protected resources. With Login 3.0, you can easily support different flows in your applications and APIs without worrying about OIDC/OAuth 2.0 specifications or the technical complexities of authentication and authorization.

We support scenarios for server-side, mobile, desktop, client-side, machine-to-machine, and device applications.

If you're not sure which flow to use, we can help you decide. To learn more, read Which OAuth 2.0 Flow Should I Use?

During the execution of several flows, your application must also authenticate to the Authorization Server. To learn more about application authentication, read Application Credentials.

Authorization Code Flow

Because regular web apps are server-side apps where the source code is not publicly exposed, they can use the Authorization Code Flow, which exchanges an Authorization Code for a token.

  • Authorization Code Flow

  • Add Login Using the Authorization Code Flow

  • Call API Using the Authorization Code Flow

Authorization Code Flow with Proof Key for Code Exchange (PKCE)

During authentication, mobile and native applications can use the Authorization Code Flow, but they require additional security. Additionally, single-page apps have special challenges. To mitigate these, OAuth 2.0 provides a version of the Authorization Code Flow which makes use of a Proof Key for Code Exchange (PKCE).

  • Authorization Code Flow with Proof Key for Code Exchange (PKCE)

  • Add Login Using the Authorization Code Flow with PKCE

  • Call API Using the Authorization Code Flow with PKCE

Implicit Flow with Form Post

As an alternative to the Authorization Code Flow, OAuth 2.0 provides the Implicit Flow, which is intended for Public Clients or applications that are unable to securely store Client Secrets. While this is no longer considered a best practice for requesting Access Tokens, when used with Form Post response mode, it offers a streamlined workflow if the application needs only an ID token to perform user authentication.

  • Implicit Flow with Form Post

  • Add Login Using the Implicit Flow with Form Post

  • Authenticate SPAs with Cookies

Hybrid Flow

Applications that are able to securely store Client Secrets may benefit from the use of the Hybrid Flow, which combines features of the Authorization Code Flow and Implicit Flow with Form Post. This allows your application to have immediate access to an ID token while still providing for secure and safe retrieval of access and refresh tokens. This can be useful in situations where your application needs to immediately access information about the user but must perform some processing before gaining access to protected resources for an extended period.

  • Hybrid Flow

  • Call API Using the Hybrid Flow

Client Credentials Flow

With machine-to-machine (M2M) applications, such as CLIs, daemons, or services running on your back-end, the system authenticates and authorizes the app rather than a user. For this scenario, typical authentication schemes like identifier + password or social logins don’t make sense. Instead, M2M apps use the Client Credentials Flow (defined in OAuth 2.0 RFC 6749, section 4.4).

  • Client Credentials Flow

  • Call API Using the Client Credentials Flow

Device Authorization Flow (In-Development)

With input-constrained devices that connect to the internet, rather than authenticate the user directly, the device asks the user to go to a link on their computer or smartphone and authorize the device. This avoids a poor user experience for devices that do not have an easy way to enter text. To do this, device apps use the Device Authorization Flow (drafted in OAuth 2.0). For use with mobile/native applications.

  • Device Authorization Flow

  • Call API Using the Device Authorization Flow

PreviousPlan and DesignNextWhich OAuth 2.0 Flow Should I Use?

Last updated

Was this helpful?