Class OAuth

constructor

• new OAuth(options: AuthenticationClientOptions): OAuth

  Parameters

  • options: AuthenticationClientOptions

  Returns OAuth

authorizationCodeGrant

• authorizationCodeGrant(
      bodyParameters: AuthorizationCodeGrantRequest,
      options?: AuthorizationCodeGrantOptions,
  ): Promise<JSONApiResponse<TokenSet>>

  This is the flow that regular web apps use to access an API.

  Use this endpoint to exchange an Authorization Code for a Token.

  See: https://auth0.com/docs/api/authentication#authorization-code-flow44

  Parameters

  • bodyParameters: AuthorizationCodeGrantRequest
  • options: AuthorizationCodeGrantOptions = {}

  Returns Promise<JSONApiResponse<TokenSet>>

  Example

  const auth0 = new AuthenticationApi({
     domain: 'my-domain.auth0.com',
     clientId: 'myClientId',
     clientSecret: 'myClientSecret'
  });
  
  await auth0.oauth.authorizationCodeGrant({ code: 'mycode' });
  Copy

authorizationCodeGrantWithPKCE

• authorizationCodeGrantWithPKCE(
      bodyParameters: AuthorizationCodeGrantWithPKCERequest,
      options?: AuthorizationCodeGrantOptions,
  ): Promise<JSONApiResponse<TokenSet>>

  PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use client authentication.

  See: https://auth0.com/docs/api/authentication#authorization-code-flow-with-pkce45

  Parameters

  • bodyParameters: AuthorizationCodeGrantWithPKCERequest
  • options: AuthorizationCodeGrantOptions = {}

  Returns Promise<JSONApiResponse<TokenSet>>

  Example

  const auth0 = new AuthenticationApi({
     domain: 'my-domain.auth0.com',
     clientId: 'myClientId',
     clientSecret: 'myClientSecret'
  });
  
  await auth0.oauth.authorizationCodeGrantWithPKCE({
    code: 'mycode',
    code_verifier: 'mycodeverifier'
  });
  Copy

clientCredentialsGrant

• clientCredentialsGrant(
      bodyParameters: ClientCredentialsGrantRequest,
      options?: { initOverrides?: InitOverride },
  ): Promise<JSONApiResponse<TokenSet>>

  This is the OAuth 2.0 grant that server processes use to access an API.

  Use this endpoint to directly request an Access Token by using the Client's credentials (a Client ID and a Client Secret or a Client Assertion).

  See: https://auth0.com/docs/api/authentication#client-credentials-flow

  Parameters

  • bodyParameters: ClientCredentialsGrantRequest
  • options: { initOverrides?: InitOverride } = {}

  Returns Promise<JSONApiResponse<TokenSet>>

  Example

  const auth0 = new AuthenticationApi({
     domain: 'my-domain.auth0.com',
     clientId: 'myClientId',
     clientSecret: 'myClientSecret'
  });
  
  await auth0.oauth.clientCredentialsGrant({ audience: 'myaudience' });
  Copy

pushedAuthorization

• pushedAuthorization(
      bodyParameters: PushedAuthorizationRequest,
      options?: { initOverrides?: InitOverride },
  ): Promise<JSONApiResponse<PushedAuthorizationResponse>>

  This is the OAuth 2.0 extension that allows to initiate an OAuth flow from the backchannel instead of by building a URL.

  See: https://www.rfc-editor.org/rfc/rfc9126.html

  Parameters

  • bodyParameters: PushedAuthorizationRequest
  • options: { initOverrides?: InitOverride } = {}

  Returns Promise<JSONApiResponse<PushedAuthorizationResponse>>

  Example

  const auth0 = new AuthenticationApi({
     domain: 'my-domain.auth0.com',
     clientId: 'myClientId',
     clientSecret: 'myClientSecret'
  });
  
  await auth0.oauth.pushedAuthorization({ response_type: 'id_token', redirect_uri: 'http://localhost' });
  Copy

passwordGrant

• passwordGrant(
      bodyParameters: PasswordGrantRequest,
      options?: GrantOptions,
  ): Promise<JSONApiResponse<TokenSet>>

  This information is typically received from a highly trusted public client like a SPA*. (*Note: For single-page applications and native/mobile apps, we recommend using web flows instead.)

  See: https://auth0.com/docs/api/authentication#resource-owner-password

  Parameters

  • bodyParameters: PasswordGrantRequest
  • options: GrantOptions = {}

  Returns Promise<JSONApiResponse<TokenSet>>

  Example

  const auth0 = new AuthenticationApi({
     domain: 'my-domain.auth0.com',
     clientId: 'myClientId'
     clientSecret: 'myClientSecret'
  });
  
  await auth0.oauth.passwordGrant({
      username: 'myusername@example.com',
      password: 'mypassword'
    },
    { initOverrides: { headers: { 'auth0-forwarded-for': 'END.USER.IP.123' } } }
  );
  Copy

  Set the'auth0-forwarded-for' header to the end-user IP as a string value if you want brute-force protection to work in server-side scenarios.

  See https://auth0.com/docs/get-started/authentication-and-authorization-flow/avoid-common-issues-with-resource-owner-password-flow-and-attack-protection

refreshTokenGrant

• refreshTokenGrant(
      bodyParameters: RefreshTokenGrantRequest,
      options?: GrantOptions,
  ): Promise<JSONApiResponse<TokenSet>>

  Use this endpoint to refresh an Access Token using the Refresh Token you got during authorization.

  See: https://auth0.com/docs/api/authentication#refresh-token

  Parameters

  • bodyParameters: RefreshTokenGrantRequest
  • options: GrantOptions = {}

  Returns Promise<JSONApiResponse<TokenSet>>

  Example

  const auth0 = new AuthenticationApi({
     domain: 'my-domain.auth0.com',
     clientId: 'myClientId'
     clientSecret: 'myClientSecret'
  });
  
  await auth0.oauth.refreshTokenGrant({ refresh_token: 'myrefreshtoken' })
  Copy

revokeRefreshToken

• revokeRefreshToken(
      bodyParameters: RevokeRefreshTokenRequest,
      options?: { initOverrides?: InitOverride },
  ): Promise<VoidApiResponse>

  Use this endpoint to invalidate a Refresh Token if it has been compromised.

  The behaviour of this endpoint depends on the state of the Refresh Token Revocation Deletes Grant toggle. If this toggle is enabled, then each revocation request invalidates not only the specific token, but all other tokens based on the same authorization grant. This means that all Refresh Tokens that have been issued for the same user, application, and audience will be revoked. If this toggle is disabled, then only the refresh token is revoked, while the grant is left intact.

  See: https://auth0.com/docs/api/authentication#revoke-refresh-token

  Parameters

  • bodyParameters: RevokeRefreshTokenRequest
  • options: { initOverrides?: InitOverride } = {}

  Returns Promise<VoidApiResponse>

  Example

  const auth0 = new AuthenticationApi({
     domain: 'my-domain.auth0.com',
     clientId: 'myClientId'
     clientSecret: 'myClientSecret'
  });
  
  await auth0.oauth.revokeRefreshToken({ token: 'myrefreshtoken' })
  Copy

tokenForConnection

• tokenForConnection(
      bodyParameters: TokenForConnectionRequest,
      options?: { initOverrides?: InitOverride },
  ): Promise<JSONApiResponse<TokenSet>>

  Exchanges a subject token for an access token for the connection.

  The request body includes:

  • client_id (and client_secret/client_assertion via addClientAuthentication)
  • grant_type set to urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token
  • subject_token: the token to exchange
  • subject_token_type: the type of token being exchanged. Defaults to refresh tokens (urn:ietf:params:oauth:token-type:refresh_token).
  • requested_token_type (http://auth0.com/oauth/token-type/federated-connection-access-token) indicating that a federated connection access token is desired
  • connection name and an optional login_hint if provided

  Parameters

  • bodyParameters: TokenForConnectionRequest

    The options to retrieve a token for a connection.
  • options: { initOverrides?: InitOverride } = {}

  Returns Promise<JSONApiResponse<TokenSet>>

  A promise with the token response data.

  Throws

  An error if the exchange fails.

ReadonlyidTokenValidator