Class OAuth

OAuth 2.0 flows.

Index

Constructors

constructor

Methods

  • authorizationCodeGrant
  • authorizationCodeGrantWithPKCE
  • clientCredentialsGrant
  • pushedAuthorization
  • passwordGrant
  • refreshTokenGrant
  • revokeRefreshToken
  • tokenForConnection
  • request

Properties

  • domain
  • clientId
  • clientSecret?
  • clientAssertionSigningKey?
  • clientAssertionSigningAlg?
  • useMTLS?
  • idTokenValidator
  • configuration

Constructors

constructor

new OAuth(options: AuthenticationClientOptions): OAuth

Parameters

Returns OAuth

Methods

authorizationCodeGrant

authorizationCodeGrant(
bodyParameters: AuthorizationCodeGrantRequest,
options?: AuthorizationCodeGrantOptions,
): Promise<JSONApiResponse<TokenSet>>

This is the flow that regular web apps use to access an API.

Use this endpoint to exchange an Authorization Code for a Token.

See: https://auth0.com/docs/api/authentication#authorization-code-flow

Parameters

Returns Promise<JSONApiResponse<TokenSet>>

Example

import { AuthenticationClient } from 'auth0';

const auth0 = new AuthenticationClient({
  domain: 'my-domain.auth0.com',
  clientId: 'myClientId',
  clientSecret: 'myClientSecret',
});
await auth0.oauth.authorizationCodeGrant({ code: 'mycode' });

authorizationCodeGrantWithPKCE

authorizationCodeGrantWithPKCE(
bodyParameters: AuthorizationCodeGrantWithPKCERequest,
options?: AuthorizationCodeGrantOptions,
): Promise<JSONApiResponse<TokenSet>>

PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use client authentication.

See: https://auth0.com/docs/api/authentication#authorization-code-flow-with-pkce

Parameters

Returns Promise<JSONApiResponse<TokenSet>>

Example

import { AuthenticationClient } from 'auth0';

const auth0 = new AuthenticationClient({
  domain: 'my-domain.auth0.com',
  clientId: 'myClientId',
  clientSecret: 'myClientSecret',
});
await auth0.oauth.authorizationCodeGrantWithPKCE({ code: 'mycode', code_verifier: 'mycodeverifier' });

clientCredentialsGrant

clientCredentialsGrant(
bodyParameters: ClientCredentialsGrantRequest,
options?: { initOverrides?: InitOverride },
): Promise<JSONApiResponse<TokenSet>>

This is the OAuth 2.0 grant that server processes use to access an API.

Use this endpoint to directly request an Access Token by using the Client's credentials (a Client ID and a Client Secret or a Client Assertion).

See: https://auth0.com/docs/api/authentication#client-credentials-flow

Parameters

Returns Promise<JSONApiResponse<TokenSet>>

Example

import { AuthenticationClient } from 'auth0';

const auth0 = new AuthenticationClient({
  domain: 'my-domain.auth0.com',
  clientId: 'myClientId',
  clientSecret: 'myClientSecret',
});
await auth0.oauth.clientCredentialsGrant({ audience: 'myaudience' });

pushedAuthorization

pushedAuthorization(
bodyParameters: PushedAuthorizationRequest,
options?: { initOverrides?: InitOverride },
): Promise<JSONApiResponse<PushedAuthorizationResponse>>

This is the OAuth 2.0 extension (Pushed Authorization Requests) that lets a client initiate an OAuth flow from the backchannel instead of by building a front-channel URL.

See: https://www.rfc-editor.org/rfc/rfc9126.html

Parameters

Returns Promise<JSONApiResponse<PushedAuthorizationResponse>>

Example

import { AuthenticationClient } from 'auth0';

const auth0 = new AuthenticationClient({
  domain: 'my-domain.auth0.com',
  clientId: 'myClientId',
  clientSecret: 'myClientSecret',
});
await auth0.oauth.pushedAuthorization({ response_type: 'id_token', redirect_uri: 'http://localhost' });

passwordGrant

passwordGrant(
bodyParameters: PasswordGrantRequest,
options?: GrantOptions,
): Promise<JSONApiResponse<TokenSet>>

The user's credentials are typically received from a highly trusted public client like a SPA*. (*Note: For single-page applications and native/mobile apps, we recommend using web flows instead.)

See: https://auth0.com/docs/api/authentication#resource-owner-password

Parameters

Returns Promise<JSONApiResponse<TokenSet>>

Example

import { AuthenticationClient } from 'auth0';

const auth0 = new AuthenticationClient({
  domain: 'my-domain.auth0.com',
  clientId: 'myClientId',
  clientSecret: 'myClientSecret',
});
await auth0.oauth.passwordGrant(
  { username: '[email protected]', password: 'mypassword' },
  { initOverrides: { headers: { 'auth0-forwarded-for': 'END.USER.IP.123' } } },
);

Set the 'auth0-forwarded-for' header to the end-user IP as a string value if you want brute-force protection to work in server-side scenarios; without it, Auth0 sees every attempt as coming from your server's IP.

See https://auth0.com/docs/get-started/authentication-and-authorization-flow/avoid-common-issues-with-resource-owner-password-flow-and-attack-protection

refreshTokenGrant

refreshTokenGrant(
bodyParameters: RefreshTokenGrantRequest,
options?: GrantOptions,
): Promise<JSONApiResponse<TokenSet>>

Use this endpoint to refresh an Access Token using the Refresh Token you got during authorization.

See: https://auth0.com/docs/api/authentication#refresh-token

Parameters

Returns Promise<JSONApiResponse<TokenSet>>

Example

import { AuthenticationClient } from 'auth0';

const auth0 = new AuthenticationClient({
  domain: 'my-domain.auth0.com',
  clientId: 'myClientId',
  clientSecret: 'myClientSecret',
});
await auth0.oauth.refreshTokenGrant({ refresh_token: 'myrefreshtoken' });

revokeRefreshToken

revokeRefreshToken(
bodyParameters: RevokeRefreshTokenRequest,
options?: { initOverrides?: InitOverride },
): Promise<VoidApiResponse>

Use this endpoint to invalidate a Refresh Token if it has been compromised.

The behaviour of this endpoint depends on the state of the Refresh Token Revocation Deletes Grant toggle. If this toggle is enabled, then each revocation request invalidates not only the specific token, but all other tokens based on the same authorization grant. This means that all Refresh Tokens that have been issued for the same user, application, and audience will be revoked. If this toggle is disabled, then only the refresh token is revoked, while the grant is left intact.

See: https://auth0.com/docs/api/authentication#revoke-refresh-token

Parameters

Returns Promise<VoidApiResponse>

Example

import { AuthenticationClient } from 'auth0';

const auth0 = new AuthenticationClient({
  domain: 'my-domain.auth0.com',
  clientId: 'myClientId',
  clientSecret: 'myClientSecret',
});
await auth0.oauth.revokeRefreshToken({ token: 'myrefreshtoken' });

tokenForConnection

tokenForConnection(
bodyParameters: TokenForConnectionRequest,
options?: { initOverrides?: InitOverride },
): Promise<JSONApiResponse<TokenSet>>

Exchanges a subject token for an access token for the connection.

The request body includes:

  • client_id (and client_secret/client_assertion via addClientAuthentication)
  • grant_type set to urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token
  • subject_token: the token to exchange
  • subject_token_type: the type of token being exchanged. Defaults to refresh tokens (urn:ietf:params:oauth:token-type:refresh_token).
  • requested_token_type (http://auth0.com/oauth/token-type/federated-connection-access-token) indicating that a federated connection access token is desired
  • connection name and an optional login_hint if provided

Parameters

The options to retrieve a token for a connection.

Returns Promise<JSONApiResponse<TokenSet>>

A promise with the token response data.

Throws

An error if the exchange fails.

Protected request

request(
context: RequestOpts,
initOverrides?: RequestInit | InitOverrideFunction,
): Promise<Response>

Parameters

Returns Promise<Response>

Properties

domain

domain: string

clientId

clientId: string

Optional clientSecret

clientSecret?: string

Optional clientAssertionSigningKey

clientAssertionSigningKey?: string

Optional clientAssertionSigningAlg

clientAssertionSigningAlg?: string

Optional useMTLS

useMTLS?: boolean

Readonly idTokenValidator

idTokenValidator: IDTokenValidator

Protected configuration

configuration: Configuration
