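<!DOCTYPE html>
<html lang="en-US">
<head>
  <!-- Document head for the rendered VuePress page. Fixes relative to the collapsed original:
       the GTM bootstrap is laid out so its "//" comments no longer swallow the code that
       followed them on the same line; defer="true" is the boolean defer; crossorigin="true"
       (not a valid token) is spelled as the anonymous state it already mapped to; the
       misspelled XA-UA-Compatible meta is X-UA-Compatible; and the duplicated viewport,
       msapplication-config and X-UA-Compatible metas appear once. -->
  <meta charset="utf-8">
  <!-- Single viewport declaration; no maximum-scale/user-scalable, so zoom stays available. -->
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>OAuth 2.0 and OpenID Connect overview | Okta Developer</title>
  <meta name="generator" content="VuePress 1.9.8">
  <!-- Third-party search UI pinned by SRI: a tampered or substituted CDN copy is refused. -->
  <link rel="stylesheet" href="https://static.cloud.coveo.com/searchui/v2.8959/14/css/CoveoFullSearch.min.css" integrity="sha512-DzuDVtX/Dud12HycdAsm2k9D1UQ8DU7WOj7cBRnSsOKQbKfkI94g0VM9hplM0BkQ0VXdDiQYU9GvUzMmw2Khaw==" crossorigin="anonymous">
  <script class="coveo-script" src="https://static.cloud.coveo.com/searchui/v2.8959/14/js/CoveoJsSearch.Lazy.min.js" integrity="sha512-RV1EooPduQhwl0jz+hmjBw/nAtfeXNm6Dm/hlCe5OR1jAlG4RErUeYfX1jaaM88H8DiyCJDzEWZkOR0Q13DtrA==" crossorigin="anonymous" defer></script>
  <!-- NOTE(review): this third-party script is fetched synchronously with no integrity/crossorigin,
       so it is render-blocking and, unlike the Coveo assets above, not pinned by SRI. The vendor's
       published hash is not on this page, so none is invented here; add it (with crossorigin) when
       known, and consider defer if nothing in the page depends on it running before parse ends. -->
  <script src="https://geoip-js.com/js/apis/geoip2/v2.1/geoip2.js"></script>
  <link rel="apple-touch-icon" sizes="180x180" href="/favicon/favicon.png">
  <link rel="icon" type="image/png" href="/favicon/favicon.png">
  <link rel="icon" type="image/svg" sizes="32x32" href="/favicon/favicon.svg">
  <link rel="icon" type="image/svg" sizes="16x16" href="/favicon/favicon.svg">
  <link rel="manifest" href="/favicon/manifest.json">
  <link rel="mask-icon" href="/favicon/favicon.png">
  <!-- The preload must use the same crossorigin mode as the stylesheet request that consumes it,
       otherwise the preloaded response is discarded and fetched again. -->
  <link rel="preload" href="https://use.typekit.net/osg6paw.css" as="style" crossorigin="anonymous">
  <link rel="stylesheet" href="https://use.typekit.net/osg6paw.css" crossorigin="anonymous">
  <meta name="msapplication-config" content="/favicon/browserconfig.xml">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <script>
    // Google Tag Manager bootstrap. The dataLayer is created unconditionally so the page can push
    // events before gtm.js arrives; the container itself is only loaded on the production host so
    // preview/staging builds do not report into it.
    // NOTE(review): this inline script (and the inline event wiring GTM injects) is incompatible
    // with a strict nonce/hash-based CSP; the protocol-relative gtm.js URL resolves to the page's
    // own scheme, so it is https only because the page is served over https.
    window.dataLayer = window.dataLayer || [];
    var isProduction = window.location.hostname === 'developer.okta.com';
    if (isProduction) {
      // START Google Tag Manager - main container
      (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-KXMLV58');
      // END Google Tag Manager
    }
  </script>
  <meta name="description" content="Secure, scalable, and highly available authentication and user management for any app.">
  <link rel="canonical" href="https://developer.okta.com/docs/concepts/oauth-openid/">
  <!-- Same-origin build assets emitted by VuePress; preloaded so the app bundle and route chunks
       are fetched before the parser reaches the stylesheet/script tags that use them. -->
  <link rel="preload" href="/assets/css/2.styles.916c88f2.css" as="style">
  <link rel="preload" href="/assets/js/app.8d18bbef.js" as="script">
  <link rel="preload" href="/assets/js/185.c681fd7f.js" as="script">
  <link rel="preload" href="/assets/js/187.158c23d4.js" as="script">
  <link rel="preload" href="/assets/js/65.d1132cc4.js" as="script">
  <link rel="preload" href="/assets/js/225.45dd681b.js" as="script">
  <link rel="preload" href="/assets/js/188.7802dab9.js" as="script">
  <link rel="preload" href="/assets/js/219.321ff151.js" as="script">
  <link rel="preload" href="/assets/js/80.6ed389a3.js" as="script">
  <link rel="preload" href="/assets/js/204.a717d129.js" as="script">
  <link rel="preload" href="/assets/js/206.c32c8d9a.js" as="script">
  <link rel="preload" href="/assets/js/216.08cb65a0.js" as="script">
  <link rel="preload" href="/assets/js/81.b90fa567.js" as="script">
  <link rel="preload" href="/assets/js/210.8b5a03b4.js" as="script">
  <link rel="preload" href="/assets/js/195.76e2f625.js" as="script">
  <link rel="preload" href="/assets/js/220.2c485c69.js" as="script">
  <link rel="preload" href="/assets/js/202.5c8678e1.js" as="script">
  <link rel="preload" href="/assets/js/371.6ae0a348.js" as="script">
  <link rel="preload" href="/assets/js/205.2b78ea63.js" as="script">
  <link rel="preload" href="/assets/js/191.c4d08a47.js" as="script">
  <link rel="preload"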
href="/assets/js/64.2aa9ad79.js" as="script"><link rel="preload" href="/assets/js/215.a532e816.js" as="script"> <link rel="stylesheet" href="/assets/css/2.styles.916c88f2.css"> </head> <body> <div id="app" data-server-rendered="true"><div class="layout"><div class="fixed-header"><div class="header-banner" style="display:none;" data-v-3d4eeb36><div class="header-banner-content" data-v-3d4eeb36><p data-v-3d4eeb36> Check out our new and improved <a href="https://developer.okta.com/docs/api/" target="_blank" data-v-3d4eeb36> API documentation! ↗ </a></p></div> <!----></div> <header class="page-header"><a href="/" class="header--logo"><img src="/img/logotype.svg" width="180" height="28" alt="Okta developer logotype"></a> <div class="menu--slideout"><div class="search--slideout opened"><div class="search--wrapper"><div data-search-bar data-pipeline="developer-okta-com" class="SearchBox"><div class="search--form"><div class="CoveoOmnibox"></div></div> <div class="CoveoAnalytics"></div></div></div></div> <div class="header--links"><ul class="menu--items menu--desktop"><li index="0" class="expandable"><span class="link link--small link--semi-bold">Community</span> <ul class="submenu--items"><li><a href="https://devforum.okta.com" target="_blank" rel="noopener noreferrer" class="link link--small link--semi-bold link--black"><span>Forum</span></a> <!----></li><li><div class="menu--divider"></div> <!----></li><li><div class="menu--icons"><a href="https://github.com/oktadev" target="_blank" rel="noopener noreferrer" class="menu--icon"><i><svg width="19" height="18" fill="none" xmlns="http://www.w3.org/2000/svg"><path d="M17.214 4.595a9.185 9.185 0 00-3.358-3.358C12.443.412 10.9 0 9.226 0 7.552 0 6.008.412 4.595 1.237a9.184 9.184 0 00-3.358 3.358C.412 6.008 0 7.552 0 9.225c0 2.01.587 3.818 1.76 5.424 1.173 1.606 2.689 2.717 4.546 3.333.217.04.377.012.48-.084a.47.47 0 00.157-.36l-.006-.649c-.004-.408-.006-.764-.006-1.069l-.276.048a3.52 3.52 0 01-.667.042 5.092 5.092 0 
style="display:none;visibility:hidden;"></ul> </div></div> <!----> <div class="content__default"><h1>OAuth 2.0 and OpenID Connect overview</h1> <p>OAuth 2.0 and OpenID Connect (OIDC) are industry standard protocols for user authentication and authorization. Okta identity solutions are based on these standards.</p> <hr> <h4 id="learning-outcomes">Learning outcomes <a href="#learning-outcomes" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h4> <ul><li>Learn the difference between OAuth 2.0 and OIDC.</li> <li>Learn how to implement flows based on OAuth 2.0 and OIDC using Okta.</li> <li>Learn which flows and grant types are commonly used by different types of apps.</li></ul> 
<blockquote><p><strong>Note</strong>: To learn about the Okta authentication deployment models built on top of OAuth 2.0 and OIDC, see <a href="/docs/concepts/redirect-vs-embedded/">Okta deployment models</a>.</p></blockquote> <h2 id="oauth-2-0-vs-openid-connect">OAuth 2.0 vs. OpenID Connect <a href="#oauth-2-0-vs-openid-connect" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h2> <p>OAuth 2.0 and OpenID Connect (OIDC) are complementary protocols. 
They define how a server authenticates a user, and then grants the user access to resources.</p> <ul><li><a href="https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/" target="_blank" rel="noopener noreferrer">OAuth 2.0<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> controls and delegates authorization to access a protected resource, like your web app, native app, or API service. It provides API security through scoped access tokens.</li> <li><a href="https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/" target="_blank" rel="noopener noreferrer">OIDC<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> extends OAuth 2.0 with user authentication and Single Sign-On (SSO) functionality. It enables you to retrieve and store authentication information about your end users. It also defines several OAuth 2.0 scopes to enable apps to access user profile information.</li></ul> <p>Okta recommends using one of its authentication deployment models for your app's authentication needs. 
Each model abstracts over the OAuth 2.0 and OIDC protocols, so you don't have to use them directly. To get started and to find sample apps, see <a href="/docs/guides/sign-in-overview/">Sign users in</a>.</p> <blockquote><p><strong>Tip</strong>: Use the <a href="/docs/reference/api/authn/">Authentication API</a> if you require a custom app setup and workflow with direct access to your Okta org and app integrations. This API underpins both the Okta <a href="/docs/guides/sign-into-web-app-redirect/">redirect model</a>, <a href="/docs/guides/embedded-siw/">Embedded Sign-In Widget</a>, and <a href="/docs/guides/auth-js/">Auth JS</a> SDKs.</p></blockquote> <h3 id="oauth-2-0">OAuth 2.0 <a href="#oauth-2-0" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 
10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <p>OAuth 2.0 is a standard that apps use to grant client apps access to their data. If you want to grant access to your app's data in a secure way, use the OAuth 2.0 protocol.</p> <p>The OAuth 2.0 spec has four important roles:</p> <ul><li><strong>Client</strong>: The app that wants to access some data.</li> <li><strong>Resource server</strong>: The API or app that stores the data the client wants to access.</li> <li><strong>Resource owner</strong>: The owner of the data on the resource server. For example, you're the owner of your Facebook profile.</li> <li><strong>Authorization server</strong>: The server that manages access and issues access tokens. In this case, Okta is the authorization server.</li></ul> <p>Other important terms:</p> <ul><li><strong>OAuth 2.0 grant</strong>: The authorization given (or granted) to the client by the user. Examples of grants are <strong>Authorization Code</strong> and <strong>Client Credentials</strong>. Each OAuth grant has a corresponding flow. 
See <a href="#choose-an-oauth-2-0-flow">Choose an OAuth 2.0 flow</a>.</li> <li><strong>access token</strong>: The token issued by the authorization server (Okta) in exchange for the grant.</li> <li><strong>refresh token</strong>: An optional token that is exchanged for a new access token if the access token has expired.</li></ul> <blockquote><p><strong>Note:</strong> For more information on hard-coded and configurable token lifetimes, see <a href="https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#token-lifetime" target="_blank" rel="noopener noreferrer">Token lifetime<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>.</p></blockquote> <p>The following describes the usual OAuth 2.0 Authorization Code flow.</p> <ol><li>The client requests authorization from the resource owner (usually the user).</li> <li>If the owner gives authorization, the client passes the authorization grant to the authorization server (in this case Okta).</li> <li>If the grant is valid, the authorization server returns an access token, possibly alongside a refresh and/or ID token.</li> <li>The client now uses that access token to access the resource server.</li></ol> <blockquote><p><strong>Note:</strong> For a deeper dive into OAuth 2.0, review the <a href="/blog/2017/06/21/what-the-heck-is-oauth">What the Heck is OAuth? 
blog</a> and the <a href="https://tools.ietf.org/html/rfc6749" target="_blank" rel="noopener noreferrer">OAuth 2.0 spec<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>.</p></blockquote> <p>At the core of both OAuth 2.0 and OIDC is the authorization server. An authorization server is simply an OAuth 2.0 token minting engine. Each authorization server has a unique issuer URI and its own signing key for tokens to keep a proper boundary between security domains. In the context of this guide, Okta is your authorization server.</p> <p>The authorization server also acts as an OIDC provider. 
This means you can request <a href="https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#id-token" target="_blank" rel="noopener noreferrer">ID tokens<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> in addition to <a href="https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#access-token" target="_blank" rel="noopener noreferrer">access tokens<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> from the authorization server endpoints.</p> <blockquote><p><strong>Note:</strong> For information on authorization servers, how they work, and how you can use them, see <a href="/docs/concepts/auth-servers">Authorization servers</a>.</p></blockquote> <h3 id="openid-connect">OpenID Connect <a href="#openid-connect" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 
10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <p>OpenID Connect (OIDC) is an authentication standard built on top of OAuth 2.0. It defines an ID token type to pair with OAuth 2.0 access and refresh tokens. OIDC also standardizes areas that OAuth 2.0 leaves up to choice, such as scopes, endpoint discovery, and the dynamic registration of clients. 
Okta is <a href="https://openid.net/certification/" target="_blank" rel="noopener noreferrer">OpenID Certified<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a>.</p> <p>Although OIDC extends OAuth 2.0, the <a href="https://openid.net/connect/" target="_blank" rel="noopener noreferrer">OIDC specification<span><svg xmlns="http://www.w3.org/2000/svg" aria-hidden="true" focusable="false" x="0px" y="0px" viewBox="0 0 100 100" width="15" height="15" class="icon outbound"><path fill="currentColor" d="M18.8,85.1h56l0,0c2.2,0,4-1.8,4-4v-32h-8v28h-48v-48h28v-8h-32l0,0c-2.2,0-4,1.8-4,4v56C14.8,83.3,16.6,85.1,18.8,85.1z"></path> <polygon fill="currentColor" points="45.7,48.7 51.3,54.3 77.2,28.5 77.2,37.2 85.2,37.2 85.2,14.9 62.8,14.9 62.8,22.9 71.5,22.9"></polygon></svg> <span class="sr-only">(opens new window)</span></span></a> uses slightly different terms for the roles in the flows:</p> <ul><li><strong>OpenID provider</strong>: The authorization server that issues the ID token. 
In this case Okta is the OpenID provider.</li> <li><strong>end user</strong>: The end user's information that is contained in the ID token.</li> <li><strong>relying party</strong>: The client app that requests the ID token from Okta.</li> <li><strong>ID token</strong>: The token issued by the OpenID provider that contains information about the end user in the form of claims.</li> <li><strong>claim</strong>: The claim is a piece of information about the end user.</li></ul> <p>The high-level flow looks the same for both OpenID Connect and regular OAuth 2.0 flows. The primary difference is that an OpenID Connect flow results in an ID token, in addition to any access or refresh tokens.</p> <h2 id="choose-an-oauth-2-0-flow">Choose an OAuth 2.0 flow <a href="#choose-an-oauth-2-0-flow" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 
17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h2> <p>The OAuth flow that you use depends on your use case. The following sections recommend OAuth 2.0 flows based on:</p> <ul><li>The type of app that you're building and the token types that the app requires</li> <li>The type of client that you're building</li></ul> <h3 id="what-type-of-app-are-you-building">What type of app are you building? <a href="#what-type-of-app-are-you-building" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <p>The following table shows you which OAuth 2.0 flow to use for the type of app that you're 
building.</p> <table><thead><tr><th>Type of app</th> <th>OAuth 2.0 flow / grant type</th> <th>Access token?</th> <th>ID token?</th></tr></thead> <tbody><tr><td>Server-side (aka web), <br>Single-Page Application, <br>or Native</td> <td><a href="#authorization-code-flow-with-pkce-flow">Authorization Code with PKCE</a> or<br> <a href="#interaction-code-flow">Interaction Code</a> (Identity Engine only).</td> <td>✅</td> <td>✅</td></tr> <tr><td>Trusted</td> <td><a href="#interaction-code-flow">Interaction Code</a></td> <td>✅</td> <td>✅</td></tr> <tr><td>Service</td> <td><a href="#client-credentials-flow">Client Credentials</a></td> <td>✅</td> <td>❌</td></tr></tbody></table> <blockquote><p><strong>Note</strong>: There's also an OAuth 2.0 <a href="#saml-2-0-assertion-flow">SAML 2.0 Assertion flow</a>. This flow is intended for client apps that want to use an existing trust relationship without a direct user approval step at the authorization server. It supports access and ID tokens.</p></blockquote> <h3 id="what-kind-of-client-are-you-building">What kind of client are you building? 
<a href="#what-kind-of-client-are-you-building" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <p>The type of OAuth 2.0 flow depends on what kind of client that you're building. This flowchart can quickly help you decide which flow to use.</p> <div class="full border"><p><img src="/img/authorization/oauth_grant_flowchart_new.png" alt="The decision tree for choosing the correct OAuth 2.0 flow based on the type of client being built"></p></div> <h4 id="is-your-client-public">Is your client public? 
<a href="#is-your-client-public" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h4> <p>Single-Page Applications (SPAs), mobile, and native apps are <strong>public</strong> apps where end users can view and possibly modify the source code of the app. Any secrets in the code are exposed to malicious users. By comparison, server-side (web) and desktop apps are <strong>confidential</strong> or <strong>private</strong> apps. Confidential clients can use client-side authentication methods such as client secrets and private keys.</p> <h4 id="does-your-client-use-the-redirect-or-embedded-model">Does your client use the redirect or embedded model? 
<a href="#does-your-client-use-the-redirect-or-embedded-model" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h4> <blockquote><p><strong>Note</strong>: Okta recommends using redirect authentication in your apps whenever possible. Redirect authentication provides stronger security than the embedded model. See <a href="/docs/concepts/redirect-vs-embedded/#redirect-vs-embedded">Redirect vs. 
embedded</a>.</p></blockquote> <p><a href="/docs/concepts/redirect-vs-embedded/#redirect-authentication">The redirect model</a></p> <p>Use the <a href="#authorization-code-flow-with-pkce-flow">Authorization Code with PKCE</a> flow if your SPA or native app redirects authentication requests to an Okta-hosted sign-in page.</p> <p><a href="/docs/concepts/redirect-vs-embedded/#embedded-authentication">The embedded model</a></p> <p>Use the <a href="#interaction-code-flow">Interaction Code flow</a> if your app hosts the authentication flow itself.</p> <h4 id="does-the-client-have-an-end-user">Does the client have an end user? <a href="#does-the-client-have-an-end-user" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 
59.271-155.699.001-214.959z"></path></svg></a></h4> <p>A client app that runs on a server with no direct end user can be trusted to use its own credentials responsibly. If your client app is only doing machine-to-machine interaction, then you should use the <a href="#client-credentials-flow">Client Credentials flow</a>.</p> <h4 id="is-your-app-high-trust">Is your app high-trust? <a href="#is-your-app-high-trust" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h4> <p>An app is <strong>high-trust</strong> if you own it and the resource that it accesses. Because you own both, you can trust the app to handle your end users' usernames and passwords. 
In this case, and <em>only if other flows aren't viable</em>, you can use the <a href="#resource-owner-password-flow">Resource Owner Password flow</a>. However, it isn't possible to use this flow with multifactor authentication, so consider alternatives such as the <a href="/docs/guides/implement-grant-type/authcode/main/">Authorization Code</a> or <a href="#interaction-code-flow">Interaction Code flow</a>.</p> <p>If your app isn't high-trust, or if you want to take advantage of multifactor authentication, you should use the <a href="/docs/guides/implement-grant-type/authcode/main/">Authorization Code</a> flow.</p> <h3 id="authorization-code-flow-with-pkce-flow">Authorization Code flow with PKCE flow <a href="#authorization-code-flow-with-pkce-flow" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 
52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <p>Proof Key for Code Exchange (PKCE) was originally designed as an extension to protect the Authorization Code flow in mobile apps. However, its ability to prevent authorization code injection and keep the flow secure makes it optimal for every type of OAuth client. Okta recommends that you use the Authorization Code flow with PKCE for your OAuth client, if possible.</p> <p>The flow requires your app to generate a cryptographically random string called a <strong>code verifier</strong>. The code verifier is then hashed to create the <strong>code challenge</strong>, and this challenge is passed along with the request for the authorization code. The authorization server responds with an authorization code and associates the code challenge with the authorization code.</p> <p>After the app receives the authorization code, it sends the authorization code and the code verifier in a request for an access token. The authorization server recomputes the challenge from the verifier using the previously agreed-upon hash algorithm. The authorization server then compares the challenge with the one it associated with the authorization code in the previous step. 
If the two code challenges match, the authorization server knows that the same client sent both requests.</p> <blockquote><p><strong>Note:</strong> For implementing refresh tokens with SPAs and other browser-based apps, see <a href="/docs/guides/refresh-tokens/main/">Refresh access tokens</a>.</p></blockquote> <div class="three-quarter"><p><img src="/img/authorization/oauth-auth-code-pkce-grant-flow.png" alt="Sequence diagram that displays the interaction between the resource owner, authorization server, and resource server for Authorization Code flow with PKCE"></p></div> <p>For information on how to set up your app to use this flow, see <a href="/docs/guides/implement-grant-type/authcodepkce/main/">Implement the Authorization Code flow with PKCE</a>.</p> <h3 id="interaction-code-flow">Interaction Code flow <a href="#interaction-code-flow" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 
73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <p>The Interaction Code flow extends the OAuth 2.0 and OIDC standards. It requires clients to pass a client ID and PKCE parameters to Okta to keep the flow secure. The user can start the request with minimal information, relying on the client to facilitate the interactions with Okta to authenticate the user. See <a href="/docs/concepts/interaction-code/">Interaction Code grant type</a>.</p> <blockquote><p><strong>Note</strong>: Interaction Code flow is only available in Identity Engine orgs.</p></blockquote> <div class="three-quarter"><p><img src="/img/authorization/oauth-interaction-code-grant-flow.png" alt="Sequence diagram that displays the interactions between the resource owner, authorization server, and resource server for Interaction Code flow"></p></div> <h3 id="resource-owner-password-flow">Resource Owner Password flow <a href="#resource-owner-password-flow" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 
20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <p>The Resource Owner Password flow is intended for use cases where:</p> <ul><li>You control both the client app and the resource that it's interacting with.</li> <li>The client can store a client secret and can be trusted with the resource owner's credentials.</li> <li>You don't need your users to use multifactor authentication.</li></ul> <p>It's most commonly found in first-party clients made for online services, like the Facebook client apps that interact with the Facebook service. It doesn't require redirects like the Authorization Code or Implicit flows, and involves a single authenticated call to the <code>/token</code> endpoint.</p> <div class="three-quarter"><p><img src="/img/authorization/oauth-resource-owner-password-grant-flow.png" alt="Sequence diagram that shows the interaction between the resource owner, authorization server, and resource server for Resource Owner Password flow"></p></div> <p>For information on how to set up your app to use this flow, see <a href="/docs/guides/implement-grant-type/ropassword/main/">Implement the Resource Owner Password flow</a>.</p> <h3 id="client-credentials-flow">Client Credentials flow <a href="#client-credentials-flow" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 
5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <p>The Client Credentials flow is intended for server-side (confidential) client apps with no end user. Normally, this means machine-to-machine communication. The app needs to be server-side because it must be trusted with the client secret. Since the credentials are hard-coded, an actual end user can't use it. 
It involves a single, authenticated request to the <code>/token</code> endpoint, which returns an access token.</p> <blockquote><p><strong>Note:</strong> The Client Credentials flow doesn't support refresh tokens.</p></blockquote> <div class="three-quarter"><p><img src="/img/authorization/oauth-client-creds-grant-flow.png" alt="Sequence diagram that displays the interaction between the resource owner, authorization server, and resource server for the Client Credentials flow"></p></div> <p>For information on how to set up your app to use this flow, see <a href="/docs/guides/implement-grant-type/clientcreds/main/">Implement the Client Credentials flow</a>.</p> <h3 id="saml-2-0-assertion-flow">SAML 2.0 Assertion flow <a href="#saml-2-0-assertion-flow" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 
13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <p>This flow is intended for a client app that uses an existing trust relationship without a direct user approval step at the authorization server. It enables a client app to obtain authorization by presenting a valid, signed SAML assertion from the SAML Identity Provider. The client app can then exchange that assertion for an OAuth access token from the OAuth authorization server. For example, this flow is useful when you want to fetch data from APIs that only support delegated permissions without prompting the user for credentials.</p> <p>To use a SAML 2.0 Assertion as an authorization grant, the client makes a SAML request to the Identity Provider. The Identity Provider then sends the SAML 2.0 Assertion back in the response. The client then makes a request for an access token with the <code>urn:ietf:params:oauth:grant-type:saml2-bearer</code> grant type and includes the <code>assertion</code> parameter. The value of the <code>assertion</code> parameter is the SAML 2.0 Assertion that is Base64-encoded. 
You can send only one SAML assertion in that request.</p> <div class="three-quarter"><p><img src="/img/authorization/oauth-saml2-assertion-grant-flow.png" alt="Sequence diagram for the SAML 2.0 Assertion flow that shows the interaction between the resource owner, authorization server, identity provider, and client"></p></div> <p>For information on how to set up your app to use this flow, see <a href="/docs/guides/implement-grant-type/saml2assert/main/">Implement the SAML 2.0 Assertion flow</a>.</p> <h3 id="implicit-flow">Implicit flow <a href="#implicit-flow" class="header-anchor header-link"><svg viewBox="0 0 512 512"><path fill="currentColor" d="M326.612 185.391c59.747 59.809 58.927 155.698.36 214.59-.11.12-.24.25-.36.37l-67.2 67.2c-59.27 59.27-155.699 59.262-214.96 0-59.27-59.26-59.27-155.7 0-214.96l37.106-37.106c9.84-9.84 26.786-3.3 27.294 10.606.648 17.722 3.826 35.527 9.69 52.721 1.986 5.822.567 12.262-3.783 16.612l-13.087 13.087c-28.026 28.026-28.905 73.66-1.155 101.96 28.024 28.579 74.086 28.749 102.325.51l67.2-67.19c28.191-28.191 28.073-73.757 0-101.83-3.701-3.694-7.429-6.564-10.341-8.569a16.037 16.037 0 01-6.947-12.606c-.396-10.567 3.348-21.456 11.698-29.806l21.054-21.055c5.521-5.521 14.182-6.199 20.584-1.731a152.482 152.482 0 0120.522 17.197zM467.547 44.449c-59.261-59.262-155.69-59.27-214.96 0l-67.2 67.2c-.12.12-.25.25-.36.37-58.566 58.892-59.387 154.781.36 214.59a152.454 152.454 0 0020.521 17.196c6.402 4.468 15.064 3.789 20.584-1.731l21.054-21.055c8.35-8.35 12.094-19.239 11.698-29.806a16.037 16.037 0 00-6.947-12.606c-2.912-2.005-6.64-4.875-10.341-8.569-28.073-28.073-28.191-73.639 0-101.83l67.2-67.19c28.239-28.239 74.3-28.069 102.325.51 27.75 28.3 26.872 73.934-1.155 101.96l-13.087 13.087c-4.35 4.35-5.769 10.79-3.783 16.612 5.864 17.194 9.042 34.999 9.69 52.721.509 13.906 17.454 20.446 27.294 10.606l37.106-37.106c59.271-59.259 59.271-155.699.001-214.959z"></path></svg></a></h3> <blockquote><p><strong>Note:</strong> The Implicit flow is a 
legacy flow used only for SPAs that can't support PKCE.</p></blockquote> <p>The Implicit flow is intended for browser-based apps that don't support Cross-Origin Resource Sharing (CORS). This flow is also intended for browser-based apps that lack modern cryptography APIs, and that can't protect a client secret. In this flow, the client doesn't make a request to the <code>/token</code> endpoint, but instead receives the access token in the redirect from the <code>/authorize</code> endpoint. The client must be able to interact with the resource owner's user agent and to receive incoming requests (through redirection) from the authorization server.</p> <blockquote><p><strong>Note:</strong> Because it was always intended for less-trusted clients, the Implicit flow doesn't support refresh tokens.</p></blockquote> <blockquote><p><strong>Important:</strong> For Single-Page apps (SPA) running in modern browsers that support Web Crypto for PKCE, Okta recommends using the <a href="#authorization-code-flow-with-pkce-flow">Authorization Code flow with PKCE</a>. Use this flow instead of the Implicit flow for maximum security. 
If support for older browsers is required, the Implicit flow provides a functional solution.</p></blockquote> <div class="three-quarter"><p><img src="/img/authorization/oauth-implicit-grant-flow.png" alt="Sequence diagram that displays the interaction between the resource owner, authorization server, and resource server for the Implicit grant flow"></p></div> <p>For information on how to set up your app to use this flow, see <a href="/docs/guides/implement-grant-type/implicit/main/">Implement the Implicit flow</a>.</p></div>
class="link-list--text"></span></a></li></ul></div> <div class="footer--column contact"><h3 class="column--header"> Contact & Legal </h3> <ul class="link-list"><li class="link-list--item"><a href="https://www.okta.com/contact/" target="_self" class="link link-list--link"><span class="link-list--text">Contact our team</span></a></li><li class="link-list--item"><a href="https://www.okta.com/contact-sales/" target="_self" class="link link-list--link"><span class="link-list--text">Contact sales</span></a></li><li class="link-list--item"><a href="/terms/" class="link link-list--link"><span class="link-list--text">Developer Service terms</span></a></li><li class="link-list--item"><a href="https://www.okta.com/terms-of-service/" target="_blank" rel="noopener noreferrer" class="link link-list--link"><span class="link-list--text">Site terms</span></a></li><li class="link-list--item"><a href="https://www.okta.com/privacy-policy/" target="_self" class="link link-list--link"><span class="link-list--text">Privacy policy</span></a></li><li class="link-list--item"><a href="/copyright/" class="link link-list--link"><span class="link-list--text">Copyright & trademarks</span></a></li></ul></div> <div class="footer--column more"><h3 class="column--header"> More information </h3> <ul class="link-list"><li class="link-list--item"><a href="/okta-integration-network/" class="link link-list--link"><span class="link-list--text">Integrate with Okta</span></a></li><li class="link-list--item"><a href="https://www.okta.com/pricing/#workforce-identity-pricing" target="_blank" rel="noopener noreferrer" class="link link-list--link"><span class="link-list--text">Pricing</span></a></li><li class="link-list--item"><a href="/3rd_party_notices/" class="link link-list--link"><span class="link-list--text">3rd-party notes</span></a></li><li class="link-list--item"><a href="https://developer.auth0.com/" target="_blank" rel="noopener noreferrer" class="link link-list--link"><span 
class="link-list--text">Customer Identity Cloud</span></a></li><li class="link-list--item"><a href="/archive/" class="link link-list--link"><span class="link-list--text">Archive</span></a></li></ul></div> <div class="footer--column websites"><div class="website"><a href="https://www.okta.com/" target="_blank" rel="noopener noreferrer" class="link link--small link--bold link--uppercase link--spacing-large link--with-chevron-right link--heading"><span>OKTA.COM</span></a> <span class="description">Products, case studies, resources</span></div><div class="website"><a href="https://support.okta.com/help/s/" target="_blank" rel="noopener noreferrer" class="link link--small link--bold link--uppercase link--spacing-large link--with-chevron-right link--heading"><span>HELP CENTER</span></a> <span class="description">Knowledgebase, roadmaps, and more</span></div><div class="website"><a href="https://trust.okta.com/" target="_blank" rel="noopener noreferrer" class="link link--small link--bold link--uppercase link--spacing-large link--with-chevron-right link--heading"><span>TRUST</span></a> <span class="description">System status, security, compliance</span></div></div> <div class="copyright"><span>Copyright © 2024 Okta. 
All rights reserved.</span></div></div></div></footer> <div id="feedback-tab"><a id="feedback-link" href="#" title="Submit feedback"><div id="feedback-container"><p id="feedback-text">Feedback</p></div></a></div></div><div class="global-ui"></div></div> <script src="/assets/js/app.8d18bbef.js" defer></script><script src="/assets/js/185.c681fd7f.js" defer></script><script src="/assets/js/187.158c23d4.js" defer></script><script src="/assets/js/65.d1132cc4.js" defer></script><script src="/assets/js/225.45dd681b.js" defer></script><script src="/assets/js/188.7802dab9.js" defer></script><script src="/assets/js/219.321ff151.js" defer></script><script src="/assets/js/80.6ed389a3.js" defer></script><script src="/assets/js/204.a717d129.js" defer></script><script src="/assets/js/206.c32c8d9a.js" defer></script><script src="/assets/js/216.08cb65a0.js" defer></script><script src="/assets/js/81.b90fa567.js" defer></script><script src="/assets/js/210.8b5a03b4.js" defer></script><script src="/assets/js/195.76e2f625.js" defer></script><script src="/assets/js/220.2c485c69.js" defer></script><script src="/assets/js/202.5c8678e1.js" defer></script><script src="/assets/js/371.6ae0a348.js" defer></script><script src="/assets/js/205.2b78ea63.js" defer></script><script src="/assets/js/191.c4d08a47.js" defer></script><script src="/assets/js/64.2aa9ad79.js" defer></script><script src="/assets/js/215.a532e816.js" defer></script> </body> </html>