Docs 3689 auth explorer update #10394
Conversation
HRI addition
HRI update Break out client grants #Learn More standardization Error pages into Markdown tables
Duplicate Learn More
Fixes for the nav, flow files, updated error codes
Co-authored-by: Patrick Dillon <pdillon@users.noreply.github.com>
| @@ -1,20 +1,20 @@ | |||
| { | |||
| "default": false, | |||
| "resultVersion": 1, | |||
| "MD001": true, | |||
| "MD001": false, | |||
There was a problem hiding this comment.
Do we want to keep these disabled globally instead of using <!-- markdownlint-disable MDXYZ--> in the affected files?
There was a problem hiding this comment.
For Authentication API Explorer, yes. The errors I'm getting are because the tech is old and we don't have the resources or people to yet to update the experience completely. Once the Explorer is merged, I plan to go back and update this file ^
There was a problem hiding this comment.
I understand! Let's keep it like this, then
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| The Authentication API enables you to manage all aspects of user identity when you use Auth0. It offers endpoints so your users can log in, sign up, log out, access APIs, and more. | |||
|
|
|||
| The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, [OAuth 2.0](/protocols/oauth2), and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>. | |||
| The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, <dfn data-key="oath2"> [OAuth 2.0](/protocols/oauth2)</dfn>, <dfn data-key="fapi">[FAPI](https://auth0.com/docs/secure/highly-regulated-identity#advanced-security-with-openid-connect-fapi-)</dfn> and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>. | |||
There was a problem hiding this comment.
Do we need the entire URL here instead of just the relative path, as in the other places?
There was a problem hiding this comment.
Thank-you for catching this one ^
| @@ -208,22 +208,11 @@ Once you have a verification code, use this endpoint to login the user with thei | |||
| | <dfn data-key="scope">`scope`</dfn> | Use `openid` to get an ID Token, or `openid profile email` to also include user profile information in the ID Token. | | |||
| | `redirect_uri` <br/><span class="label label-danger">Required</span> | A callback URL that has been registered with your application's **Allowed Callback URLs**. | | |||
|
|
|||
|
|
|||
| ### Test with Authentication API Debugger | |||
There was a problem hiding this comment.
It's great to see references to the Authentication API Debugger removed 🙂
There was a problem hiding this comment.
Yes! I haven't heard if the Debugger has been fully deprecated or not, so I have a single reference in the intro for it.
There was a problem hiding this comment.
It's not fully deprecated. There is an intention to deprecate it, but not a plan AFAIK.
What you did looks perfect to me: maintaining a reference to it but reducing the doc coverage to discourage new people from using it.
| ``` | ||
|
|
||
| ```javascript | ||
| var request = require("request"); |
There was a problem hiding this comment.
This is a bit nitpicky, I'd love to have const instead of var in the code examples. I think that var could transmit the image of being out of fashion, or not up-to-date with the current best practices, which may put off some people.
var is perfectly functional in any case, so this is totally optional, but using const would transmit a more "modern" feel.
There was a problem hiding this comment.
@edgarchirivella-okta , these code samples weren't updated this round. Would I just replace var with const?
There was a problem hiding this comment.
No problem! I understand that you just moved the code examples between files.
I don't think it's required now, this is something that could be included in the future project you have next quarter, if you have the time to include it 🙂
In these small examples, it would just be replacing var with const. There are some gotchas because they don't behave in the exact same way, but for these examples, replacing var with const would do. This is a very good explanation of the differences: https://www.freecodecamp.org/news/var-let-and-const-whats-the-difference/
In general, people try to use const first, and let only if the variable needs to be reassigned. var is only seen in older projects nowadays.
There was a problem hiding this comment.
Sounds perfect! I was talking to Daniel and David about the next project including a closer review of the flows and samples!
| code: "AUTHORIZATION_CODE", | ||
| redirect_uri: "${account.callback}", } }; | ||
|
|
||
| request(options, function (error, response, body) { |
There was a problem hiding this comment.
And related to the var comment above, I think that converting these examples to async/await could make us more approachable, because the devs learning Node and Javascript these days may not even be familiar with callbacks.
This has lower priority than the var comment above and I understand the pressure to merge this today, so this is just a suggestion for a future improvement.
There was a problem hiding this comment.
I have another larger project for the Explorer planned for next quarter, so this could absolutely be helpful!
There was a problem hiding this comment.
That sounds great! Thank you for that 😄 let's keep it with the callbacks here, then
| > RESPONSE SAMPLE: | ||
|
|
||
| ```JSON | ||
| HTTP/1.1 200 OK |
There was a problem hiding this comment.
Should we remove the HTTP/1.1 line here too?
There was a problem hiding this comment.
I checked with Session since these samples are very old. For this fragment, leaving the HTTP could help with error handling, so for this project, we'll leave them. Next quarter, I'll engage engineering to review the samples more closely.
| ```http | ||
| POST ${account.namespace}/oauth/par | ||
| Content-Type: 'application/x-www-form-urlencoded' | ||
| response_type=code|code id_token& |
There was a problem hiding this comment.
It is important that all example include
- an audience param (optional)
- an authorization_details param (optional)
There was a problem hiding this comment.
Pending updates on Google doc
| url: 'https://{yourDomain}/oauth/par, | ||
| headers: { 'content-type': 'application/x-www-form-urlencoded' }, | ||
| form: { | ||
| response_type: 'code|code id_token', |
There was a problem hiding this comment.
It is important that all example include
- an audience param (optional)
- an authorization_details param (optional)
There was a problem hiding this comment.
Pending updates on Google doc
| curl --request POST \ | ||
| --url 'https://{yourDomain}/oauth/par' \ | ||
| --header 'content-type: application/x-www-form-urlencoded' \ | ||
| --data 'response_type=code|code id_token& client_id={yourClientId}& redirect_uri={https://yourApp/callback}&state=STATE&scope=openid|profile|email&code_challenge=CODE_CHALLENGE&code_challenge_method=S256&nonce=NONCE&connection=CONNECTION&prompt=login|consent|none&organisation=ORGANIZATION' |
There was a problem hiding this comment.
It is important that all example include
- an audience param (optional)
- an authorization_details param (optional)
There was a problem hiding this comment.
Pending updates on Google doc
| ::: note | ||
| Highly Regulated Identity is currently available for Enterprise customers under Limited Early Access. To learn more about this program, contact [Auth0 Support](http://support.auth0.com/). | ||
| ::: | ||
| Push Authorization Requests (PAR), a service of [Highly Regulated Identity](https://auth0.com/docs/secure/highly-regulated-identity), uses the `/oauth/par` endpoint to allow applications to send the authentication parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all standard authorization parameters similar to /authorize. Assuming the call to the /oauth/par endpoint is valid, Auth0 will respond with a redirect_uri value that can be used as a parameter for the /authorize endpoint. |
There was a problem hiding this comment.
| Push Authorization Requests (PAR), a service of [Highly Regulated Identity](https://auth0.com/docs/secure/highly-regulated-identity), uses the `/oauth/par` endpoint to allow applications to send the authentication parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all standard authorization parameters similar to /authorize. Assuming the call to the /oauth/par endpoint is valid, Auth0 will respond with a redirect_uri value that can be used as a parameter for the /authorize endpoint. | |
| Push Authorization Requests (PAR), a service of [Highly Regulated Identity](https://auth0.com/docs/secure/highly-regulated-identity), uses the `/oauth/par` endpoint to allow applications to send the authorization parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all standard authorization parameters similar to /authorize. Assuming the call to the /oauth/par endpoint is valid, Auth0 will respond with a redirect_uri value that can be used as a parameter for the /authorize endpoint. |
There was a problem hiding this comment.
Added to the next commit
| ## Request Parameters | ||
| | Parameter | Description | | ||
| |:-----------------|:------------| | ||
| | `response_type` <br/><span class="label label-danger">Required</span> | Specifies the token type. We recommend you use code to request an authorization code, or code id_token to receive an authorization code and a [detached signature](https://openid.net/specs/openid-financial-api-part-2-1_0.html#id-token-as-detached-signature). | |
There was a problem hiding this comment.
Add
audience
The unique identifier of the target API you want to access.
| | `redirect_uri` <br/><span class="label label-danger">Required</span> | The URL to which Auth0 will redirect the browser after authorization has been granted by the user. Specify the `redirect_uri` under your [Application's Settings](${manage_url}/#/applications).| | ||
| | `state` <br/><span class="label label-primary">Recommended</span> | An opaque value the applications adds to the initial request that the authorization server includes when redirecting the back to the application. This value must be used by the application to prevent CSRF attacks. | | ||
| | `scope` <br/><span class="label label-primary">Recommended</span>| OIDC scopes and custom API scopes. For example: `openid read:timesheets`. Include `offline_access` to get a Refresh Token.| | ||
| | `code_challenge` <br/><span class="label label-primary">Recommended</span> | OIDC scopes and custom API scopes. For example: `openid read:timesheets`. Include offline_access to get a Refresh Token. | |
There was a problem hiding this comment.
Add
authorization_details
Similarly to scopes, this parameter allows you to request specific permissions for each resource you want to access. In this case, you can specify an array of json objects to convey fine-grained information on the authorization. Each json object must contain a type attribute and the rest is up to you to define. Read the [RAR reference documention](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-rar) to learn all the details.
There was a problem hiding this comment.
I edited this description on the Google Doc and added the example case to the Remarks sections
| > RESPONSE SAMPLE: | ||
| ``` json | ||
| /** | ||
| The `/oauth/token` endpoint will respond with a JSON object containing an `id_token` property, and potentially also a `refresh_token` if one was requested. |
There was a problem hiding this comment.
| The `/oauth/token` endpoint will respond with a JSON object containing an `id_token` property, and potentially also a `refresh_token` if one was requested. | |
| The `/oauth/token` endpoint will respond with a JSON object containing an `access_token` property, and potentially also a `refresh_token` if one was requested. If you specified the authorization_details parameter at the beginning of the flow, it will also be added to the response to indicate the details of what has been authorized. |
There was a problem hiding this comment.
I don't know if this text should appear here in the json example or be included as part of the remarks
There was a problem hiding this comment.
This line was originally associated with the Response, so I put it as commented out. Feel free to update it on the Google doc and I can update.
| Content-Type: application/json | ||
| { | ||
| "refresh_token":"GEbRxBN...edjnXbL", | ||
| "id_token":"eyJ0XAi...4faeEoQ", |
There was a problem hiding this comment.
add
"access_token":"eybRxBN...edjnXZQ",
| { | ||
| "refresh_token":"GEbRxBN...edjnXbL", | ||
| "id_token":"eyJ0XAi...4faeEoQ", | ||
| "token_type":"Bearer", |
There was a problem hiding this comment.
add
"authrorization_details":[
{
"type":"my_type",
"other_attributes_of_my_type":"value"
}
],
| "link": "#exchange-an-authorization-code-for-a-token" | ||
| }) %> | ||
|
|
||
| ```http |
There was a problem hiding this comment.
THIS IS INCORRECT. It should be a request to /token.
There was a problem hiding this comment.
Okay, if you're talking about the ```http section, I'll need that sample from the team. If this is about the include ^ that's actually the link to the endpoint.
| ``` | ||
|
|
||
| ```javascript | ||
| curl --request POST \ |
There was a problem hiding this comment.
THIS IS INCORRECT. It should be a request to /token.
There was a problem hiding this comment.
Okay. Please add the correct sample to the Google doc and I'll get it from there.
| ``` | ||
|
|
||
| ```shell | ||
| var request = require("request"); |
There was a problem hiding this comment.
This request is correct, but shouldn't we add it before the response?
There was a problem hiding this comment.
Honestly, it doesn't matter. It's going to show in the correct spot in the Explorer. I'll move it in the next commit.
| }); | ||
| ``` | ||
|
|
||
| When users are redirected to `/authorize`, you need to make a `POST` call to the `oauth/token` endpoint to exchange an authorization code for an access and/or an ID token. |
There was a problem hiding this comment.
| When users are redirected to `/authorize`, you need to make a `POST` call to the `oauth/token` endpoint to exchange an authorization code for an access and/or an ID token. | |
| When users are redirected back to your callback, you need to make a `POST` call to the `oauth/token` endpoint to exchange an authorization code for an access and/or an ID token. |
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| The Authentication API enables you to manage all aspects of user identity when you use Auth0. It offers endpoints so your users can log in, sign up, log out, access APIs, and more. | |||
|
|
|||
| The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, [OAuth 2.0](/protocols/oauth2), and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>. | |||
| The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, <dfn data-key="oath2"> [OAuth 2.0](/protocols/oauth2)</dfn>, <dfn data-key="fapi">[FAPI](https://auth0.com/docs/secure/highly-regulated-identity#advanced-security-with-openid-connect-fapi-)</dfn> and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>. | |||
There was a problem hiding this comment.
small nitpick: you could shorten FAPI link by removing "https://auth0.com/docs" from "/secure/highly-regulated-identity#advanced-security-with-openid-connect-fapi-"
|
|
||
| 1. At the *OAuth2 / OIDC* tab, click **OAuth2 / OIDC Login**. | ||
|
|
||
| ### Use Authentication API Debuggar |
There was a problem hiding this comment.
"Use Authentication API Debuggar"-->"Use Authentication API Debugger"
| - Legacy Delegation: At the *OAuth2 / OIDC* tab, set **Username** and **Password**. Click **Resource Owner Endpoint**. | ||
| - Legacy Resource Owner: At the *OAuth2 / OIDC* tab, set the **Username** and **Password**, and click **Resource Owner Endpoint**. | ||
|
|
||
| ### Use Authentication API Debuggar with authentications flows |
There was a problem hiding this comment.
should Authentications Flows be capitalized?
| - [Custom Social Connections](/connections/social/oauth2) | ||
| - [State Parameter](/protocols/oauth2/oauth-state) | ||
| - [State Parameter](https://auth0.com/docs/secure/attack-protection/state-parameters) |
There was a problem hiding this comment.
the link could be shortened to "/docs/secure/attack-protection/state-parameters"
There was a problem hiding this comment.
Got it! I missed this one :D
| | `client_id` <br/><span class="label label-danger">Required</span> | Your application's Client ID. | | ||
| | `client_secret` <br/><span class="label label-danger">Required</span> | Your application's Client Secret. | | ||
| | `code` <br/><span class="label label-danger">Required</span> | The Authorization Code received from the initial `/authorize` call. | | ||
| | `redirect_uri`| This is required only if it was set at the [GET /authorize](#authorization-code-grant) endpoint. The values must match. | |
There was a problem hiding this comment.
Ah okay. If you set the redirect_uri at /authorize, the same redirect_uri must be set at /oauth/token. I'll clarify that. Thanks!
| | `username` <br/><span class="label label-danger">Required</span> | The user's username | | ||
| | `password` <br/><span class="label label-danger">Required</span> | The user's password | | ||
| | <dfn data-key="scope">`scope`</dfn> | Use `openid` to get an ID Token, `openid profile email` to get an ID Token and the user profile, or `openid offline_access` to get an ID Token and a <dfn data-key="refresh-token">Refresh Token</dfn>. | | ||
| | `id_token` | Used to authenticate using a token instead of username/password, in [Touch ID](/libraries/lock-ios/touchid-authentication) scenarios. | |
There was a problem hiding this comment.
using a token->with a token
no comma between username/password and in Touch ID
| | `password` <br/><span class="label label-danger">Required</span> | The user's password | | ||
| | <dfn data-key="scope">`scope`</dfn> | Use `openid` to get an ID Token, `openid profile email` to get an ID Token and the user profile, or `openid offline_access` to get an ID Token and a <dfn data-key="refresh-token">Refresh Token</dfn>. | | ||
| | `id_token` | Used to authenticate using a token instead of username/password, in [Touch ID](/libraries/lock-ios/touchid-authentication) scenarios. | | ||
| | `device` | You should set this to a string, if you are requesting a Refresh Token (`scope=offline_access`). | |
There was a problem hiding this comment.
you should set->Set
capitalization of Refresh Token
|
|
||
| - This endpoint only works for database connections, <dfn data-key="passwordless">passwordless</dfn> connections, Active Directory/LDAP, Windows Azure AD and ADFS. | ||
|
|
||
| - The `profile` scope value requests access to the End-User's default profile Claims, which are: `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale`, and `updated_at`. |
|
|
||
| ### Error Codes | ||
|
|
||
| For the complete error code reference for this endpoint refer to [Errors > POST /oauth/ro](#post-oauth-ro). |
There was a problem hiding this comment.
comma between endpoint and refer
| ### Remarks | ||
|
|
||
| - The <dfn data-key="scope">scopes</dfn> issued to the application may differ from the scopes requested. In this case, a `scope` parameter will be included in the response JSON. | ||
| - If you don't request specific scopes, all scopes defined for the audience will be returned due to the implied trust to the application in this grant. You can customize the scopes returned in a rule. For more information, refer to [Calling APIs from Highly Trusted Applications](/api-auth/grant/password). |
There was a problem hiding this comment.
For more information->To learn more
| |:-----------------|:------------| | ||
| | `audience` <br/> | The unique identifier of the target API you want to access. | | ||
| | `scope` | The <dfn data-key="scope">scopes</dfn> which you want to request authorization for. These must be separated by a space. You can request any of the [standard OpenID Connect (OIDC) scopes](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) about users, such as `profile` and `email`, custom claims that must [conform to a namespaced format](/tokens/guides/create-namespaced-custom-claims), or any scopes supported by the target API (for example, `read:contacts`). Include `offline_access` to get a <dfn data-key="refresh-token">Refresh Token</dfn>. | | ||
| | `response_type` <br/><span class="label label-danger">Required</span> | Indicates to Auth0 which OAuth 2.0 flow you want to perform. Use `code` for Authorization Code Grant Flow. | |
There was a problem hiding this comment.
"want to perform"->"want to use?"
| | `state` <br/><span class="label label-primary">Recommended</span> | An opaque value the application adds to the initial request that Auth0 includes when redirecting the back to the application. This value must be used by the application to prevent CSRF attacks. | | ||
| | `redirect_uri` | The URL to which Auth0 will redirect the browser after authorization has been granted by the user. | | ||
| | `connection` | The name of the connection configured to your application. | | ||
| | `prompt` | To initiate a [silent authentication](/api-auth/tutorials/silent-authentication) request, use `prompt=none` (see Remarks for more info). | |
There was a problem hiding this comment.
should you link to the Remarks section below? also suggested rewording: "To learn more, read Remarks"
There was a problem hiding this comment.
See that's one of the drawbacks with Remarks. I can't link to them. The link just goes back to the first one in Login with #remarks. But! With the next project, hopefully we can fix this. But I will update to the To learn more, see the Remarks.
| ::: | ||
| <br></br> | ||
|
|
||
| Authorization Code Flow with [Push Authorization Requests (PAR)](/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par), uses the `/oauth/par` endpoint to allow applications to send the authorization parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all authorization parameters which can be proivided to `/authorize`. Assuming the call to the `/oauth/par` endpoint is valid, Auth0 will respond with a `redirect_uri` value that can be used as a parameter for the `/authorize` endpoint. |
There was a problem hiding this comment.
Push Authorization Requests->Pushed Authorization Requests
no comma after (PAR)
/oauth/par endpoint accepts->/oauth/par endpoint accepts
|
|
||
| Authorization Code Flow with [Push Authorization Requests (PAR)](/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par), uses the `/oauth/par` endpoint to allow applications to send the authorization parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all authorization parameters which can be proivided to `/authorize`. Assuming the call to the `/oauth/par` endpoint is valid, Auth0 will respond with a `redirect_uri` value that can be used as a parameter for the `/authorize` endpoint. | ||
|
|
||
| Assuming the call to the `/oauth/par` endpoint is valid, Auth0 will respond with a `redirect_uri` value also used as a parameter for the `/authorize` endpoint. To learn more about configuring PAR, read [Configure Push Authorization Requests (PAR)](/get-started/applications/configure-par). |
There was a problem hiding this comment.
Configure Push Authorization Requests->Configure Pushed Authorization Requests
| | `nonce` <br/><span class="label label-primary">Recommended</span> | A string value which will be included in the ID Token response from Auth0, used to prevent token replay attacks. It is required for `response_type=id_token` token. | | ||
| | `connection` | The name of the connection configured to your application. If null, it will redirect to the [Auth0 Login Page](https://${account.namespace}/login) and show the Login Widget using the first database connection. | | ||
| | `prompt` | Can be used to force a particular prompt to display, e.g. `prompt=consent` will always display the consent prompt.| | ||
| | `organization` | ID of the organization to use when authenticating a user. When not provided, if your application is configured to Display Organization Prompt, the user will be able to enter the organization name when authenticating. | |
There was a problem hiding this comment.
nvm i see that for all the other instances of this paramter, Display Organization Prompt is bolded i.e. Display Organization Prompt, so i think we can just bold it to be consistent
No description provided.