Best Practice
It’s important to consider both security and user experience when designing how you will authenticate your users. Providing for multiple primary factors, and/or enforcing more than one factor during authentication, are ways that you can provide both.- Where will users enter their credentials?
- How will you keep user credentials safe?
- How will you maintain your authentication system?
- How can you provide password authentication for your users?
- How can you prevent hackers from trying to log in as your users?
- How will you implement authentication in different kinds of applications?
- How can you make login easy for your users when they come from different language backgrounds?
- How will you provide a good user experience as you migrate away from any legacy authentication system?
- What should you consider when integrating applications with Auth0?
- Can users log in using their existing social (e.g., Facebook or Google) accounts?
- Do you need to provide multi-factor authentication?
- What do you do if you have a service that doesn’t have a way for the user to log in ahead of time?
- Can you pass the same user from one API to another?
Universal Login
Do you have, or will you have, more than one application in your system? If the answer to this question is yes, then you will want a centralized sign in experience. To achieve a seamless (SSO) experience between multiple applications, it is critical to have a centralized location to redirect your users for authentication. This allows you a way to provide your users with a consistent experience if you add social authentication in the future, add third party applications to your system, or add multi-factor authentication as an option (or requirement) for your users—and also allow you to take advantage of new features for improving your users’ experience with little, if any, added development effort.Best Practice
If you have more than one application, the best practice is to redirect to a centralized location to authenticate the user. With Auth0, this means taking advantage of Universal Login, which provides many security and user experience benefits out-of-the-box, including SSO.- Determine how and when you want to redirect from your application.
- Set up the appropriate branding and/or customized HTML in your Auth0 configuration.
- Set up your application to receive and handle the response from the Authorization Server.
Username and password authentication
Nearly every B2C application provides the ability for their customers to create a new set of credentials. This is a common form of authentication that all users are familiar with. Username password authentication comes in multiple flavors at Auth0. If your application is a green-field application with no existing user base, then a simple Auth0 out-of-the-box Database Connection will give you everything you need to start authenticating your users. However, if you have a legacy user store—such as your own database of users or an existing LDAP system—you have a couple of different options for migrating your users as discussed in our guidance on User migration. However you end up provisioning the users for your database connection, the authentication of those users is quite similar. It requires you to present users with a form to enter their username and password. As mentioned in the guidance concerning Universal Login, the simplest and safest way to authenticate users with a username and password is to redirect them to a centralized login page and collect their username and password there. This allows Auth0 to determine whether they have already authenticated and skip the login form entirely when it’s not needed.Best Practice
Collecting credentials only at the centralized login page will reduce the surface area for potential leak of user secrets. It will also reduce the need to collect credentials unnecessarily. See Universal Login for more information.Application integration
Once you’ve figured out how you want to authenticate your users, the next step is to determine how you will initiate that authentication. Each application will typically have its own starting point.Native mobile applications (and desktop applications) should use the system browser for authentication, or they open themselves up to additional security risks. See Native vs. Browser Login on Mobile for more information.
Anonymous access
It is important to consider the user experience when someone first comes to your application. If your application supports anonymous user access (quite common for eCommerce applications) there are different scenarios to consider:- Are they returning to the application after having already logged in, or
- 
If this is the first time they are accessing the application:
- Have they already accessed a different application that uses the same Auth0 tenant,
- Have they ever (or perhaps not in a long time) authenticated on this device or browser.
 
Checking for a login session by redirecting to Auth0 can be helpful for your application, but if this will result in a lot of requests, you should employ a throttling mechanism to avoid latency and/or rate limiting.Calls to the Management API are subject to Auth0 Rate Limiting policy. You must take this into consideration, and to assist, Auth0 generally recommends use of the appropriate Auth0 SDK for your development environment rather than calling our APIs directly.
Deep linking to protected endpoints
There are a variety of reasons why someone might link directly to a particular page within your application that is only accessible by authenticated users. If this is possible for your application you should automatically redirect your user to Auth0 if they are not authenticated. Once they authenticate and the returns them to your application, you can redirect them to where they intended to go in the first place.Best Practice
Most modern authentication frameworks support middleware for redirecting to an authorization server such as Auth0. When selecting one, here are some key considerations:- Support for confidential clients, non-confidential clients, or both
- Support for configuration via discovery endpoint or explicitly inline
- Support for token validation including expirations, signatures, claims and scopes
- Support for if needed
Authenticating the user
Authentication is the process of determining user identity. The result of authentication in an OIDC context is an . This token contains information about the user and should only be able to be obtained if the user authenticates using one or more factors as defined by the authorization server (the most common form being user ID and password). There are a few things you may also need to consider in addition to obtaining an ID Token:- Do we also need an Access Token in order to call a shared API?
- Is your application a single-page application and only requires an ID Token? See Authorization Code Grant with PKCE for more information.
- Is your application a native application (mobile or desktop) and/or do you need a Refresh Token? See Authorization Code Grant with PKCE for more information.
Before you go live, you should ensure that only the grants that you are using for each application are enabled in your configuration for your Application.
Authorization code grant (with or without PKCE)
If your SDK only supports the Authorization Code grant, or you need an Access Token or , then Authorization Code grant (with or without PKCE) can also be used to retrieve an ID Token. The Authorization Code grant includes an additional API call to exchange the code for a token which can result in additional unnecessary latency if all you need is the ID Token. In many cases the hybrid flow is implemented to provide optimum access to the ID Token while still leveraging Authorization Code grant workflow for the secure and safe retrieval of Access and Refresh Tokens.While Auth0 supports the use of implicit grant for browser-based applications requiring only an ID Token, it is recommended to use authorization code grant with PKCE. For detailed information, see OAuth2 Implicit Grant and SPA on the Auth0 Blog.If you need a Refresh Token so that you can obtain a new Access Token or ID Token without having to re-authenticate the user, then you must use the authorization code grant.
Attack protection
The reason that authentication systems are important is to prevent from accessing applications and user data that they should not. We want to place as many barriers as possible between those bad actors and access to our systems. One of the easiest ways to do this is to ensure that your attack protection with Auth0 is configured correctly, so take a moment to read the guidance on this subject and ensure that it’s working correctly for you.Best Practice
Anomaly detection is handled behind the scenes by Auth0 and provides a great security feature for your product. If you’re going to utilize it, ensure that you have set up your Email Provider and configured your Email Templates before turning on email delivery to your users.SSO with legacy systems
In a large scale re-structure it’s not always possible—or practical—to update all your applications at once. In fact, our recommended best practice is to plan for an iterative-style approach when it comes to integrating with Auth0. If your applications already participate in Single Sign-on (SSO), and your legacy identity system supports protocols such as OIDC or , then you have a couple of options available if you want to continue to provide SSO as you integrate with Auth0:- Update your existing identity provider in your legacy SSO system to redirect to Auth0 for login (e.g., using SAML), or
- Have Auth0 redirect to your legacy SSO system to login. This requires configuring your legacy system as an IdP in Auth0 (i.e., either using SAML or OIDC).
Best Practice
Supporting an SSO experience with your legacy system can add complexity, but may be worth it to generate a more seamless user experience as you integrate with Auth0. If you intend to go down this path, planning for it early can help ensure that it is possible to achieve. If you don’t already have SSO at a centralized service, then the complexity to add it will unlikely be worth the benefits.Social authentication
The “bring your own identity” scenario offered by Facebook, Google, etc., is a valuable way of simplifying the user authentication experience without compromising security, and using Universal Login makes it easy to start adding support for Social Connections with minimal disruption.Auth0 provides a simple way to test social connections using pre-configured developer keys. However, these have limitations, and before going into production, you’ll need to set up your own application-specific keys by following the instructions for your chosen social provider(s).
Best Practice
Social is a great feature to provide, but when you offer more than one way to sign in, you need to consider the possibility that your customers will actually use more than one way to sign in. By default, every user identity in Auth0 has its own user profile, so you’ll probably want to consider Auth0’s capability to link user accounts to provide an effective way of associating one user profile with multiple identities.Multi-factor authentication (MFA)
In an era where misuse of user credentials is at an all-time high, protecting your systems when it’s so common for hackers to steal users identity information in general is a challenge. One of the most effective ways though is to provide users with the ability to configure a second factor for protecting their account. More commonly referred to as Multi-Factor Authentication. This will ensure that only a valid user can access their account, even if they use a username and password that may have been compromised from a different application.Best Practice
It’s quite common for customer facing applications to provide users with an option for adding a second factor rather than forcing them to use a second factor. For more information regarding this, see providing your users with an option to add MFA.- Auth0 Guardian: a service that provides both Push notification generation and an application for allowing or denying requests. Push sends notification to a user’s pre-registered device—typically a mobile or tablet—from which a user can immediately allow or deny account access via the simple press of a button.
- Time-based One-Time Password (TOTP): allows you to register a device—such as Google Authenticator—that will generate a one-time password which changes over time and which can be entered as the second factor to validate a user’s account.
- SMS: for sending a one-time code over SMS which the user is then prompted to enter before they can finish authenticating.
- Voice: for delivering a one-time code through a phone call which the user is then prompted to enter before they can finish authenticating.
- Duo: allows you to use your Duo account for multi-factor authentication.
- Email: allows you to use your email account for multi-factor authentication.