
> Learn about the effect of the OIDC-conformant application setting on the authentication pipeline.

# Adopt OIDC-Conformant Authentication

export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => {
  const [displayText, setDisplayText] = useState(children);
  const [copyText, setCopyText] = useState(children);
  const wrapperRef = React.useRef(null);
  useEffect(() => {
    let unsubscribe = null;
    function init() {
      if (!window.autorun || !window.rootStore) {
        return;
      }
      unsubscribe = window.autorun(() => {
        let processedChildrenForDisplay = children;
        let processedChildrenForCopy = children;
        for (const [key, value] of window.rootStore.variableStore.values.entries()) {
          const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
          let displayValue = value;
          if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") {
            displayValue = value.substring(0, 3) + "*****MASKED*****";
          }
          processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue);
          processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value);
        }
        setDisplayText(processedChildrenForDisplay);
        setCopyText(processedChildrenForCopy);
      });
    }
    if (window.rootStore) {
      init();
    } else {
      window.addEventListener("adu:storeReady", init);
    }
    return () => {
      window.removeEventListener("adu:storeReady", init);
      unsubscribe?.();
    };
  }, [children]);
  useEffect(() => {
    if (!wrapperRef.current) return;
    const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard);
    let isOverriding = false;
    const handleClick = e => {
      const button = e.target.closest('[data-testid="copy-code-button"]');
      if (!button || !wrapperRef.current.contains(button)) return;
      isOverriding = true;
      navigator.clipboard.writeText = text => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
          return originalWriteText(copyText);
        }
        return originalWriteText(text);
      };
      setTimeout(() => {
        if (isOverriding) {
          isOverriding = false;
          navigator.clipboard.writeText = originalWriteText;
        }
      }, 100);
    };
    const wrapper = wrapperRef.current;
    wrapper.addEventListener('click', handleClick, true);
    return () => {
      wrapper.removeEventListener('click', handleClick, true);
      if (navigator.clipboard.writeText !== originalWriteText) {
        navigator.clipboard.writeText = originalWriteText;
      }
    };
  }, [copyText]);
  return <div ref={wrapperRef}>
      <CodeBlock filename={filename} icon={icon} language={language} lines highlight={highlight}>
        {displayText}
      </CodeBlock>
    </div>;
};

Auth0 is a [certified OpenID Connect (OIDC) provider](http://openid.net/certification/). As part of Auth0’s efforts to improve security and standards-based interoperability, we roll out new features exclusively on authentication flows that strictly conform to [OIDC specifications](http://openid.net/specs/openid-connect-core-1_0.html).

This guide explains the differences between the OIDC-conformant and legacy pipelines and suggests how to adapt your existing applications. It is intended for developers and IT administrators who manage Auth0 integrations in their applications using the [OAuth 2.0 Authorization Framework](/docs/authenticate/protocols/oauth). It does not apply if you are using <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> or WS-Federation. All authentication flows are described through HTTP requests rather than in the context of any particular language or library implementation.

All new features target only the OIDC-conformant pipeline, and all legacy Auth0 SDK versions are deprecated, do not receive updates for new features or non-critical security issues, and will eventually be discontinued. In addition, all documentation, libraries, and examples outside of this guide apply to only the OIDC-conformant pipeline. Because of this, we strongly recommend adopting the OIDC-conformant pipeline even if you do not need to leverage any new features or functionality in the immediate future.

## Apply the OIDC-conformant pipeline

Depending on the age of your tenant, you may have different options for applying the OIDC-conformant pipeline.

### New tenants

If you create a new tenant using the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>, the OIDC-conformant pipeline is used by default. This has been a default setting for the Dashboard since early 2019.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  You may still have manually disabled the OIDC Conformant setting, in which case you should follow our instructions for older tenants.
</Callout>

### Older tenants

If you want to force all changes outlined in this guide at the same time for a given application so you can encounter all breaking changes during configuration rather than run time, you must:

1. Go to [Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), and select the desired application.
2. Scroll to **Advanced Settings** and go to the **OAuth** tab.
3. Enable the **OIDC Conformant** toggle switch and click **Save Changes**.

If you want to use the OIDC-conformant pipeline on a per-authentication-request basis and your application needs to call an API with a <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip>, initiate the request to the [`/authorize`](https://auth0.com/docs/api/authentication#social) endpoint with an `audience` parameter set to the identifier of that API.

If you want to use the OIDC-conformant pipeline on a per-authentication-request basis and your application doesn't need to call an API, use the following `audience` parameter:

export const codeExample = `https://{yourDomain}/userinfo`;

<AuthCodeBlock children={codeExample} language="http" />
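The per-request opt-in described above, as an added worked example rather than code from Auth0 or this page: it builds an Authorization Code Flow request to `/authorize` that carries `audience` (either an API identifier or the `/userinfo` value for the no-API case), a `state` and `nonce`, and a PKCE `S256` challenge, then checks the redirect that comes back. The tenant domain, client ID and redirect URI are placeholders; the endpoint and parameter names are the standard OIDC / OAuth 2.0 ones.

```python
"""Build an OIDC-conformant /authorize request with an audience, then check the redirect.

Added example, not Auth0's own code. DOMAIN, CLIENT_ID and REDIRECT_URI are
placeholders; /authorize, the parameter names and the PKCE S256 method are the
standard OIDC / OAuth 2.0 ones.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

DOMAIN = "your-tenant.auth0.com"                   # placeholder tenant domain
CLIENT_ID = "YOUR_CLIENT_ID"                       # placeholder client ID
REDIRECT_URI = "https://app.example.com/callback"  # placeholder; must be registered


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def no_api_audience(domain: str = DOMAIN) -> str:
    """Audience that selects the OIDC-conformant pipeline when no API is called."""
    return f"https://{domain}/userinfo"


def build_authorize_url(audience, scope, state, nonce, code_challenge) -> str:
    """Authorization Code Flow request. `audience` is what opts this single
    request into the OIDC-conformant pipeline; `state` binds the redirect to
    this browser session and `nonce` is echoed back inside the ID token."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,                       # e.g. "openid profile offline_access"
        "audience": audience,                 # API identifier or no_api_audience()
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{DOMAIN}/authorize?" + urlencode(params)


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect, or raise.

    The state check runs first so that neither an error response nor a code
    belonging to another session is ever acted on."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {query['error'][0]} {desc}".strip())
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code in the redirect")
    return codes[0]


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    print(build_authorize_url("https://api.example.com", "openid profile offline_access",
                              state, nonce, challenge))
```

Keep `verifier`, `state` and `nonce` server-side (or in session storage for a browser app) until the redirect arrives: the verifier is needed for the code exchange, and the nonce for validating the ID token.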

## Differences

Enabling the OIDC-conformant pipeline results in the following changes to the legacy pipeline.

### APIs

Applications and APIs (resources) should be defined as separate Auth0 entities. To learn more, read [OIDC-Conformant Adoption: APIs](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-apis).

### Access tokens

* APIs should be secured with access tokens instead of <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+tokens">ID tokens</Tooltip>. To learn more about the differences, read [Tokens](/docs/secure/tokens).
* A defined set of standard claims about users can be returned in ID Tokens or in the response from `/userinfo`.
* Custom claims must conform to a named format. To learn more, read [Create Namespaced Custom Claims](/docs/secure/tokens/json-web-tokens/create-custom-claims).
* Responses from `/userinfo` will conform to the OIDC specification, similar to the contents of ID tokens.
* Scopes can be used to request either standard claims or custom API permissions.

To learn more, read [OIDC-Conformant Adoptions: Access Tokens](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-access-tokens).

### Authorization flows

* [Authorization Code Flow](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-auth-code-flow): Structural differences exist in the authentication request, authentication response, code exchange request, code exchange response, ID token structure, and access token structure.
* [Client Credentials Flow](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-client-credentials-flow): New flow enabled, which allows applications to authenticate as themselves (rather than on behalf of a user) to programmatically and securely obtain access to an API.
* [Implicit Flow](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-implicit-flow): Structural differences exist in the authentication request, authentication response, ID token structure, and access token structure. Specifically:

  * `response_type=token` only returns an access token. To get an ID token, use `response_type=id_token` or `response_type=token id_token`.
  * ID tokens will be signed asymmetrically using RS256.
  * Authentication requests made without a nonce parameter will be rejected. To learn more, read [Mitigate Replay Attacks When Using Implicit Flow](/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post/mitigate-replay-attacks-when-using-the-implicit-flow).
  * Refresh tokens will no longer be returned when using the Implicit Flow for authentication.
* [Resource Owner Password Flow](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-rop-flow): Structural differences exist in the authentication request, authentication response, ID token structure, and access token structure. Specifically:

  * The legacy [resource owner endpoint](https://auth0.com/docs/api/authentication#database-ad-ldap-active-) is disabled, which also disables passwordless authentication for embedded login from that endpoint. To [implement Passwordless with embedded login](/docs/authenticate/login/universal-vs-embedded-login), you must use the Embedded Passwordless API or our SDKs, depending on your application type.
  * The `device` parameter is now considered invalid when requesting a refresh token using the `offline_access` scope.
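The relying-party side of the Access tokens and Authorization flows items above, as an added example that is not Auth0's code: the checks an application should apply to an ID token from the OIDC-conformant pipeline (algorithm pinned to RS256, issuer and audience bound to this client, lifetime, and the request `nonce` echoed back), plus reading namespaced custom claims. Signature verification is delegated to a caller-supplied `verify_signature` callable, which in production is a JWKS-backed RS256 verifier; `ISSUER` and `CLIENT_ID` are placeholders, and `build_test_token` produces a constructed, unsigned token used only to exercise the claim checks.

```python
"""Validate an ID token issued by the OIDC-conformant pipeline.

Added example, not Auth0's own code. ISSUER and CLIENT_ID are placeholders
(Auth0 issuers carry a trailing slash). Signature verification is delegated to
`verify_signature(kid, signing_input, signature)`, a JWKS-backed RS256 verifier
in production. build_test_token makes a constructed, UNSIGNED token that is
accepted only when the caller's verifier says so.
"""
import base64
import json
import time

ISSUER = "https://your-tenant.auth0.com/"   # placeholder; Auth0's iss ends with "/"
CLIENT_ID = "YOUR_CLIENT_ID"                 # placeholder


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token: str):
    """Return (header, claims, segments) of a compact JWS without trusting it."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(segments[0]))
    claims = json.loads(_b64url_decode(segments[1]))
    return header, claims, segments


def validate_id_token(token, expected_nonce, verify_signature, now=None, leeway=60):
    """Checks in the order a relying party should apply them; raises ValueError on failure."""
    now = time.time() if now is None else now
    header, claims, segments = split_jwt(token)

    # 1. Pin the algorithm. OIDC-conformant ID tokens are RS256; refusing
    #    anything else also rules out legacy HS256 tokens and "alg": "none".
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only RS256 is accepted")

    # 2. Signature over the exact encoded header.payload bytes, keyed by kid.
    signing_input = f"{segments[0]}.{segments[1]}".encode("ascii")
    if not verify_signature(header.get("kid"), signing_input, _b64url_decode(segments[2])):
        raise ValueError("signature verification failed")

    # 3. Issuer and audience. aud may be a string or a list; with several
    #    audiences the authorized party (azp) must be this client.
    if claims.get("iss") != ISSUER:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")

    # 4. Lifetime.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp + leeway:
        raise ValueError("token expired or exp missing")

    # 5. Nonce: the request's nonce must come back, tying the token to this
    #    authentication request and defeating replay of a captured token.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def namespaced_claims(claims: dict, namespace: str) -> dict:
    """Collect custom claims under a URI namespace, e.g. https://example.com/roles -> roles."""
    prefix = namespace.rstrip("/") + "/"
    return {k[len(prefix):]: v for k, v in claims.items() if k.startswith(prefix)}


def build_test_token(header: dict, claims: dict) -> str:
    """Constructed, unsigned token (empty signature) for exercising the checks above."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return f"{enc(header)}.{enc(claims)}."
```

The algorithm check comes before the signature call on purpose: a verifier that honours whatever `alg` the token names is the classic JWT confusion bug, so the relying party, not the token, decides which algorithm is acceptable.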

### Delegation

* **Deprecated**: [`/delegation`](https://auth0.com/docs/api/authentication#delegation) endpoint, except when used to get third-party API tokens.
* OIDC-conformant applications cannot be the source or target of delegation requests.

To learn more, read [OIDC-Conformant Adoption: Delegation](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-delegation).

### Endpoints

* **Deprecated**: `/tokeninfo` endpoint
* **Disabled**: the [`/oauth/access_token`](https://auth0.com/docs/api/authentication#post-oauth-access_token) endpoint (used for social authentication from native mobile applications).
* **Deprecated**: `/ssodata` endpoint
* **Deprecated**: [`/delegation`](https://auth0.com/docs/api/authentication#delegation) endpoint except when used to get third-party API tokens.

### Refresh tokens

* <Tooltip tip="Refresh Token: Token used to obtain a renewed Access Token without forcing users to log in again." cta="View Glossary" href="/docs/glossary?term=Refresh+tokens">Refresh tokens</Tooltip> will no longer be returned when using the Implicit Flow for authentication.
* Refresh tokens can be used for confidential applications, but <Tooltip tip="Refresh Token Rotation: Strategy of frequently replacing refresh tokens to minimize vulnerability. With refresh token rotation, every time your application exchanges a refresh token to get a new access token, Auth0 also returns a new refresh token." cta="View Glossary" href="/docs/glossary?term=refresh+token+rotation">refresh token rotation</Tooltip> can increase security for most flows and should always be used for public applications when using the Authorization Code Flow with PKCE. To learn about confidential applications, read [Confidential and Public Applications](/docs/get-started/applications/confidential-and-public-applications). To learn more about refresh token rotation, read [Refresh Token Rotation](/docs/secure/tokens/refresh-tokens/refresh-token-rotation).
* When getting new tokens, you should use the `/oauth/token` endpoint.
* The `device` parameter is no longer used when requesting a refresh token with the `offline_access` scope in authentication requests; the OIDC-conformant pipeline considers it invalid, so omit it.

To learn more, read [OIDC-Conformant Adoption: Refresh Tokens](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-refresh-tokens).
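The `/oauth/token` usage and rotation behaviour described in this section, as an added example that is not Auth0's code: the request bodies for redeeming an authorization code (with the PKCE verifier, and without a `device` parameter) and for refreshing, and a client-side token store that replaces its refresh token whenever a response carries a new one. `DOMAIN` and `CLIENT_ID` are placeholders, transport is a caller-supplied `post(url, form_body)` callable, and `FakeTokenServer` is a constructed stand-in that models single-use refresh tokens and reuse detection so the code runs offline.

```python
"""Redeem a code and refresh tokens at /oauth/token, applying refresh token rotation.

Added example, not Auth0's own code. DOMAIN and CLIENT_ID are placeholders;
grant types and parameter names are the standard OAuth 2.0 ones. Transport is
`post(url, form_body) -> dict`; FakeTokenServer is a constructed stand-in that
models rotation and reuse detection so everything runs offline.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode

DOMAIN = "your-tenant.auth0.com"     # placeholder
CLIENT_ID = "YOUR_CLIENT_ID"          # placeholder
TOKEN_ENDPOINT = f"https://{DOMAIN}/oauth/token"


def code_exchange_body(code: str, code_verifier: str, redirect_uri: str) -> str:
    """Authorization Code Flow with PKCE: the verifier, not a client secret,
    proves that the client redeeming the code is the one that started the flow."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,
    })


def refresh_body(refresh_token: str) -> str:
    """No `device` parameter: the OIDC-conformant pipeline treats it as invalid."""
    return urlencode({
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "refresh_token": refresh_token,
    })


class TokenSet:
    """Client-side token store. With rotation every refresh response carries a
    new refresh_token that replaces the old one, which must never be sent again."""

    def __init__(self):
        self.access_token = None
        self.id_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def apply(self, response: dict, now=None):
        now = time.time() if now is None else now
        if "error" in response:
            raise RuntimeError(f"{response['error']}: {response.get('error_description', '')}")
        self.access_token = response["access_token"]
        self.expires_at = now + int(response.get("expires_in", 0))
        self.id_token = response.get("id_token", self.id_token)
        if "refresh_token" in response:        # first issuance or rotation
            self.refresh_token = response["refresh_token"]
        return self


def refresh(tokens: TokenSet, post, now=None) -> TokenSet:
    """Send the current refresh token and store what comes back (including a rotated one)."""
    if not tokens.refresh_token:
        raise RuntimeError("no refresh token held; the user must authenticate again")
    return tokens.apply(post(TOKEN_ENDPOINT, refresh_body(tokens.refresh_token)), now)


class FakeTokenServer:
    """Constructed stand-in for /oauth/token: each refresh token works once, and
    presenting an already-used one revokes the whole token family."""

    def __init__(self):
        self.live = set()    # refresh tokens that may still be redeemed
        self.seen = set()    # every refresh token ever issued

    def issue(self) -> dict:
        rt = "rt_" + secrets.token_hex(8)
        self.live.add(rt)
        self.seen.add(rt)
        return {"access_token": "at_" + secrets.token_hex(8), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": rt}

    def post(self, url: str, body: str) -> dict:
        form = parse_qs(body)
        if form.get("grant_type") == ["authorization_code"]:
            return self.issue()
        rt = form.get("refresh_token", [None])[0]
        if rt in self.live:
            self.live.discard(rt)              # single use
            return self.issue()
        if rt in self.seen:                    # replay of a rotated-out token
            self.live.clear()                  # revoke the family
        return {"error": "invalid_grant", "error_description": "unknown or used refresh token"}
```

The practical consequence of rotation is that `TokenSet.apply` must persist the new refresh token before the old one can be discarded from memory; a client that keeps using the old value after a successful refresh looks exactly like an attacker replaying a stolen token, and the fake server above shows what that costs: the whole family is revoked and the user has to sign in again.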

### Single Sign-on (SSO)

* <Tooltip tip="Single Sign-On (SSO): Service that, after a user logs into one application, automatically logs that user in to other applications." cta="View Glossary" href="/docs/glossary?term=SSO">SSO</Tooltip> can be performed only from Auth0 login pages, which means that you must employ <Tooltip tip="Universal Login: Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip>.
* To determine whether users are logged in via SSO, you must use silent authentication. To learn more, read [Configure Silent Authentication](/docs/authenticate/login/configure-silent-authentication).
* **Deprecated**: `/ssodata` endpoint and `getSSOData()` method from `Lock/auth0.js`.

To learn more, read [OIDC-Conformant Adoption: Single Sign-On](/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-sso).

### Additional features

* Create third-party applications for your APIs and display consent dialogs for authorization. To learn more, read [User Consent and Third-Party Applications](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications).
* Restrict user profile information provided to applications upon authentication. To learn more, read [User Profiles](/docs/manage-users/user-accounts/user-profiles/user-profile-structure).
* Dynamically register applications. To learn more, read [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration).
* [Organizations](/docs/manage-users/organizations) and their related features become available.
