When you choose to create a new application, you are given 4 options: Native, Single Page Web Applications, Regular Web Applications, and Machine to Machine Applications. The first 3 seem to me to be exactly the same. All can be secured using the same flow (PKCE), and two (SPA and Regular) can be secured using the regular auth code flow (assuming you have a back end for your front end).
So given that, why are there 3 different options?
Also, I just noticed: when you create a Regular App, it will actually be listed as a Native App. So really there are only 3 distinct apps to choose from.
Thanks for bringing your conversation to the Auth0 Community.
Take a look at this resource to see which grant type should be used with which application type:
Described in that doc are the following grant types: client credentials, auth code, implicit, and auth code + PKCE.
Each of the three application architectures you mention uses a separate grant type at Auth0: Implicit Flow for SPAs, Authorization Code Flow with Proof Key for Code Exchange (PKCE) for native apps, and Authorization Code Flow for regular web apps.
With the release of spa.js we are now supporting the Authorization Code Flow with Proof Key for Code Exchange (PKCE) for SPAs, which narrows things down a bit, but the implicit flow is still supported for SPAs. It is up to you to choose which flow fits your needs, but I would recommend trying out the new spa.js if you are between the two.
A great additional outside resource is the OAuth2.0 spec if you would like a more technical glance at the grant types and their differences.
Hopefully this helps!
A couple things from my perspective here, if it is just a change in what flow you use, then why are there different kinds of apps? Aren’t they all just a UI app and you choose a flow to specify?
Because when you choose a regular app, it actually registers it as a native app.
Also, if what you said is the reason for choosing your type of app in the beginning, I would assume that Auth0 would only let me choose one grant type for my specific application, right?
It just seems like I can randomly select one of those three app types (Native, Regular, SPA) and nothing would change.
EDIT: Lastly, isn’t the Implicit flow discouraged due to the fact that it was kind of a hack when they made it? That sending an access token to a front end isn’t good practice?
I’m not sure I understand what you mean when you say:
Do you mean in the Auth0 Dashboard? If so, I don’t think this should be the case.
Some of the differences are going to be there to help users choose their quickstart and safeguard against things like using a client credentials grant in a SPA, or scoping a native app to have full control of the management API.
It is true that with the movement towards Auth Code + PKCE, native apps and SPAs are becoming very similar in terms of their flows.
Do you have a specific concern regarding the choices? Or some feedback for the team? We always appreciate hearing users' input.