Dear All: Just joined community yesterday so fairly new to auth0, apology if this is a very newbie’ish question.
I see in OAuth2, one can authenticate using a token plus username/password.
One can also authenticate with id/secret plus username/password.
Using auth0, I am able to create a user with password. I do also see my app id and secret.
I am unable to see any code sample on how to authenticate the “user” that I created with the password I assigned (for the app that I defined in auth0).
I am using Java. Any code example or tutorial much apprecated!
thanks
Welcome to the Community! The best place to start is the Java QuickStart:
If you download the Java Quickstart from your Auth0 management dashboard (from the Quickstart tab of the app you created) you will have working code that you can use as a starting point.
It is also important to learn about authentication flows:
This page talks about authenticating a user with “username” and “password”. I am hoping to find a way to authenticate with the “user” record I created under my auth0 account. On this page, however, I do not see where “password” or “login” is being sent across the wire to request authentication. I might have misunderstood the page. Any help much appreciated. Thanks!
So with Auth0, there are many ways you can do this, but in the default model you never send a username / email address + password over the wire yourself. You leave the authentication piece to Auth0 by redirecting the user to Auth0’s Universal Login page (this happens automatically). In this way you need not worry about dealing with passwords. This is step 3 & 4 in the diagram on the page below:
Edit: Ignore this part and see Vittorio’s response below → [It’s worth noting that the implicit flow is more or less already deprecated and will likely go away in the near future with OAuth 2.1. Implicit flow has known weaknesses / vulnerabilities and you should use the authorization code flow with PKCE instead (the Auth0 docs and examples may still use implicit flow… takes time to get everything updated). Have a look at @Vittorio’s chart here: https://twitter.com/vibronet/status/1280907090077220866?s=20]
Hey @markd, the use of implict+form_post is NOT being deprecated. What’s being deprecated is the use of implicit for obtaining access tokens thru the URL, which does NOT happen when using form_post.
Implicit+form_post is basically equivalent to certain flavors of SAML, which is definitely not deprecated and remains one of the most used mechanisms for securing some of the world’s most valuable transactions.