diff --git a/main/docs/get-started/applications/application-grant-types.mdx b/main/docs/get-started/applications/application-grant-types.mdx index 25df1aaf7..863497a3a 100644 --- a/main/docs/get-started/applications/application-grant-types.mdx +++ b/main/docs/get-started/applications/application-grant-types.mdx @@ -104,7 +104,7 @@ If you are using the Dashboard to enable or disable these grant types, be aware |---|---| | `authorization_code` | Yes (PKCE mandatory) | | `refresh_token` | Yes | -| `client_credentials` | Planned for a future release | +| `client_credentials` | Yes (confidential clients only) | | `implicit` | No | | `password` | No | | `urn:ietf:params:oauth:grant-type:device_code` | No | diff --git a/main/docs/get-started/applications/application-settings.mdx b/main/docs/get-started/applications/application-settings.mdx index 47f7ab2a8..5706cc7f7 100644 --- a/main/docs/get-started/applications/application-settings.mdx +++ b/main/docs/get-started/applications/application-settings.mdx 
@@ -141,7 +141,7 @@ For troubleshooting help, read [Troubleshoot Invalid Token Errors](/docs/trouble ### Grant Types -Select grant types to enable or disable for your application. Available grant types are based on the application type and [application ownership](/docs/get-started/applications/first-party-and-third-party-applications). Third-party applications with enhanced security controls only support `authorization_code` and `refresh_token`. +Select grant types to enable or disable for your application. Available grant types are based on the application type and [application ownership](/docs/get-started/applications/first-party-and-third-party-applications). Third-party applications with enhanced security controls support `authorization_code`, `refresh_token`, and `client_credentials`. ![Dashboard Applications Application Settings Tab Advanced Settings Grant Types tab](/docs/images/cdy7uua7fh8z/4ZMq4VfeGsKsKfZVFwSqe8/a0057749551915ac8d24b151bc27e875/Grant_Types_-_English.png) diff --git a/main/docs/get-started/applications/dynamic-client-registration.mdx b/main/docs/get-started/applications/dynamic-client-registration.mdx index acb500d14..53865a740 100644 --- a/main/docs/get-started/applications/dynamic-client-registration.mdx +++ b/main/docs/get-started/applications/dynamic-client-registration.mdx @@ -12,7 +12,7 @@ All applications created through Dynamic Client Registration are [third-party ap - Receive a `tpc_` client ID prefix - Require PKCE for authorization code flows -- Support only `authorization_code` and `refresh_token` grant types +- Support only `authorization_code` and `refresh_token` grant types. The `client_credentials` grant type is not available via DCR. - Can only access APIs through explicit [client grants](/docs/get-started/applications/application-access-to-apis-client-grants) - Can only use [domain-level connections](/docs/authenticate/identity-providers/promote-connections-to-domain-level) for authentication 
@@ -78,7 +78,7 @@ curl --request POST \ | `client_name` | The name of the application to create. | | `redirect_uris` (required) | An array of URLs that Auth0 will accept as valid callback URLs at the end of an authentication flow. | | `token_endpoint_auth_method` | The authentication method for the token endpoint. Use `none` for public clients (SPA, Native) or `client_secret_post` (default) for confidential clients. | -| `grant_types` | The grant types the application wants to use. Filtered down in response to reflect the ones it will be allowed to use. Third-party applications support `authorization_code` and `refresh_token`. | +| `grant_types` | The grant types the application wants to use. Filtered down in response to reflect the ones it will be allowed to use. Applications created through DCR support `authorization_code` and `refresh_token`. | | `response_types` | The response types the application will use. Use `code` for authorization code flow. | If successful, Auth0 returns the application credentials: diff --git a/main/docs/get-started/applications/first-party-and-third-party-applications.mdx b/main/docs/get-started/applications/first-party-and-third-party-applications.mdx index 3ad502d78..86b39391e 100644 --- a/main/docs/get-started/applications/first-party-and-third-party-applications.mdx +++ b/main/docs/get-started/applications/first-party-and-third-party-applications.mdx 
@@ -39,11 +39,11 @@ The following table summarizes the differences between first-party and third-par | **API access** | Follows the API's configured access policy | Always requires an explicit [client grant](/docs/get-started/applications/application-access-to-apis-client-grants) | | **Auth0 system APIs** | Accessible in user flows | Not accessible in user flows | | **User consent** | Can be skipped (if enabled on the API) | Always required | -| **Grant types** | All supported grant types | `authorization_code` and `refresh_token` | +| **Grant types** | All supported grant types | `authorization_code`, `refresh_token`, and `client_credentials` | | **OIDC** | Supported | Not supported. Planned for a future release. | | **Rules** | Executed | Not supported. Results in error. | | **Non-OAuth protocols** (SAML, WsFed) | Supported | Not supported | -| **Organizations** | Supported | Not supported. Planned for a future release. | +| **Organizations** | Supported | Machine-to-machine access supported via [organization client grants](/docs/manage-users/organizations/configure-organizations/configure-organization-client-grants). User flows planned for a future release. | | **Client ID format** | Standard format | `tpc_` prefix | | **Connections** | All enabled connections | Domain-level connections | diff --git a/main/docs/get-started/applications/third-party-applications.mdx b/main/docs/get-started/applications/third-party-applications.mdx index c2acd27ec..33894372a 100644 --- a/main/docs/get-started/applications/third-party-applications.mdx +++ b/main/docs/get-started/applications/third-party-applications.mdx @@ -41,8 +41,7 @@ Third-party applications support: - `authorization_code` with mandatory PKCE - `refresh_token` - -Additional grant types such as `client_credentials` are planned for a future release. +- `client_credentials` (confidential clients only) ## Get started 
diff --git a/main/docs/get-started/applications/third-party-applications/configure-third-party-applications.mdx b/main/docs/get-started/applications/third-party-applications/configure-third-party-applications.mdx index 6444c963e..69572acbb 100644 --- a/main/docs/get-started/applications/third-party-applications/configure-third-party-applications.mdx +++ b/main/docs/get-started/applications/third-party-applications/configure-third-party-applications.mdx @@ -57,7 +57,7 @@ curl --request POST \ | `is_first_party` | Boolean | Indicates whether the application is first-party (`true`) or third-party (`false`). | | `app_type` | String | The type of application (e.g., `regular_web`, `native`, `spa`, `non_interactive`). | | `callbacks` | Array | A list of allowed callback URLs for the redirect after authentication. | -| `grant_types` | Array | A list of types of OAuth2 grants this client is allowed to use. Third-party applications are only allowed to use `authorization_code` and `refresh_token`. To learn more, read [Supported grant types](/docs/get-started/applications/third-party-applications#supported-grant-types). | +| `grant_types` | Array | A list of types of OAuth2 grants this client is allowed to use. Third-party applications support `authorization_code`, `refresh_token`, and `client_credentials`. To learn more, read [Security Controls for Third-Party Applications](/docs/get-started/applications/third-party-applications/security-controls). | | `token_endpoint_auth_method` | String | The authentication method for the token endpoint (e.g., `client_secret_post`). | If successful, Auth0 creates the application with a `tpc_` Client ID prefix, `authorization_code` and `refresh_token` grant types, and sets `third_party_security_mode` to `strict`, indicating that enhanced security controls are enabled. 
diff --git a/main/docs/get-started/applications/third-party-applications/permissive-mode.mdx b/main/docs/get-started/applications/third-party-applications/permissive-mode.mdx index 2e93f2536..c4326a84c 100644 --- a/main/docs/get-started/applications/third-party-applications/permissive-mode.mdx +++ b/main/docs/get-started/applications/third-party-applications/permissive-mode.mdx @@ -48,7 +48,7 @@ Third-party applications created before the introduction of security modes retur | **Capability** | **Enhanced security controls (strict)** | **Pre-existing behavior (permissive)** | |---|---|---| -| **Grant types** | `authorization_code`, `refresh_token` | Most grant types (except `password`) | +| **Grant types** | `authorization_code`, `refresh_token`, `client_credentials` | Most grant types (except `password`) | | **PKCE** | Mandatory | Optional | | **OIDC** | Not supported. Planned for a future release. | Supported | | **API authorization** | Always requires explicit client grant | Follows API access policy | diff --git a/main/docs/get-started/applications/third-party-applications/security-controls.mdx b/main/docs/get-started/applications/third-party-applications/security-controls.mdx index e1ae29f42..5461b7d3c 100644 --- a/main/docs/get-started/applications/third-party-applications/security-controls.mdx +++ b/main/docs/get-started/applications/third-party-applications/security-controls.mdx 
@@ -17,7 +17,7 @@ Auth0 regularly enhances security for third-party applications. Only features ex Third-party applications enforce modern OAuth standards: - **PKCE mandatory**: All authorization code flows require [Proof Key for Code Exchange](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). This prevents authorization code interception attacks. -- **Supported grant types**: Only `authorization_code` and `refresh_token` are available. Additional grant types such as `client_credentials` are planned for a future release. +- **Supported grant types**: `authorization_code`, `refresh_token`, and `client_credentials`. - **Implicit and password grants not supported**: Legacy grant types that expose tokens in the browser URL or require direct credential handling are not available for third-party applications. ## Explicit API authorization 
@@ -34,6 +34,20 @@ Third-party applications must have an explicit grant, even when an API is config Third-party applications cannot be granted access to [system APIs](/docs/get-started/apis#system-apis) such as the Management API or My Account API. +## Machine-to-machine (Client Credentials) + +Third-party applications support the `client_credentials` grant type for machine-to-machine access. This enables backend partner integrations and server-to-server API access without user involvement. + +**Requirements and constraints:** + +- The application must be a confidential client (`token_endpoint_auth_method` must not be `none`). +- [Organizations](/docs/manage-users/organizations): Machine-to-machine access with Organizations is supported. An explicit [organization client grant](/docs/manage-users/organizations/configure-organizations/configure-organization-client-grants) is required for each organization. The `allow_any_organization` option is not permitted for third-party applications. Default client grants for third-party applications cannot be used to configure `organization_usage`. +- Not available for applications created through [Dynamic Client Registration](/docs/get-started/applications/dynamic-client-registration) or [CIMD](/docs/get-started/applications/third-party-applications/configure-third-party-applications#cimd). + +**Extensibility:** + +- [Actions](/docs/customize/actions) with the credentials-exchange trigger execute normally. + ## Restricted client configuration You can only configure a curated set of client properties for third-party applications. When new properties are added to Auth0, they are not available for third-party applications unless explicitly reviewed and added to the supported set. 
@@ -45,7 +59,7 @@ Key supported properties include: | `name`, `description`, `logo_uri` | Basic metadata | | `callbacks` | Redirect URIs | | `allowed_origins`, `web_origins` | CORS and web_message origins | -| `grant_types` | Must be `authorization_code` or `refresh_token` | +| `grant_types` | Must be `authorization_code`, `refresh_token`, or `client_credentials` | | `token_endpoint_auth_method` | Authentication method for the token endpoint | | `app_type` | Must be `regular_web`, `spa`, `native`, or `non_interactive` | | `client_metadata` | Custom key-value metadata | @@ -155,6 +169,7 @@ The following features are not supported for third-party applications: | **Auth0 system APIs** (Management API, MFA API, My Account API, My Orgs API) | Not supported. Third-party applications cannot access system APIs in user flows. | | **MFA during refresh token exchange** | Not supported. Refresh token transactions that trigger MFA will result in an error. | | **Rules** | Not supported. Tenants with active Rules will receive an error when a strict third-party application triggers a login flow. | +| **Hooks** (credentials-exchange) | Not supported. Tenants with an active credentials-exchange Hook will receive an error. Migrate to [Actions](/docs/customize/actions) for credentials-exchange extensibility. | | **Non-OAuth Authentication API endpoints** (`/dbconnections/*`, `/passwordless/*`) | Not supported. | | **Legacy endpoints** (`/delegation`, `/oauth/ro`) | Not supported. | | **SAML, WsFed** | Not supported. | diff --git a/main/docs/get-started/applications/third-party-applications/troubleshooting.mdx b/main/docs/get-started/applications/third-party-applications/troubleshooting.mdx index e37b34afb..9e31c0b00 100644 --- a/main/docs/get-started/applications/third-party-applications/troubleshooting.mdx +++ b/main/docs/get-started/applications/third-party-applications/troubleshooting.mdx 
@@ -59,9 +59,9 @@ curl --request POST \ ### Grant type not supported -**Cause**: Only `authorization_code` and `refresh_token` grant types are supported. Grant types such as `implicit`, `password`, `client_credentials`, and `urn:ietf:params:oauth:grant-type:device_code` are not available. +**Cause**: Only `authorization_code`, `refresh_token`, and `client_credentials` grant types are supported. Grant types such as `implicit`, `password`, and `urn:ietf:params:oauth:grant-type:device_code` are not available. -**Solution**: Update the application to use the [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). +**Solution**: For user flows, use the [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce). For machine-to-machine access, use the [Client Credentials Flow](/docs/get-started/authentication-and-authorization-flow/client-credentials-flow) with a confidential client (`token_endpoint_auth_method` must not be `none`). ### Classic Login not working diff --git a/main/docs/images/third-party-applications/create-application-dialog.png b/main/docs/images/third-party-applications/create-application-dialog.png index 629d97252..c7357efa6 100644 Binary files a/main/docs/images/third-party-applications/create-application-dialog.png and b/main/docs/images/third-party-applications/create-application-dialog.png differ diff --git a/main/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications.mdx b/main/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications.mdx index 31f88a1b6..bff3f0cb1 100644 --- a/main/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications.mdx 
+++ b/main/docs/troubleshoot/product-lifecycle/deprecations-and-migrations/migrate-to-enhanced-security-third-party-applications.mdx @@ -118,7 +118,7 @@ To learn more, read [Default permissions for third-party applications](/docs/get ##### 3. Validate compatibility Test your workflows for creating third-party applications with enhanced security controls enabled. Confirm that: -* Your applications can use `authorization_code` and `refresh_token` grant types +* Your applications can use `authorization_code`, `refresh_token`, or `client_credentials` grant types * PKCE is implemented in your authorization flows * You do not require OIDC scopes * You do not require Classic Login or legacy endpoints @@ -264,7 +264,7 @@ The following table compares the capabilities available to each security mode: | Capability | Enhanced Security Controls | Existing Behavior | |---|---|---| -| **Grant types** | `authorization_code`, `refresh_token` | All grant types available | +| **Grant types** | `authorization_code`, `refresh_token`, `client_credentials` | All grant types available | | **PKCE** | Mandatory | Optional | | **OIDC** | Not available. Planned for a future release. | Supported | | **API authorization** | Always requires explicit client grant | Follows API's access policy |
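Review bot: In the application-settings.mdx hunk, the new sentence "Third-party applications with enhanced security controls support `authorization_code`, `refresh_token`, and `client_credentials`." drops the confidential-client qualifier that the application-grant-types.mdx hunk in this same patch adds ("Yes (confidential clients only)"). A reader of the Settings page could enable `client_credentials` on a public client and only learn of the restriction from a token endpoint error; suggest "... and `client_credentials` (confidential clients only)" here as well so the two pages agree.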
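Review bot: In the dynamic-client-registration.mdx bullet-list hunk, the edited bullet now ends with a full stop and a second sentence ("... grant types. The `client_credentials` grant type is not available via DCR.") while every sibling bullet in the visible context is a fragment without terminal punctuation. Suggest keeping the list style consistent, for example "- Support only `authorization_code` and `refresh_token` grant types (`client_credentials` is not available via DCR)".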
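Review bot: In the configure-third-party-applications.mdx hunk, the unchanged context line after the table is now inconsistent with the edited `grant_types` row: the row says third-party applications support `client_credentials`, but the following sentence still reads "If successful, Auth0 creates the application with a `tpc_` Client ID prefix, `authorization_code` and `refresh_token` grant types, ...". Either qualify that sentence as describing the grant types requested in the example (for instance "with the requested `authorization_code` and `refresh_token` grant types") or extend it, so readers do not conclude that `client_credentials` is silently stripped on creation.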
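Review bot: The new "Machine-to-machine (Client Credentials)" section in security-controls.mdx should restate that a `client_credentials` token request still requires an explicit client grant for the target API; the context line just above the hunk ("Third-party applications must have an explicit grant, even when an API is config...") establishes this, but a reader who lands on the new heading directly will not see it, and it is the control that prevents a partner backend from minting tokens for arbitrary APIs. A one-line bullet under "Requirements and constraints" such as "An explicit [client grant](/docs/get-started/applications/application-access-to-apis-client-grants) for the target API is required" would close the gap. Separately, the last sentence of the Organizations bullet ("Default client grants for third-party applications cannot be used to configure `organization_usage`.") is hard to parse as written; clarifying what a "default client grant" refers to, or linking to its definition, would help.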
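Review bot: In the security-controls.mdx supported-properties hunk (@@ -45,7 +59,7 @@), "Must be `authorization_code`, `refresh_token`, or `client_credentials`" reads as if `grant_types` holds a single value, but the same patch's configure-third-party-applications.mdx hunk documents it as an Array and the migration checklist says applications can use the three together. Suggest "Only `authorization_code`, `refresh_token`, and `client_credentials` are permitted" and, since the new section restricts `client_credentials` to confidential clients, a short pointer such as "(`client_credentials` requires `token_endpoint_auth_method` other than `none`)".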
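Review bot: The new **Hooks** (credentials-exchange) row in the security-controls.mdx unsupported-features table (@@ -155,6 +169,7 @@) does not say when the error occurs, unlike the neighbouring **Rules** row, which specifies "when a strict third-party application triggers a login flow". Suggest mirroring that wording, for example "Tenants with an active credentials-exchange Hook will receive an error when a strict third-party application requests a token with `client_credentials`", so operators know which requests to expect to fail and which Hook to migrate before enabling the grant type.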