The OAuth manager provides methods for OAuth 2.0 authentication flows, token exchange, and token management.

OAuth Flows

LoginWithPassword

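Performs the Resource Owner Password grant. Not recommended for new applications, because the application itself collects and handles the user's password; prefer the Authorization Code grant with PKCE where a browser redirect is possible.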
// LoginWithPassword performs the Resource Owner Password grant (not
// recommended for new applications).
//
// body carries the login request parameters, including the user's username
// and password. validationOptions holds the ID token validation options.
// opts are optional request options; Header() can be used to set
// auth0-forwarded-for for brute force protection.
//
// It returns the token set from the token endpoint, or an error.
func (o *OAuth) LoginWithPassword(
    ctx context.Context,
    body oauth.LoginWithPasswordRequest,
    validationOptions oauth.IDTokenValidationOptions,
    opts ...RequestOption,
) (*oauth.TokenSet, error)
ctx
context.Context
required
The context for the request
body
oauth.LoginWithPasswordRequest
required
The login request parameters
validationOptions
oauth.IDTokenValidationOptions
required
ID token validation options
opts
...RequestOption
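Optional request options. When the call is made from a backend on behalf of an end user, use Header() to set auth0-forwarded-for to the end user's IP address, so that brute force protection is applied to that address rather than to the server's.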

LoginWithPasswordRequest

username
string
required
The user’s username
password
string
required
The user’s password
scope
string
Space-delimited list of scopes
audience
string
The unique identifier of the target API
realm
string
The realm the user belongs to (for password-realm grant)
client_id
string
Client ID (uses default if not provided)
client_secret
string
Client Secret (uses default if not provided)
extra_parameters
map[string]string
Extra parameters to merge into request

Example

import (
    "fmt"
    "log"
    "net/url"

    "github.com/auth0/go-auth0/v2/authentication/oauth"
)

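// The username and password below are placeholders. In a real application
// they come from the user at request time; never embed credentials in source
// code. When this call is made from a server on behalf of an end user, also
// pass a Header() request option that sets auth0-forwarded-for, so that brute
// force protection can act on the end user's address.
tokens, err := auth.OAuth.LoginWithPassword(
    ctx,
    oauth.LoginWithPasswordRequest{
        Username: "user@example.com",
        Password: "password123",
        Scope:    "openid profile email",
        Audience: "https://api.example.com",
    },
    // Zero value: no max_age, nonce or organization expectation is set.
    oauth.IDTokenValidationOptions{},
)
if err != nil {
    log.Fatal(err)
}

// Access and ID tokens are bearer credentials: anyone who can read them can
// use them. Report only non-sensitive metadata so the token values do not end
// up in terminal scrollback or log files.
fmt.Println("Access token issued:", tokens.AccessToken != "")
fmt.Println("ID token issued:", tokens.IDToken != "")
fmt.Println("Expires In:", tokens.ExpiresIn)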

LoginWithAuthCode

Performs the Authorization Code grant exchange.
// LoginWithAuthCode performs the Authorization Code grant exchange.
//
// body carries the authorization code exchange parameters: the code returned
// by the /authorize endpoint and the redirect_uri, which must match the one
// used in the /authorize call. validationOptions holds the ID token
// validation options. opts are optional request options.
//
// It returns the token set from the token endpoint, or an error.
func (o *OAuth) LoginWithAuthCode(
    ctx context.Context,
    body oauth.LoginWithAuthCodeRequest,
    validationOptions oauth.IDTokenValidationOptions,
    opts ...RequestOption,
) (*oauth.TokenSet, error)
ctx
context.Context
required
The context for the request
body
oauth.LoginWithAuthCodeRequest
required
The authorization code exchange parameters
validationOptions
oauth.IDTokenValidationOptions
required
ID token validation options
opts
...RequestOption
Optional request options

LoginWithAuthCodeRequest

code
string
required
The authorization code from the /authorize endpoint
redirect_uri
string
Must match the redirect_uri from the /authorize call
client_id
string
Client ID (uses default if not provided)
client_secret
string
Client Secret (required for confidential clients)
extra_parameters
map[string]string
Extra parameters to merge into request

Example

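// Code is the value delivered to the application's callback by the
// /authorize endpoint; RedirectURI must match the redirect_uri used in that
// /authorize call.
tokens, err := auth.OAuth.LoginWithAuthCode(
    ctx,
    oauth.LoginWithAuthCodeRequest{
        Code:        "authorization-code-from-callback",
        RedirectURI: "https://yourapp.com/callback",
    },
    // Zero value: no max_age, nonce or organization expectation is set. If a
    // nonce was sent with the authorization request, supply it here so the ID
    // token is checked against it.
    oauth.IDTokenValidationOptions{},
)
if err != nil {
    log.Fatal(err)
}

// The access token is a bearer credential; confirm it was issued without
// writing its value to stdout or logs.
fmt.Println("Access token issued:", tokens.AccessToken != "")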

LoginWithAuthCodeWithPKCE

Performs the Authorization Code with PKCE grant exchange.
// LoginWithAuthCodeWithPKCE performs the Authorization Code with PKCE grant
// exchange.
//
// body carries the authorization code from the /authorize endpoint and the
// code_verifier, the cryptographically random key that generated the
// code_challenge. validationOptions holds the ID token validation options.
// opts are optional request options.
//
// It returns the token set from the token endpoint, or an error.
func (o *OAuth) LoginWithAuthCodeWithPKCE(
    ctx context.Context,
    body oauth.LoginWithAuthCodeWithPKCERequest,
    validationOptions oauth.IDTokenValidationOptions,
    opts ...RequestOption,
) (*oauth.TokenSet, error)
ctx
context.Context
required
The context for the request
body
oauth.LoginWithAuthCodeWithPKCERequest
required
The authorization code with PKCE parameters
validationOptions
oauth.IDTokenValidationOptions
required
ID token validation options
opts
...RequestOption
Optional request options

LoginWithAuthCodeWithPKCERequest

code
string
required
The authorization code from the /authorize endpoint
code_verifier
string
required
The cryptographically random value from which the code_challenge was derived
redirect_uri
string
Must match the redirect_uri from the /authorize call
client_id
string
Client ID (uses default if not provided)
extra_parameters
map[string]string
Extra parameters to merge into request

Example

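// CodeVerifier must be the same random value whose hash was sent as the
// code_challenge for this authorization request. The string below is a
// placeholder: generate a fresh verifier for every request and keep it with
// the user's session until the callback arrives.
tokens, err := auth.OAuth.LoginWithAuthCodeWithPKCE(
    ctx,
    oauth.LoginWithAuthCodeWithPKCERequest{
        Code:         "authorization-code-from-callback",
        CodeVerifier: "code-verifier-from-pkce-flow",
        RedirectURI:  "https://yourapp.com/callback",
    },
    // Zero value: no max_age, nonce or organization expectation is set.
    oauth.IDTokenValidationOptions{},
)
if err != nil {
    log.Fatal(err)
}

// The access token is a bearer credential; confirm it was issued without
// writing its value to stdout or logs.
fmt.Println("Access token issued:", tokens.AccessToken != "")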

LoginWithClientCredentials

Performs the Client Credentials grant (M2M).
// LoginWithClientCredentials performs the Client Credentials grant
// (machine-to-machine).
//
// body carries the client credentials request parameters; audience, the
// unique identifier of the target API, is required. validationOptions holds
// the ID token validation options. opts are optional request options.
//
// It returns the token set from the token endpoint, or an error.
func (o *OAuth) LoginWithClientCredentials(
    ctx context.Context,
    body oauth.LoginWithClientCredentialsRequest,
    validationOptions oauth.IDTokenValidationOptions,
    opts ...RequestOption,
) (*oauth.TokenSet, error)
ctx
context.Context
required
The context for the request
body
oauth.LoginWithClientCredentialsRequest
required
The client credentials request parameters
validationOptions
oauth.IDTokenValidationOptions
required
ID token validation options
opts
...RequestOption
Optional request options

LoginWithClientCredentialsRequest

audience
string
required
The unique identifier of the target API
organization
string
Organization name or ID (adds org_id or org_name claim)
client_id
string
Client ID (uses default if not provided)
client_secret
string
Client Secret (required)
extra_parameters
map[string]string
Extra parameters to merge into request

Example

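// No ClientID or ClientSecret is set on the request, so the client's
// defaults are used. The client secret is required for this grant; keep it
// out of source code.
tokens, err := auth.OAuth.LoginWithClientCredentials(
    ctx,
    oauth.LoginWithClientCredentialsRequest{
        Audience: "https://api.example.com",
    },
    oauth.IDTokenValidationOptions{},
)
if err != nil {
    log.Fatal(err)
}

// A machine-to-machine access token is a bearer credential for the target
// API; report that it was issued and its lifetime, not its value.
fmt.Println("Access token issued:", tokens.AccessToken != "")
fmt.Println("Expires In:", tokens.ExpiresIn)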

LoginWithGrant

Generic method for any OAuth 2.0 grant type.
// LoginWithGrant is the generic method for any OAuth 2.0 grant type.
//
// grantType is the OAuth 2.0 grant type and body holds the request body
// parameters. validationOptions holds the ID token validation options. opts
// are optional request options.
//
// It returns the token set from the token endpoint, or an error.
func (o *OAuth) LoginWithGrant(
    ctx context.Context,
    grantType string,
    body url.Values,
    validationOptions oauth.IDTokenValidationOptions,
    opts ...RequestOption,
) (*oauth.TokenSet, error)
ctx
context.Context
required
The context for the request
grantType
string
required
The OAuth 2.0 grant type
body
url.Values
required
The request body parameters
validationOptions
oauth.IDTokenValidationOptions
required
ID token validation options
opts
...RequestOption
Optional request options

Token Management

RefreshToken

Refreshes an access token using a refresh token.
// RefreshToken refreshes an access token using a refresh token.
//
// body carries the refresh token and, optionally, the requested scopes,
// which can be reduced from the original grant. validationOptions holds the
// ID token validation options. opts are optional request options.
//
// It returns the token set from the token endpoint, or an error.
func (o *OAuth) RefreshToken(
    ctx context.Context,
    body oauth.RefreshTokenRequest,
    validationOptions oauth.IDTokenValidationOptions,
    opts ...RequestOption,
) (*oauth.TokenSet, error)
ctx
context.Context
required
The context for the request
body
oauth.RefreshTokenRequest
required
The refresh token request parameters
validationOptions
oauth.IDTokenValidationOptions
required
ID token validation options
opts
...RequestOption
Optional request options

RefreshTokenRequest

refresh_token
string
required
The refresh token to use
scope
string
Requested scopes (can be reduced from original)
client_id
string
Client ID (uses default if not provided)
client_secret
string
Client Secret (uses default if not provided)
extra_parameters
map[string]string
Extra parameters to merge into request

Example

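// The refresh token string is a placeholder. A refresh token is a long-lived
// credential: load it from wherever the application stores it securely, not
// from a literal in source code.
tokens, err := auth.OAuth.RefreshToken(
    ctx,
    oauth.RefreshTokenRequest{
        RefreshToken: "refresh-token-from-initial-login",
    },
    oauth.IDTokenValidationOptions{},
)
if err != nil {
    log.Fatal(err)
}

// The new access token is a bearer credential; confirm it was issued without
// writing its value to stdout or logs.
fmt.Println("New access token issued:", tokens.AccessToken != "")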

RevokeRefreshToken

Invalidates a refresh token.
// RevokeRefreshToken invalidates a refresh token.
//
// body carries the revoke request parameters; token, the refresh token to
// revoke, is required. opts are optional request options.
//
// It returns an error if the request fails.
func (o *OAuth) RevokeRefreshToken(
    ctx context.Context,
    body oauth.RevokeRefreshTokenRequest,
    opts ...RequestOption,
) error
ctx
context.Context
required
The context for the request
body
oauth.RevokeRefreshTokenRequest
required
The revoke token request parameters
opts
...RequestOption
Optional request options

RevokeRefreshTokenRequest

token
string
required
The refresh token to revoke
client_id
string
Client ID (uses default if not provided)
client_secret
string
Client Secret (uses default if not provided)
extra_parameters
map[string]string
Extra parameters to merge into request

Example

// Describe the token to invalidate, then ask the authorization server to
// revoke it. ClientID and ClientSecret are left unset, so the defaults apply.
revokeReq := oauth.RevokeRefreshTokenRequest{
    Token: "refresh-token-to-revoke",
}
if err := auth.OAuth.RevokeRefreshToken(ctx, revokeReq); err != nil {
    log.Fatal(err)
}

fmt.Println("Token revoked successfully")

Pushed Authorization Request (PAR)

PushedAuthorization

Performs a Pushed Authorization Request to initiate an OAuth flow from the backend.
// PushedAuthorization performs a Pushed Authorization Request (PAR) to
// initiate an OAuth flow from the backend.
//
// body carries the PAR request parameters; response_type and redirect_uri
// are required. opts are optional request options.
//
// It returns the PAR response, which holds the request URI to use in the
// /authorize call and the number of seconds it is valid for, or an error.
func (o *OAuth) PushedAuthorization(
    ctx context.Context,
    body oauth.PushedAuthorizationRequest,
    opts ...RequestOption,
) (*oauth.PushedAuthorizationRequestResponse, error)
ctx
context.Context
required
The context for the request
body
oauth.PushedAuthorizationRequest
required
The PAR request parameters
opts
...RequestOption
Optional request options

PushedAuthorizationRequest

response_type
string
required
The response type the client expects (e.g., “code”)
redirect_uri
string
required
The URI to redirect to
scope
string
Scopes to request
audience
string
The unique identifier of the target API
nonce
string
The nonce value
response_mode
string
The response mode to use
organization
string
The organization to log into
invitation
string
The ID of an invitation to accept
connection
string
Name of the connection
code_challenge
string
Base64url-encoded (unpadded) SHA-256 hash of the code_verifier (for PKCE)
client_id
string
Client ID (uses default if not provided)
client_secret
string
Client Secret (required)
extra_parameters
map[string]string
Extra parameters to add to request

Example

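// Push the authorization parameters to the authorization server from the
// backend; only a reference to them (request_uri) travels via the browser.
parResponse, err := auth.OAuth.PushedAuthorization(
    ctx,
    oauth.PushedAuthorizationRequest{
        ResponseType: "code",
        RedirectURI:  "https://yourapp.com/callback",
        Scope:        "openid profile email",
        Audience:     "https://api.example.com",
    },
)
if err != nil {
    log.Fatal(err)
}

fmt.Println("Request URI:", parResponse.RequestURI)
// The request URI is only valid for ExpiresIn seconds, so redirect promptly.
fmt.Println("Expires In:", parResponse.ExpiresIn)

// Use the request_uri in your authorize URL. Build the query with url.Values
// so that client_id and request_uri are percent-encoded instead of being
// spliced into the URL as raw strings.
query := url.Values{}
query.Set("client_id", clientID)
query.Set("request_uri", parResponse.RequestURI)
authorizeURL := "https://your-domain.auth0.com/authorize?" + query.Encode()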

Response

request_uri
string
The request URI to use in the /authorize call
expires_in
int
The number of seconds the request URI is valid for

Types

TokenSet

Response from OAuth token endpoints:
access_token
string
The access token
id_token
string
The user’s ID token (if openid scope was requested)
refresh_token
string
The refresh token (if offline_access scope was requested)
token_type
string
The type of the access token (typically “Bearer”)
expires_in
int64
The duration in seconds that the access token is valid for
scope
string
Space-separated list of scopes granted

IDTokenValidationOptions

Optional validation parameters:
max_age
time.Duration
Maximum allowed age of the authentication
nonce
string
Expected nonce value (the nonce that was sent with the authorization request)
organization
string
Expected organization ID or name

See Also
