When you design the login experience for your application, you’ll need to decide if you want it to be hosted (Universal Login) or embedded.

Hosted login

In a hosted login flow, the application redirects the user to the to perform authentication, and then the authorization server returns the user to the application.

Universal Login flow

In the typical user authentication experience with :
  1. Your application triggers an authentication request by invoking an Auth0 SDK’s login method or by calling the Auth0 Authentication API Login endpoint directly.
  2. Your application redirects the user to the Auth0 authorization server (your Auth0 tenant).
  3. Auth0 checks for a session cookie on the Auth0 Session Layer.
    • If a session cookie is not found, Auth0 redirects the user to Universal Login to authenticate and creates an associated session cookie.
    • If a session cookie is found, Auth0 uses it to authenticate the user.
  4. Auth0 returns the user to your application with an ID token and an access token.

Embedded login

In an embedded login flow, the user authenticates directly within your application. The application serves the login form, collects the user’s credentials, sends that data to the authentication provider, and then receives a response with the user’s and . For web applications, embedded login uses cross-origin authentication unless you configure a custom domain for your Auth0 tenant. Cross-origin authentication uses third-party cookies to allow for secure authentication transactions across different origins.

Feature comparison

FeatureHostedEmbedded
Single Sign-onFull support with Universal Login through the use of session cookies on the Auth0 Authorization Server (your Auth0 tenant).Limited support. Web applications that use the Lock or Auth0.js libraries can share sessions. Native applications can share sessions with web applications through Native to Web SSO.
CustomizationUniversal Login allows you to easily customize many parts of the experience (including theming, page templates, text elements, and prompts).

Full customization is supported through Advanced Customizations for Universal Login.		Highest degree of customization, since you fully control the UI/UX of your application.
Feature managementFeatures can be centrally managed within the Auth0 Dashboard or through the Auth0 Management API.

For example, when you enable/disable MFA in your Dashboard, it will be immediately reflected in subsequent user logins.		Features must be managed for each application individually.

For example, if you wanted to implement MFA for your web application and for your native application, you’d have to update and release new versions for both.
User experienceUsers are redirected between your application and the Auth0 Authorization Server during authentication.

For native applications, this requires implementation of universal/deep links.		Users remain in your application during authentication.
Security and maintenanceAuth0 monitors security trends and updates Universal Login accordingly.You are responsible for following security best practices and implementing provided technologies accordingly.

Best practice

According to RFC 8252: OAuth 2.0 for Native Apps on IETF, only external user-agents (such as the browser) should be used by native applications for authentication flows.

Learn more