Past Migrations
These are migrations that have already been enabled for all customers. If you have any questions, create a ticket in our Support Center.
Remove Subscription Tickets access for Tenant Admins
Deprecated: June 5, 2024 End of life: August 5, 2024 Access to view Subscription Tickets within the Auth0 Support Center is changing on August 5, 2024. To retain access to view and manage all support tickets created by all users across a tenant, the new Elevated Support Access role is required.Password Reset and Email Verification Links in Tenant Logs Deprecation
Deprecated: December 7, 2023 End of life: February 5, 2024 Password reset and email verification links will no longer be logged to tenant logs. These links can be retrieved from the password reset or email verification request response.Reducing Maximum Expiration Time for Login Transactions
Deprecated: September 5, 2023 (Public Cloud), November 21, 2023 (Private Cloud) End of life: February 21, 2024 With this change, we will enforce a maximum lifetime of 1 hour for redirection-based login flows. Login flows that take longer than 1 hour to complete will expire in both Universal and Classic Login. After expiration, subsequent actions from the end user’s browser (e.g. input email/password, redirect back to Actions/Rules, etc.) will result in either:- A redirect to the associated application’s default login route to reinitiate the flow as a new login transaction, or
- An error page if the default login route is not configured.
Unregistered Scopes in Refresh Tokens Deprecation
Deprecated: July 12, 2023 End of life: January 17, 2024 We are improving scope evaluation during exchange to ensure that unregistered scopes cannot be requested. Custom scope values not registered against theaud or audience value (for an API registered in your tenant) are considered unregistered scopes.
With this change, the API scope evaluation will include any custom scopes requested during user authentication or injected through extensibility, such as Rules. This evaluation will validate that all scopes are registered, returning an error if any are not registered.
auth0-cordova, angular-auth0, and express-oauth2-bearer Repo Deprecations
Deprecated: April 27, 2023 End of life: June 30, 2023 (express-oauth2-bearer), October 27, 2023 (angular-auth0 and auth0-cordova) We have deprecated the following repos:- express-oauth2-bearer | migration guide
- angular-auth0 | migration guide
- auth0-cordova | migration guide
Actions Migration from Node.js 16 to Node.js 18
Target migration: Sept 11, 2023 As part of our mission to support every future version of LTS Node.js through Actions, and to be in line with the Node JS developer community, we are releasing Node 18 while Node 16 is still in Active LTS. We urge all customers to transition today to Node 18 and make the most of its LTS. Remember, while Node 16 LTS remains available until September, their use may involve certain risks following the conclusion of LTS and we recommend you to update to Node 18. Node.js 18 is now generally available (GA) across our entire suite of extensibility offerings. This includes Actions, Rules, Hooks, Database Scripts, and Custom Social Connections. We strongly encourage everyone to update to Node 18 by Sept 11, 2023, to adhere to best code security practices.Support for edge.js in Extensibility Features
Deprecated: December 21, 2022 End of life: June 21, 2023 After June 21, 2023, Auth0 will no longer support running .NET and C# from Node.js in Extensibility features. Auth0 previously supported a subset of the C# language to write extensibility code for Rules, Hooks, and Custom Database Scripts via a Node.js module called edge.js. Deprecating support for running .NET and C# from Node.js in Extensibility is critical to maintaining a performant and secure platform for running untrusted code. This change will allow us to continue improving our next-generation Extensibility offerings. To learn more, read Migrate from edge.js extensibility features.Support for oracledb in Extensibility Features
Deprecated: December 21, 2022 End of life: June 21, 2023 Auth0 will no longer support the auth0-claims-provider add-on for Sharepoint 2010/2013 after July 31, 2023. After June 21, 2023, Auth0 will no longer support connecting to Oracle Databases from Node.js in Extensibility features. Auth0 previously supported connecting to Oracle Databases from extensibility code for Rules, Hooks, and Custom Database Scripts via a Node.js module called oracledb. Deprecating support for connecting to Oracle Databases from Node.js in Extensibility is critical to maintaining a performant and secure platform for running untrusted code. This change will allow us to continue improving our next-generation Extensibility offerings. To learn more, read Migrate from oracledb extensibility features.Auth0 Claims Provider for SharePoint 2010 / 2013
Deprecated: January 31, 2023 End of life: July 31, 2023 Auth0 will no longer support the auth0-claims-provider add-on for Sharepoint 2010/2013 after July 31, 2023. Without this add-on, you won’t be able to use the “Sharepoint People Picker” with Auth0 connections to assign permissions to Sharepoint 2010/2013 users. You must remove any integrations with the auth0-claims-provider add-on before July 31, 2023. After that date, any remaining integrations with the auth0-claims-provider add-on will cease to function properly and may impact users of your applications.Checkpoint Pagination on Get Role Users Endpoint
Deprecated: November 9, 2022 End of life: May 9, 2023 To improve performance, the Get Role Users Management API endpoint will only return greater than 1,000 total results if the checkpoint pagination method is used. This pagination method is optimized to support large quantities of results. The offset pagination method will be capped at 1,000 results. For implementation details for the two pagination methods, read the Management API documentation for the Get Role Users endpoint.Legacy Custom Claims
Deprecated: July 28, 2022 (Public Cloud), August 31, 2022 (Private Cloud) End of life: January 30, 2023 (Public Cloud), April 18, 2023 (Private Cloud) Beginning January 30, 2023 in Public Cloud and April 18, 2023 in Private Cloud, Auth0 will allow the addition of non-namespaced custom claims to tokens using Auth0 Actions and in responses from the Authentication API/userinfo endpoint. Previously, Auth0 allowed namespaced claims on access and via extensibility code (Rules / Hooks / Actions). The migration to custom claims allows private, non-namespaced custom claims and OIDC user profile claims to be added to ; ID tokens currently support user profile claims and will additionally support private, non-namespaced custom claims. These claims will also be added to the Auth0 /userinfo response. To begin the migration, read the Custom Claims Migration Guide.
If your tenant is running extensibility code (Rules / Hooks / Actions) that tries to set non-namespaced custom claims that are being ignored until this deprecation, then those claims will begin to appear on the tokens and the /userinfo response. We recommend you review your configuration and Auth0 logs.
With the addition of non-namespaced, private claims, Auth0 is enforcing the following restrictions that could potentially affect your tenant:
- Auth0 will restrict the custom claims payload to a maximum of 100KB.
- Auth0 will restrict the customization/modification of standard claims or claims used internally by Auth0.
- In the future, Auth0 may restrict the use of other claims not included in the above list. In those cases, customers will be notified with a reasonable time to migrate.
- Auth0 will restrict the creation of private, non-namespaced custom claims on access tokens with an Auth0 , excluding the
/userinfoendpoint. - Only specified OIDC user profile claims can be added to access tokens.
- Auth0 will restrict creating a custom claim starting with a $ character.
Legacy Private Cloud Platform
Deprecated: June 13, 2022 End of life: January 31, 2023 We’re making improvements to the underlying infrastructure that supports Auth0 Private Cloud by introducing a modern Kubernetes-based technology stack, as well as database upgrades. We are currently working with all Auth0 Private Cloud customers to schedule the upgrade of their private cloud deployment to the new infrastructure stack during the course of this year, and will be discontinuing the older stack by January 31, 2023. In addition, 2205 (May 2022 release) is the last official release for the legacy Private Cloud platform. Any bugs or security vulnerabilities will be assessed and addressed in patch releases as necessary. Prior to upgrading to the new infrastructure stack, environments will need to be updated to the minimum compatible version to support the upgrade efforts. Please reach out to your Technical Account Manager with any questions.Log Extensions
Deprecated: May 4, 2022 (Public Cloud), June 9, 2022 (Private Cloud release 2205) End of life: May 2, 2023 (Public Cloud), January 6, 2023 (Private Cloud) Beginning May 4, 2022, in Public Cloud and June 9th, 2022, in Private Cloud, the following Auth0 Log Extensions will be deprecated:- Auth0 Authentication API Webhooks
- Auth0 Management API Webhooks
- Logs to Cloudwatch
- Logs to Logentries
- Logs to Loggly
- Logs to Logstash
- Logs to Papertrail
- Logs to Splunk
- Logs to Sumo Logic
- Logs to Segment
- Logs to Mixpanel
- Logs to AppInsights
- Logs to Azure Blob Storage
Tenant Hostname Validation
Deprecated: December 9, 2021 and December, 2021 (Private Cloud Release 2112.2) End of life: June 9, 2022 and September 9, 2022 (Private Cloud) As of June 9, 2022 in Public Cloud and September 9, 2022 in Private Cloud, Auth0 will increase the security of API calls by adding a validation step for tenant hostnames to the Authentication API’s identification process. When a call is made, the Authentication API will validate the entity identifier (eg:client_id) of the requesting tenant as well as the tenant name in the URL domain. The tenant owning the identifier must be from the same tenant in the URL domain or the request will be rejected.
If your application or API calls any of the listed endpoints, you must configure your API calls to make sure the identifier of the requesting tenant and hostname are the same:
/oauth/token/co/authenticate/userinfo/login/oauth/revoke/mfa/challenge/p/<connection-type>/<ticket>(Enterprise connection provisioning endpoint)
Node.js 16 Migration
End of life: April 30, 2022 On 30 Apr 2022, Node.js v12 went out of long-term support (LTS), which means that the Node.js development team no longer back-ports critical security fixes to this version. This could potentially expose your extensibility code to security vulnerabilities. Therefore, Auth0 is migrating from Node 12 to Node 16. Although the Node 16 update will not introduce any breaking changes in the Node.js standard library (Rules and Custom Database Action Scripts are affected; see the Breaking changes - Rules and Custom Database Action Scripts only section), we encourage customers on Node version 12 to stay current with Active Long-Term Support (LTS) Node versions for security and compliance purposes. Customers who are still on Node 8 are out of security compliance and must migrate to Node 16 to eliminate security risks. We removed the Node 8 runtime on 22 Feb 2022 for Public Cloud tenants and removed it in the April 2022 Private Cloud release. After these dates, tenants still set to Node 8 run the risk of a service interruption.Opaque Access Token and Authorization Code Fixed Length
Deprecated: October 7, 2021 (Public Cloud), December 2021 (Private Cloud) End of life: April 12, 2022 (Public Cloud), June 30, 2022 (Private Cloud) Beginning April 12, 2022 in Public Cloud and with the December 2021 Private Cloud, access token and authorization codes will be issued with varied lengths to support OAuth specification RFC6749 to avoid clients making assumptions about authorization code and access token values. Currently, the access token and authorization code sizes are fixed. The current size of the authorization code is shorter than what some security practitioners recommend. Through this change, Auth0 provides a stronger code and token while also improving the performance of Auth0 systems. Customers with systems configured to rely on specific-sized authorization code and access token length must change from fixed-sized to variable-sized configurations before April 12, 2022 in Public Cloud or the June 30, 2022 Private Cloud release.Node.js v8 Extensibility Runtime End of Life
Deprecated: 15 April 2020 End of life: 25 February 2022 (Public Cloud), April 2022 (Private Cloud release) Beginning 13 December 2019, Node.js v8 was no longer under long-term support (LTS). This means that critical security fixes were no longer back-ported to this version. Customers who are still on Node 8 are out of security compliance and must migrate to Node 12 to eliminate security risks. To learn more about how to migrate your tenant-level Node version from 8 to 12, read Migrate from Node.js 8 to Node.js 12. Because Node.js v12 is also going out of LTS in 2022, we also highly encourage all customers using Rules and Hooks to migrate to Actions using Node 16 as soon as possible, and before Node 12 support expires formally from the Node.js community on 30 April 2022. To learn more about required migration steps, read Migrate Rules and Hooks to Actions.Legacy Network Edge Deprecation
Deprecated: 05 May 2021 (Public Cloud) End of life: 03 November 2021 (Public Cloud) Auth0 legacy network edge will cease to function on Public Cloud. After 03 November 2021, Public Cloud tenants who have not completed a migration to the new Auth0 network edge will no longer receive traffic. All new are automatically created on the new network edge.Unpaginated Management API v2 Request deprecation
Deprecated: 21 July 2020 (Public Cloud) End of life: 26 January 2021 (Public Cloud), February 2022 (Private Cloud release) After 26 January 2021, requests to the following Management API v2 endpoints will return a maximum of 50 items for Public Cloud tenants. To retrieve more items, you must includepage and per_page parameters. Beginning on 21 July 2020, Auth0 will display tenant logs and a migration toggle to help you prepare for this change.
GET /api/v2/clientsGET /api/v2/client-grantsGET /api/v2/grantsGET /api/v2/connectionsGET /api/v2/device-crecentials(when thetypequery parameter is used)GET /api/v2/resource-serversGET /api/v2/rules
per_page parameter for queries that can return more than 1 result. Tenants are not affected if they are created after 21 July 2020, are not using the affected endpoints, are using the affected endpoints and passing the per_page parameter, or are making queries that always return only 1 result. To learn more, read Migrate to Management API v2 Endpoint Paginated Queries.
Private Cloud Custom Domain Deprecation
Deprecated: 17 June 2021 End of life: 20 December 2021 To achieve consistency across all Auth0 deployments and focus on enhancing the Auth0 Custom Domain feature, we are discontinuing the Private Cloud Custom Domain capability on December 20, 2021. Consistency enables us to enhance the feature and fix reliability issues faster, improving operational efficiency and enabling customers to get value out of custom domains more quickly. To learn more about migration to Auth0 Custom Domains, read Migrate Private Cloud Custom Domains.Logout Redirect Validation
Deprecated: 25 May 2021 End of life: 01 December 2021 On 01 December 2021, the logout behavior will change to always redirect users to the URI passed to the Auth0 logout APIs instead of using thereturnTo query parameter passed by to /login/callback during the execution of the logout. If Auth0 does not have a record of a preceding call to one of these APIs, logout will complete, but redirection will not occur and an error page will be displayed to end users. To learn more, read Logout Redirects Migration Guide.
Application Admin Dashboard Role deprecation
Deprecated: 01 February 2021 End of life: 30 September 2021 (Public Cloud), September 2021 (Private Cloud monthly release) Auth0 is changing the role-based access control to the Dashboard. The Application Administrator role as defined today is being deprecated. After 01 February 2021, administrators won’t be able to invite members with the deprecated Application Administrator role. Existing application-specific administrators will continue to be able to use the Dashboard with the existing permission set until the end of life date. A new set of Dashboard roles is available for improved and more secure collaboration among team members, including viewer and editor roles with limited access. A new Editor - Specific Apps role replaces the previous Application Administrator role for subscription plans where editor roles are supported. Your tenants will be affected by this deprecation if the following criteria are met:- Created before 01 February 2021
- Have at least one tenant member with the Application Admin role
- Haven’t opted-in to the Dashboard roles feature preview
Legacy TLS Deprecation
Deprecated: 19 January 2021 End of life: 10 May 2021 (Public Cloud), June Private Cloud Release (v2106) As of 10 May 2021 for Public Cloud and the June Private Cloud Release (v2106), the Auth0 network edge will no longer accept TLS 1.0 or TLS 1.1 traffic. These legacy protocols are insecure, with well-known weaknesses and vulnerabilities within the industry. For maximum security, all Auth0 clients must upgrade to TLS 1.2 or later. The exact details and steps required will vary, depending on your application. To learn more, read Upgrade to TLS 1.2, what action to take? posted in the Auth0 Community.Auth0-analytics.js deprecation
Deprecation: January 2018 End of life: January 2021 Auth0 has deprecated the use of the auth0-analytics.js library that adds Facebook and Google Analytics integration with Lock. It listens for events in Lock and passes them to the Auth0-tag-manager.js library. It may still function in some legacy cases. This library is no longer maintained. You may need to write custom code to use auth0-tag-manage.js to manage proxy requests to third-party analytics libraries such as Facebook, X, and Google.Device credential metadata without user_id deprecation
Deprecated: 31 August 2020 End of life: 17 December 2020 Auth0 now requires that you provide theuser_id when you use the GET /api/v2/device-credentials endpoint. If your request does not provide a user_id, it will return a 400 status code. Check the depnote in your tenant logs to see if you are affected by this deprecation. To learn more, read Check Deprecation Errors.
Auth0 has identified tenants affected by this deprecation and contacted the administrators for those tenants. If your tenant is currently making requests without a user_id, you should make the change as soon as possible.
Azure AD/ADFS email verification deprecation
Deprecated:- Public Cloud: 18 November 2020
- Private Cloud: 01 December 2020
- Public Cloud: 18 May 2021
- Private Cloud: June Private Cloud Release (v2106)
email_verified field to true in Azure AD and ADFS connections. If you used Azure AD/ADFS connections before this deprecation date, you have a tenant setting that overrides the connection setting for email verification and keeps the previous behavior.
On 18 May 2021 in Public Cloud and the June Private Cloud Release (v2106), Auth0 begins using the connection-level property for all Azure AD/ADFS connections. You should make sure all your connections are configured properly before that date. To learn more, read Email Verification for Azure AD and ADFS.
sameSite cookie attribute changes
Effective: February 2020 Google Chrome v80 is changing the way it handles cookies. To that end, Auth0 will implement the following changes in the way it handles cookies:- Cookies without the
samesiteattribute set will be set tolax - Cookies with
sameSite=nonemust be secured, otherwise they cannot be saved in the browser’s cookie jar
User Search v2 deprecation
Deprecated: 10 November 2018 End of life: 30 June 2019 (Public Cloud), May 2021 (Private Cloud monthly release) For Public Cloud, User Search v2 was deprecated and you should have taken action before 30 June 2019. Notifications were sent to customers that need to complete this migration. For Private Cloud, User Search v1 and v2 endpoints will be no longer be available after the May Private Cloud monthly release and have been replaced with the new User Search v3 endpoint.Passwordless Endpoint from Confidential Applications deprecation
Auth0 has deprecated the use of the/passwordless/start endpoint from confidential applications when Auth0 cannot authenticate that the call is made on behalf of the application. To learn more, read Migrate to Passwordless Endpoint from Confidential Applications.Clickjacking Protection for changes
To prevent clickjacking, in cases where you render your login page in an iframe, Auth0 has added an opt-in to add headers which we strongly recommend you enable. For details, see Clickjacking Protection for Universal Login Change.
Management API endpoints using ID token credentials deprecation
Deprecation: 31 March 2018 End of life: TBD Auth0 is deprecating the use of ID tokens as credentials to call some of the users and device endpoints and replacing it with the use of access tokens instead. For details, see Migrate to Management API Endpoints with Access Tokens and Migrate to Link User Accounts with Access Tokens.Resource Owner Password /oauth/ro deprecation
Deprecation: 08 July 2017 End of life: TBD As of 08 July 2017 Auth0 has deprecated the/oauth/ro endpoint for both password and connections. You can now implement the same functionality using the /oauth/token endpoint. To learn more, read Resource Owner Password Flow Migration.
Management API v1 deprecation
Deprecation: October 2016 End of life:- Public Cloud: 13 July 2020
- Private Cloud: November 2020 monthly release
Instagram connection deprecation
Deprecated: 05 March 2020 End of life: 31 March 2020 Facebook announced that on 31 March 2020 that they will turn off the Instagram legacy APIs, and they won’t provide an alternative to implement login with Instagram. For details, see Instagram Connection Deprecation.Yahoo API changes
Deprecated: 01 March 2020 End of life: 01 March 2020 Yahoo changed the way to retrieve the user profile and the information included in it. For details, see Yahoo API Changes.Google Cloud Messaging deprecation
Deprecation: 11 April 2019 End of life: 11 April 2019 As of 11 April 2019, Google deprecated and replaced Google Cloud Messaging (GCM) with Firebase Cloud Messaging (FCM). For details, see Google to Firebase Cloud Messaging Migration.Facebook Social Context field deprecation
Deprecation: 30 April 2019 End of life: 30 July 2019 On 30 April 2019, Facebook deprecated the use of the Social Context field for new applications. For details, see Facebook Social Context Field Deprecation.Facebook Graph API changes
Deprecation: 01 August 2018 End of life: Graph API v3 released 08 January 2019 As of 01 August 2018, Facebook has changed the Facebook Graph API permissions and fields that can be requested. Auth0 has updated Facebook Connections to reflect these changes and modified the connection interface for clarity. See Facebook Login Changelog: Recent Changes to Facebook Login for complete details and key dates. For details, see Facebook Graph API Changes.Lock v11 and Auth0.js v9
We are continually improving the security of our service. As part of this effort, we have deprecated the Legacy Lock API, which consists of the/usernamepassword/login and /ssodata endpoints. These endpoints are used by Lock.js v8, v9, and v10 and Auth0.js, v6, v7, and v8, and can also be called directly from applications.
As of August 6, 2018, Auth0 has permanently disabled the Legacy Lock API. This removal of service fully mitigates the CSRF vulnerability disclosed in April 2018. This also ends the soft removal grace period that was first announced on 16 July 2018, meaning the Legacy Lock API can no longer be re-enabled.
If your Legacy Lock API migration has not yet been completed, your users may experience an outage, failed logins, or other adverse effects. You will need to complete your migration in order to restore normal functionality. Check deprecation errors to identify the source(s) of any errors in your tenant logs related to deprecations.
Features affected
If you are currently implementing login in your application with Lock v8, v9, or v10, or Auth0.js v6, v7, or v8, you are affected by these changes. Additionally, you are affected if your application calls the/usernamepassword/login or /ssodata endpoints directly via the API.
We recommend that applications using Universal Login update the library versions they use inside of the login page.
However, those who are using Lock or Auth0.js embedded within their applications, or are calling the affected API endpoints directly, are required to update, and applications which still use deprecated endpoints will cease to function properly after the removal of service date.
Libraries and SDKs not explicitly named here are not affected by this migration.
Tenant Log Search v2 deprecation
Deprecation: 21 May 2019 End of life:- Free: 09 July 2019
- Essential (former Developer): 20 August 2019
- Professional (former Developer Pro): 20 August 2019
- Enterprise: 04 November 2019
New IP addresses for Allowlisting in Australia
As of 30 September 2017, Auth0 updated its cloud environments and traffic from Australia originates from new IP addresses. If you are allowlisting IP addresses, you will need to add the new addresses to your firewall rules.Features affected
If you are using a custom database connection, rule, and/or custom email provider that connects to your environment, and you have implemented firewall restrictions for IP address ranges, then you are affected by this change. You will need to make sure the following IP addresses are allowed to go through your firewall:13.55.232.24, 13.54.254.182, 13.210.52.131, 52.62.91.160, 52.63.36.78, 52.64.84.177, 52.64.111.197, 52.64.120.184, 54.66.205.24, 54.79.46.4, 54.153.131.0
New IP addresses for allowlisting in Europe
As of 30 September 2017, Auth0 updated its cloud environments and traffic from Europe originates from new IP addresses. If you are allowlisting IP addresses, you will need to add the new addresses to your firewall rules.Features affected
If you are using a custom database connection, rule, and/or custom email provider that connects to your environment, and you have implemented firewall restrictions for IP address ranges, then you are affected by this change. You will need to make sure the following IP addresses are allowed to go through your firewall:34.253.4.94, 35.156.51.163, 35.157.221.52, 52.16.193.66, 52.16.224.164, 52.28.45.240, 52.28.56.226, 52.28.184.187, 52.28.212.16, 52.29.176.99, 52.50.106.250, 52.57.230.214, 52.211.56.181, 52.213.216.142, 52.213.38.246, 52.213.74.69
CDN provider migration in the Europe and Australia environments
As of 12 July 2017, Auth0 has improved the Auth0 CDN scaling and availability. We now use Amazon CloudFront. We have already made this change in the US environment, and are now ready to do so in Europe and Australia.Features affected
You are affected if you use Lock (hosted by our CDN) in Europe or Australia. This change shouldn’t cause any disruption or change in behavior in your applications, so you don’t have to do anything. This notification is for information only.Password and refresh token exchange rules migration
On 31 May 2017, as part of Auth0’s efforts to improve security, we added the ability to execute rules during the Password Grant exchange (the password exchange) and the refresh token exchange.Features affected
You are using this feature if you are calling the/oauth/token endpoint of our Authentication API with grant_type = "password" , grant_type = "http://auth0.com/oauth/grant-type/password-realm", or grant_type = "refresh_token".
You could be impacted if you are currently using these exchanges and have rules defined in Dashboard. In order to ensure a smooth transition, we have disabled the rules execution on these specific exchanges for your tenant. These rules will now execute for all new customers, as well as customers who have not yet used these exchanges.
You can add logic to your rules to alter their behavior for these exchanges by checking the context.protocol property:
oauth2-passwordindicates the password (and password-realm) exchangeoauth2-refresh-tokenindicates the Refresh Token exchange
Account linking removal
On 01 March 2017, as part of Auth0’s efforts to improve security and standards compliance, we stopped supporting account linking as part of the authorization callback (that is, accepting an access token as part of the authorize call).Features affected
If you received an email notification about it, then you are impacted by this change. As you work to update your applications to use the Management API to link accounts, you can check if you are still impacted, by checking your tenant logs for warnings. These entries will be logged if you are sending an Access Token in your authorize calls.Allowlist IP address ranges
As of 20 February 2017, Auth0 expanded into new US regions and traffic originating from these regions will have new IP addresses. If you allowlist IP addresses you will need to add the new addresses to your firewall rules.Features affected
If you are using a custom database connection, rule, and/or custom email provider that connects to your environment, and you have implemented firewall restrictions for IP address ranges, then you are affected by this change. You will need to add the following IP addresses to your firewall rules:138.91.154.99, 54.183.64.135, 54.67.77.38, 54.67.15.170,54.183.204.205, 54.173.21.107, 54.85.173.28, 35.167.74.121, 35.160.3.103,35.166.202.113, 52.14.40.253,52.14.38.78, 52.14.17.114, 52.71.209.77, 34.195.142.251, 52.200.94.42
Vulnerable password flow
Prior to 01 February 2017, Auth0’s password reset flow allowed a user to enter their email and a new password. This triggered a confirmation email that to be sent to the user asking them to confirm that they requested a password reset.Features affected
The issue is that the confirmation link could be inadvertently clicked by a user which would result in the user’s password being changed by an attacker. Lock version 9 and above uses the new password reset flow exclusively. Lock 8 and below does not handle the new password reset flow. We strongly recommend upgrading to Lock 9 or greater as soon as possible.Even if you are not using Lock, the vulnerable reset flow can be accessed directly through the API. (See the /dbconnections/change_password endpoint for details.) Auth0 strongly encourages you to change any app using the current flow to move immediately to the new reset flow and enable this migration.
State parameter required on redirect from rule
As of 06 December 2016, when a redirect is done from an Auth0 rule, Auth0 generates and sends a state parameter in HTTP and check for a valid state parameter when flow returns to the/continue endpoint. The site to which the redirect goes has to capture the value of the state parameter and return it by adding it as a parameter when returning to the /continue endpoint.
Features affected
You are affected by the change only if you redirect from rules, and do not yet capture and return (to the /continue end point) the state parameter.Delete all users endpoint change
Prior to 13 September 2016, the previous endpoint for deleting all users wasDELETE /api/v2/users. This is similar to the endpoint to delete one user: DELETE /api/v2/users. To prevent accidental requests to the delete all users endpoint, the url has been changed to DELETE /api/v2/allusers. This should ensure that only intentional calls to this endpoint get made.
Features affected
You are affected by the change only if you currently make use of the delete all users endpoint. If so, the only change you need to make is to change the URL as explained above.Email delivery template customization changes
As of 29 August 2016, Auth0’s built-in email provider is longer be supported for use in a production environment. The emails sent using the Auth0 provider will no longer be customizable. They will be restricted to the template and you will not be able to change the from address or subject line. The built-in email service may still be used for test purposes but you must switch to an Auth0-supported third-party service (Amazon SES, Mandrill, SendGrid) or another SMTP-based provider before moving your apps to production. If you already use a custom email provider, no action is necessary.Identity provider access tokens removed from user profile and ID token
As of 08 August 2016, the format of the user profile JSON object (ID token) that is returned by Auth0 Authentication APIs changed to remove the identity provider access token and included in the user profileidentities array.
To obtain a user’s identity provider access token, you will need to make an HTTP GET call to the /api/v2/users/{user-id} endpoint containing an API token generated with read:user_idp_tokens scope. You will still have access to the identity provider access token in the user argument in Auth0 rules.
Features affected
You are affected by the change only if you are using the Identity Provider Access Token (identities[0].access_token in the user profile) outside of rules to call other services from the Identity Provider (such as Facebook Graph API, Google APIs, etc.). If your tenant was created after the change the update will be done automatically.
Tokeninfo endpoint validation
As of 01 June 2016, when calling the Tokeninfo endpoint, the URL of the API call (for examplehttps://{yourDomain}/) must match the value of the iss attribute of the ID Token being validated. If these values do not match, the response will be HTTP 400 - Bad Request.
Features affected
If you are calling the Tokeninfo endpoint directly, make sure that the value of theiss attribute of the ID Token being validated matches your Auth0 tenant namespace: https://{yourDomain}/. You can use jwt.io to decode the token to confirm the iss attribute value.
Email delivery from address changes
On 27 April 2016, Auth0’s built-in email provider started sending all emails from a predefined from address (no-reply@auth0user.net). Custom Email Providers are now free. To customize the “from” address, you can switch to an Auth0-supported third-party service (Amazon SES, Mandrill, SendGrid) or another SMTP-based provider. If you already use a custom email provider, nothing will change.
Patch and Post endpoints no longer accept secret_encoded flag
Thejwt_configuration.secret_encoded configuration is no longer accepted by the PATCH and POST applications endpoints.
In order to further comply with the OIDC specification, Auth0 will no longer generate or accept base64 encoded application secrets for new applications.
Existing applications with encoded secrets stored will remain intact and unchanged, but new applications will no longer use base64 encoding. The secret_encoded flag is no longer accepted or necessary, as a result.