Affected Endpoints
As of June 9, 2022 in Public Cloud and September 9, 2022 in Private Cloud, any calls to the Authentication API endpoints below that are not properly validated will be rejected. Auth0 recommends that you take action to migrate your application domain URL or API call identifier to the same tenant well before that date. The affected endpoints are:
- `/oauth/token`
- `/co/authenticate`
- `/userinfo`
- `/login`
- `/oauth/revoke`
- `/mfa/challenge`
- `/p/<connection-type>/<ticket>` (Enterprise connection provisioning endpoint)
Review tenant logs
First, check your tenant logs for deprecation notices to verify if you need to migrate your application.
- Navigate to Dashboard > Monitoring > Logs.
- Search the logs for `type:depnote AND description:ignore*request*host*header*` to find the deprecation notice regarding which applications are affected and need to be migrated. The log entry includes the ID for any impacted applications and the following message: Ignore request Host header: This feature is being deprecated. Please see https://auth0.com/docs/product-lifecycle/deprecations-and-migrations/tenant-hostname-migration.
- Find the Details > Raw section of the log. There you can identify the `client_id` of the application to update, or the `connection_id` in the case of a provisioning endpoint. Also check the `tenant_from_host` field. This field contains the Auth0 tenant identified from the domain received in your API calls.
- Modify all applicable applications.
  - If any misalignments of tenant and domain tenant exist, you need to modify the sent identifiers, or domain URL, along with other misconfigured request parameters.
  - The domain tenant should match the tenant associated with the `client_id` or `connection_id`.
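The log review above can be scripted once the entries have been exported. The following is an added example, not Auth0 code: it filters entries for the host-header deprecation notice and groups the affected `client_id` or `connection_id` values by the `tenant_from_host` they were called through. The sample entries are constructed, and the record layout (identifiers possibly nested under `details`) and the function name `find_misaligned` are assumptions.

```python
import fnmatch

# Constructed sample log entries (not real tenant data). Placing
# tenant_from_host and connection_id under "details" is an assumption;
# match the lookups to the Raw view of your own entries.
NOTICE = "Ignore request Host header: This feature is being deprecated."
SAMPLE_LOGS = [
    {"type": "depnote", "description": NOTICE, "client_id": "EXAMPLE_CLIENT_A",
     "details": {"tenant_from_host": "other-tenant"}},
    {"type": "depnote", "description": NOTICE, "client_id": "EXAMPLE_CLIENT_A",
     "details": {"tenant_from_host": "other-tenant"}},
    {"type": "depnote", "description": NOTICE,
     "details": {"connection_id": "EXAMPLE_CONNECTION_B",
                 "tenant_from_host": "legacy-tenant"}},
    {"type": "depnote", "description": "Some other deprecation notice",
     "client_id": "EXAMPLE_CLIENT_C", "details": {}},
    {"type": "s", "description": "Success Login", "client_id": "EXAMPLE_CLIENT_D"},
]

PATTERN = "*ignore*request*host*header*"  # same wildcards as the log search


def find_misaligned(entries, own_tenant):
    """Map (id_kind, id_value) -> set of tenant_from_host values for
    host-header deprecation notices whose domain tenant is not own_tenant."""
    findings = {}
    for entry in entries:
        if entry.get("type") != "depnote":
            continue
        if not fnmatch.fnmatch(entry.get("description", "").lower(), PATTERN):
            continue
        details = entry.get("details") or {}
        host_tenant = details.get("tenant_from_host")
        if host_tenant == own_tenant:
            continue  # domain tenant already matches; nothing to migrate
        for kind in ("client_id", "connection_id"):
            value = entry.get(kind) or details.get(kind)
            if value:
                findings.setdefault((kind, value), set()).add(host_tenant)
    return findings


if __name__ == "__main__":
    for (kind, value), tenants in sorted(find_misaligned(SAMPLE_LOGS, "my-tenant").items()):
        print(f"{kind}={value} called via domain tenant(s): {sorted(map(str, tenants))}")
```

Each identifier in the result is an application or connection whose calls need the domain URL or the sent identifier changed so that both resolve to the same tenant.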
Verify Migration
Once you have migrated your applications and configured unvalidated hostnames, verify your changes by disabling the deprecated behavior at a time of your choosing and ahead of June 9, 2022 or September 9, 2022.
- Navigate to Dashboard > Tenant Settings > Advanced > Migrations.
- Disable the Ignore request Host header toggle. Deactivating this toggle enforces validation for your tenant and completes the migration.
`client_id` or `connection_id` are not the same.
Once all application migrations have been successfully performed and confirmed in production environments, then you can disable the switch permanently to ensure that the deprecated features can no longer be used. After June 9, 2022 in Public Cloud and September 9, 2022 in Private Cloud, Auth0 will enforce hostname validation and the associated switch will be removed from your tenant settings.