Auth0 Appliance Release Notes

Get the latest updates in Auth0

See old releases

2019-01-15: Auth0 1901.0 (17953.180)

Bug Fix

  • Fixed an issue in MFA that was remembering browser status under an invalid key of the MFA session when using provider = 'any'

  • Updated Auth0 Lock widget version in the default custom hosted login page template from 11.3 to 11.11

  • Fixed a memory leak in the Hosted Pages caused by tenants with a larger number of clients.

  • Fixed active users by tenant calculation.

  • Fixed a bug that prevented users from making modification to sms passwordless templates.

  • Fixed a bug that resulted in a "Client not found" error when attempting to initiate Single Sign On with WSFED.

  • Fixed a UI bug that cause a flickering effect in the dashboard heatmap.

  • Fixed id for users using Paypal connections.

  • Fixed a bug that prevented enabling "Use Common Endpoint" in Azure AD connections

  • Fixed MFA switch in Firefox.

  • Fixed a bug that failed to return the auth_time after the user requested a new token.


  • A proper error message is displayed when trying to enroll an user to MFA that's already enrolled

  • A confirmation is required in the dashboard when disabling MFA for all applications.

  • When a user tries to log into Docs users without a tenant are now redirected to the tenant creation page.

  • Auth0 API's, such as the Management API, will no longer allow dashboard admins to remove scopes.

  • Improve the validation of signed requests to prevent sending invalid data to DUO.

  • When calling /authorize with an invalid response_type the user will be redirected to redirect_uri if provided.

  • Prevent using TLS when the email server offers it if TLS is disabled in default email provider

  • Added publish_actions to Deprecated Permissions Area for Facebook Connection in the Dashboard.

  • Tenant name will be used as default friendly name in SMS multi factor authentication.

  • Removed documentation site from instances' health status so the nodes will not be removed from load balancer rotation when core services work.


  • New Feature: Added a new Unified MFA dashboard to improve the user experience for configuring MFA.

  • New Feature: Web Origins can now be queried from applications in Management API.

  • New Feature: Support for specifying the default tenant or application login page. Additionally, users will be now able to bookmark the login page.

2019-01-15: Auth0 1812.1 (17740.183)

Bug Fix

  • Fixed an issue that caused Auth0 to use TLS when connecting to SMTP server even when disabled in the configuration settings.

  • Fixed active users by tenant calculation.

2018-12-11: Auth0 1812.0 (17740.177)


  • Removed usernameProperty form the Management API and MFA API's DUO configurations.

Bug Fix

  • Fixed an issue when a user logs in using /co/authenticate and then /authorize with a login ticket, for the first transaction the scoa event will be created in the tenant logs, however, on the second transaction (/authorize?prompt=none), the scoa event was logged erroneously instead of the ssa event indicating silent authentication.

  • Fixed the CPU endpoint that erroneously calculated CPU by including non-CPU blocking processes when determining utilization percentages.

  • Fixed an issue when erroneously displaying an expired trial message on child tenants.

  • Fixed an issue where client_id and connection parameters were missing from a custom error page.

  • Fixed an issue where the Management API v2 token issued for rules does not have an audience on SAML or WSFED.

  • Added new parameter called supress_tenant_log to prevent duplicate logs from appearing for the user.

  • Fixed an issue when Client Credentials Exchange Hook when using the Basic Auth Strategy that cause the IP address to be missing from the context argument.

  • Fixed a wrong link to MFA from the MFA settings page.

  • Fixed a rendering issue when displaying blocked users messages in some devices.

  • Fixed an issue causing mfa-api to return a 404 response when the tenant was not configured to use the MFA API.

  • Fixed and uncaught error in auth0-server when parsing JSON for Windows Azure Active Directory connection.

  • Fixed an issue preventing the import users summary emails from being sent.

  • Fixed a race condition in auth0-server's shutdown code that may prevent a graceful shutdown of the service.

  • Fixed a bug in the Backup CLI (a0cli) that created an encrypted backup without using --password argument.

  • Fixed a race condition on Webtasks startup that caused High CPU usage after reboots.


  • Update auth0-server to use the DUO push configuration stored in MFA API in addition to configuring MFA with a rule.

  • Prevents in process requests from terminating when an uncaught exception causes the auth0-server service to restart.

  • Added support, in Docs, for tenants without region and removed a user session on an invalid login request.

  • Upgraded Telegraf instrumentation agent to version 1.9.0.

  • Update the POST /api/v2/users endpoint to allow the creation of blocked users.

  • Decreases the frequency of Active Directory connection checks and prevent checks from running at the same time for multiple Active Directory clients.

  • Updated GeoIP database to current as of December 4, 2018.

  • Updated Webtask images to latest as of December 4, 2018.

  • Updated the Hosted Login Templates to use Lock version 11.11.

  • Standardized some language and fixed some typos in the Manage Dashboard.

  • Updated the on-boarding widget to render client side instead of server side.

  • Increased the number of emails that can to be sent PSaaS deployments from 10 per minute to a 100 per second.

  • Minor performance enhancement when performing concurrent authentication requests.

  • Added ability to monitor X.509 certificates when instrumentation is enabled.

  • Removed duplicate Elasticsearch operating system stats already captured by Telegraf operating system inputs.

  • When instrumentation is enabled instrumentation data will be written to a flat file on each node.


  • New Feature Introduced a new parameter (mark_email_as_verified and markEmailAsVerified, respectively, with default value false ) to allow tenant admins define if user.email_verified should be set to true after ticket is consumed.


  • Fixed an issue where email_verified was set to true without properly verifying email ownership.

  • Fixed a potential Prototype Pollution vulnerability in auth0-server.

  • Fixed an issue that allowed a user to get the original phone number that is not masked in the response from the server when username and password was provided in advance.

  • Fixed a potential XSS vulnerability on the Reset Password template.

  • Fixed a potential SSRF vulnerability when previewing the Hosted Login Page.

2019-01-15: Auth0 1811.1 (17493.184)

Bug Fix

  • Fixed an issue that caused Auth0 to use TLS when connecting to SMTP server even when disabled in the configuration settings.

  • Fixed active users by tenant calculation.

2018-11-13: Auth0 1811.0 (17493.168)


  • Disabled the Legacy Account Linking functionality by default.

Bug Fix

  • Fixed an uncaught exception during a SAML logout with a missing client.

  • Fixed the MFA API's deleting friendly_name, picture, picture_url, and guardian_mfa_page properties if they are not explicitly set in the when calling the PATCH /tenant/settings endpoint.

  • Handled an uncaught exception when performing a google-oauth2 flow when the Google certificate endpoint fails.

  • Fixed a slow memory leak when calling the /well-known/jwks.json and when auth0-server issues RS256 tokens.

  • Fixed the MFA and Guardian rule templates. Some of the rules templates were under the wrong category.

  • Fixed an issue causing an auth0-server worker to exit unexpectedly.

  • Handled uncaught exception that could result in emails getting lost silently.

  • Fixed an uncaught exception when a malformed template had the @@ @@ blocks improperly wrapped.

  • Fixed an issue with linked accounts that prevented changing the email address on a secondary identity.

  • Fixed an incorrect URL for API calls in the Management API docs when the user was not logged in.


  • Improved passwordless connection forms when not using custom email provider.

  • Added login-test-tenant to tenant blacklist to prevent new tenants from using this name.

  • Performance improvements to the /api/v2/users/{id} endpoint.

  • Changed SMTP Password input type from text to password in emails providers.

  • Added note that you need the toggle enabled for verification email template on Management API docs.

  • Improved Nginx logs and added log rotation.

  • Removed refresh_token from client credentials requests.

  • Confirmed MFA API authenticator when verifying Google Authenticator OTP.

  • Added improved deprecation logs API1.

  • Added an alert (similar to the alert for weak passwords in user creation) that will show errors generated from the API (such as those for weak passwords).

  • Updated MFA widget to allow the auto-advances Recovery Code if the first SMS enrollment code is invalid.

  • Allowed verification using guardian enrollments on /oauth/token with google-authenticator.

  • Added pagination to the tenants list on the configuration page to allow viewing more than 100 tenants.

  • Included client information to Management API when the request is performed by Auth0 services.

  • Added same user login limit to Resource Owner Password Credentials endpoint.

  • Improved the suggestion links to application on top bar search box.

  • Added the ability to trace the code calls process.exit.

  • Updated the Nodes view in the configuration dashboard so that it does not truncate long IP addresses.

  • Updated the Auth0 Appliance CLI's export user functionality to optionally include tenant name of each user.

  • Updated Elasticsearch tooling to avoid using persistent SSH credentials.

  • Updated Webtask images to latest as of October 16, 2018.

  • Updated GeoIP database to current as of November 6th.

  • Adjusted client/auth0_users timeouts to work with custom db connections.

  • Supported setting provider to any for MFA rules.

  • Used a refill rate of 1/min for change_password as default.


  • New Feature: Users can now specify client_metadata to the allowed values for GET /clients.

  • New Feature: Length based password policy.


  • Preventing malicious requests from crashing auth0-server.

  • Fixes server-side request forgery (SSRF) vulnerability in the Dashboard.