This document is part of the adoption guide for OIDC-conformant authentication. If you haven't already, we strongly suggest reading the introduction before reading this document.
In order to make the transition to the OIDC-conformant authentication pipeline more predictable, clients now include an option called "OIDC Conformant", available under Advanced Settings > OAuth:
The objective of this flag is to disable as many legacy features as possible, so you can run into the OIDC-conformant pipeline's breaking changes at configuration time rather than run time. Enabling this flag on a client will have the following effects:
- The following features are deprecated in favor of silent authentication:
- Refresh tokens on authentication with the implicit grant
- /ssodata endpoint and
getSSOData()method from Lock/auth0.js
- Single sign-on (SSO) can only be performed from Auth0-hosted login pages.
response_type=tokenwill only return an access token, not an ID token. Use
- ID tokens obtained with the implicit grant will be signed asymmetrically using RS256.
- The /tokeninfo endpoint is disabled.
- Responses from /userinfo will conform to the OIDC specification, similar to the contents of ID tokens
- Implicit grant authentication requests made without a
nonceparameter will be rejected.
- Refresh tokens must be used at the token endpoint instead of /delegation.
deviceparameter, originally used to obtain refresh tokens, is now considered invalid.
- The legacy resource owner endpoint is disabled.
- Passwordless authentication is implemented at this endpoint, so it will be disabled as well. Support for OIDC-conformant passwordless authentication will be added in future releases.
- The /oauth/access_token endpoint, used for social authentication from native mobile applications, is disabled. An OIDC-conformant alternative will be added in future releases.
scopeparameter of authentication requests will comply to the OIDC specification:
- Custom claims must be namespaced and added to ID tokens or access tokens via rules.
- Custom scope values can be defined by a resource server (API).
- OIDC-conformant clients cannot be the source or target client of a delegation request.
updated_atclaim is returned as a Unix timestamp instead of an ISO 8601 date string for consistency with the
I don't want to make all these changes at once!
The "OIDC Conformant" flag will force all of these changes at the same time for a given client, but it's not the only option to gradually transition to the OIDC-conformant authentication pipeline.
Any authentication requests made with an
audience parameter will use the new pipeline, and all other requests will continue to work as usual.
If your application doesn't need a resource server but you want opt-in to the new pipeline on a per-request basis, you can use the following
- Calling your APIs with Auth0 tokens
- User consent and third-party clients
- Custom user profile claims and
- Single sign-on (SSO)
- Initiating authentication flows:
- Refresh tokens
- Delegation (deprecated)
- Passwordless authentication (unsupported)
- List of breaking changes for OIDC-conformant clients