Tenant Check (B2C)
This section covers a list of configurations to check in your tenant. This should be done periodically during development and sufficiently before launch so you have time to fix anything amiss.
General tenant check
Tenant preparation check
Check to ensure you have set up tenant environments to support your SDLC lifecycle and that Dev, Test and Prod tenants are cleanly separated so that ongoing development work after launch doesn’t negatively impact your production environment.
Every company has some form of Software Development Life Cycle (SDLC), and throughout the development process you will want to align with that strategy. For instance, you need to be able to test your integration with Auth0 in a similar fashion as you test the applications themselves. It is therefore important to structure Auth0 tenants to support your SDLC, and there is a consistent pattern which our customers typically follow when it comes to the best practices associated with tenant layout for doing so:
|Environment||Sample Tenant Name||Description|
|Development||company-dev||A shared environment where most of your development work occurs|
|QA/Testing||company-qa or company-uat||An environment for formal testing of the changes you've made|
|Production||company-prod||The production tenant|
In some cases you may also want to create one or more sandboxes (e.g., company-sandbox1, company-sandbox2) so that you can test changes without compromising your development environment. This might be where you test deployment scripts and the like.
You can also take advantage of our Implementation Checklists that you can download and customize to meet your implementation project needs.
Tenant association check
To ensure that your tenants are all associated with your Auth0 contractual agreement and have the same features, ensure all your tenants are associated with your company account. If you have individual developers that want to create their own sandboxes for testing, make sure they get associated with your account so they have the same permissions too. To do this you should contact your Auth0 representative or the Auth0 Support Center.
Specify production tenant
To ensure Auth0 recognizes your production tenant, be sure to set your production tenant with the “production” flag in the Support Center.
Tenant production check
Auth0 provides a Production Check facility to detect many common errors. You should ensure this has been run and any findings from the report mitigated before launch.
In addition, you should check the best practice configurations advice, for which checking cannot be automated.
Tenant settings check
Make sure to follow the Auth0 tenant settings recommendations in configuring your branding as well as your support email and support URL so users know how to get help if an issue occurs. You'll want to check your SSO Session Timeout settings and the list of dashboard admins with access to your production tenant as well.
Error page customization
If there are issues encountered during user interactive workflow (e.g. user sign up or login), Auth0 provides error messages that indicate what the problem is under the hood. The default messages are somewhat cryptic, especially to the end user, since they will likely be missing context that only you can supply. As such, we recommend customizing your error pages to provide the missing context-specific information directly to your users. Furthermore, customizing your error pages allows you to display your branding, not Auth0's, as well as provide useful information to your users as to what should be done next. This information might include a link to a FAQ or how to get in touch with your company's support team or help desk.
Out-of-the-box there is no user interface for customizing Auth0 provided error pages, but you can use the Tenant Settings endpoint of the Management API to configure them. Alternatively, if you can create and host your own error page, then you can have Auth0 direct users to that page instead of using the Auth0-hosted option.
Legacy feature flags off
If you have an older tenant, you may have various legacy feature flags enabled in your tenant settings advanced tab. If you have any toggles on in the “Migrations” section of this tab, you should review your usage and make plans to migrate off the legacy feature.
Delegated admin extension
While you are checking the list of users with access to your production tenant, don't forget to check any users specified in the Delegated Admin Extension.
Custom Domain Naming set up
By default, the URL associated with your tenant will include its name and possibly a region-specific identifier. For example, tenants based in the US have the a URL similar to
https://example.auth0.com while those based in Europe have something that is of the fashion
https://example.eu.auth0.com. A Custom Domain offers a way of providing your users with a consistent experience by using a name that’s consistent with your organization's brand.
In addition, Custom Domain functionality offers you complete control over the certificate management process. By default, Auth0 provides standard SSL certificates, but if you configure a custom domain, you can use Extended Validation (EV) SSL certificates or similar to provide the visual, browser-based cues that offer your visitors additional peace of mind.
In general, we see customers having the most success when they use a centralized domain for authentication - this is especially the case if the company offers multiple products or service brands. By using a centralized domain, you can provide end users with a consistent user experience while also minimizing the need to maintain multiple production tenants in Auth0.
Application and Connection settings check
Each of your connection settings should be reviewed against the connection configuration best practices.
In addition, you should review that all connections are appropriate and that no experimental connections are left in your production tenant as they could enable unauthorized access.
If you use SAML connections, it is a best practice to configure the connections to sign SAML requests.
Page customization check
If you use the Auth0 universal login page, password reset page, or Guardian multi-factor authentication, you should check that you have adequately customized the pages displayed to the end user.
Universal Login Page
Universal Login is the recommended method for authenticating users, and it centers around use of the Login page. You can customize the Login page to support your organization's branding requirements.
Password reset page
The Password Reset page is used whenever a user takes advantage of password change functionality and, as with the login page, you can customize it to reflect your organization's particular branding requirements.
The Multi-factor Authentication pages can be customized by adjusting the Universal Login branding options in the Universal Login Settings section.
If you need further customization, you can also customize the full HTML content to reflect your organization's particular UX requirements.
If you are using Auth0’s authorization feature, be sure to double check all privileges granted to ensure authorizations are appropriate for your production environment.
API configuration check
Access token expiration
You should double check the API access token expiration settings to ensure they are appropriate for each API in your production environment.
API offline access
If your application does not request refresh tokens, this should be off.
Access token signing algorithm
It is recommended that the API access token signing algorithm be set to RS256 rather than HS256 to minimize exposure of the signing key.
API Access token validation
If you have any custom APIs, be sure to check that they are adequately validating the access tokens they receive before using the information in them.
If you have applications making machine-to-machine calls to any of your APIs, you should review the scopes specified for the API to ensure they are all appropriate for your production environment. For further information see the documentation on client credentials grant.
You should also have aligned your rules with Auth0 rules best practices.
Email templates customized
Auth0 makes extensive use of email to provide both user notifications and to drive the functionality needed for secure identity management (for example, email verification, account recovery, and brute force protections), and Auth0 provides a number of templates for these.
Out of the box, the email templates used contain standard verbiage and Auth0 branding. However, you can configure almost every aspect of these templates to reflect the verbiage and user experience you want and make changes to things like the preferred language, accessibility options, and so forth.
Email templates are customized using Liquid syntax. If you are interested in customizing your templates based on user preferences, you will also have access to the metadata located in users' profiles, as well as any specific application metadata too.
Attack protection configured
The reason that authentication systems are important is to prevent bad actors from accessing applications and user data that they should not. We want to place as many barriers as possible between those bad actors and access to our systems. One of the easiest ways to do this is to ensure that your attack protection with Auth0 is configured correctly, so take a moment to read the guidance on this subject and ensure that it's working correctly for you.
Project Planning Guide
We provide planning guidance in PDF format that you can download and refer to for details about our recommended strategies.