Application Settings Best Practices

Here are some best practices for configuring Application Settings on the Dashboard.

Make sure to select the correct application type in your application settings to help Auth0 check for certain security risks.

Third-party applications must be created using the Auth0 Management API and have the is_first_party attribute set to false.

By default, ID tokens expire after 10 hours (36000 seconds). Once issued, an ID token cannot be revoked, so instead of longer expiration times, use a short expiration time and renew the session if the user remains active.

Do not use wildcard or localhost URLs in your application callbacks or allowed origins fields. Using redirect URLs with wildcards can make your application vulnerable to attacks.

To redirect users after logout, register the redirect URL in your tenant or application settings. Auth0 only redirects to whitelisted URLs after logout. If you need different redirects for each application, you can add the URLs to the AllowList in your application settings.

Make sure that RS256 is the signature method for signing JSON web tokens (JWTs). The JWT signature method can be found under Applications > Settings > Advanced Settings > OAuth. See Auth0 Blog: Navigating RS256 and JWKS for more information.

(For tenants created before 27 December 2017.) If your application is not OIDC conformant, migrate your applications to be OIDC conformant. Newer tenants can only use OIDC conformant behavior.

Test by turning on the OIDC conformant toggle and testing your application.

By default, delegation is disabled for tenants without an add-on in use as of 8 June 2017. Legacy tenants who currently use an add-on that requires delegation may continue to use this feature. If delegation functionality is changed or removed from service at some point, customers who currently use it will be notified beforehand and given ample time to migrate.

If you are not using delegation, provide your application's client ID in the Allowed Apps / APIs field to restrict delegation requests.

Turn off unneeded grant types for your application to prevent someone from issuing authorization requests for unauthorized grant types.

Docs