Application Settings Best Practices
Here are some best practices for configuring Application Settings on the Dashboard.
Application type
Make sure to select the correct application type in your application settings to help Auth0 check for certain security risks.
Third-party applications
Third-party applications must be created using the Auth0 Management API and have the is_first_party attribute set to false.
ID token expiration
By default, ID tokens expire after 10 hours (36000 seconds). Once issued, an ID token cannot be revoked, so instead of longer expiration times, use a short expiration time and renew the session if the user remains active.
Placeholders and localhost URLs
If you are using the Organizations feature, for production applications you can use {org_name} as a placeholder to dynamically specify a registered organization's name in a URL (https://{org_name}.exampleco.com). URLs with the {org_name} placeholder should only be used on domains that you fully control (for example, https://{org_name}.exampleco.com, where you control the exampleco.com domain).
Do not use wildcard placeholders or localhost URLs in your application callbacks or allowed origins fields. A redirect URL with a wildcard makes your application vulnerable to attacks: every host the pattern matches, including one an attacker registers, becomes a valid destination for authorization codes and tokens. Where a per-organization URL is needed, prefer the {org_name} placeholder on a domain you own instead.
To learn more, see Placeholders for Subdomains.
Logout redirect URLs
To redirect users after logout, register the redirect URL in your tenant or application settings. Auth0 only redirects to allow-listed URLs after logout. If you need different redirects for each application, add the URLs to the Allowed Logout URLs field in your application settings.
RS256 signature algorithm
Make sure that RS256 is the signature method for signing JSON web tokens (JWTs). The JWT signature method can be found under Auth0 Dashboard > Applications > Applications. Scroll to the bottom of the Settings page, and select Show Advanced Settings, then select the OAuth view. To learn more, see Auth0 Blog: Navigating RS256 and JWKS.
OIDC conformant
(For tenants created before 27 December 2017.) If your application is not OIDC conformant, migrate your applications to be OIDC conformant. Newer tenants can only use OIDC conformant behavior.
To test, turn on the OIDC Conformant toggle (under Advanced Settings, OAuth view) and exercise your application's login and token flows.
Restrict delegation
If you are not using delegation, provide your application's client ID in the Allowed Apps / APIs field to restrict delegation requests.
Grant types
Turn off unneeded grant types for your application to prevent someone from issuing authorization requests for unauthorized grant types.