Application Settings Best Practices
Here are some best practices for configuring Application Settings on the Dashboard.
| Setting | Best practice |
|---|---|
| Client ID | Confirm your application code uses the correct Client ID. |
| Application Type | Make sure the correct application type is set in your application settings to help Auth0 check for certain security risks. |
| First- and Third-party applications | Flag first-party and third-party applications. Third-party applications must be created using the Auth0 Management API and have the |
| ID token expiration | Set the ID Token expiration time. By default ID Tokens expire after 10 hours. Once issued, an ID Token cannot be revoked, so instead of longer expiration times, use a short expiration time and renew the session if the user remains active. |
| Wildcards or localhost URLs | Do not use wildcard or localhost URLs in your application callbacks or allowed origins fields. Redirect URLs with wildcards can make your application vulnerable to attacks. |
| Logout redirect URLs | To redirect users after logout, register the redirect URL in your tenant or application settings. Auth0 only redirects to whitelisted URLs after logout. If you need different redirects for each application, whitelist the URLs in your application settings. |
| Advanced Settings: RS256 signature algorithm | Make sure that RS256 is the signature method for signing JSON Web Tokens (JWT). The JWT signature method can be found under Applications > Settings > Advanced Settings > OAuth. See Auth0 Blog: Navigating RS256 and JWKS. |
| Advanced Settings: OIDC conformant (for tenants created before 2017-12-27) | If your application is not OIDC conformant, migrate it to be OIDC conformant. Newer tenants can only use OIDC conformant behavior. Test by turning on the OIDC conformant toggle and exercising your application. |
| Advanced Settings: Restrict delegation | If you are not using delegation, provide your application's Client ID in the Allowed Apps / APIs field to restrict delegation requests. |
| Advanced Settings: Grant types | Turn off unneeded grant types for your application to prevent someone from issuing authorization requests for unauthorized grant types. |
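The callback and logout URL advice above comes down to two checks: keep wildcard, localhost and plain-http entries out of the registered list, and match a requested redirect against that list exactly rather than by prefix or pattern. The following is an added illustration of both checks in Python, not Auth0's own matching code; the sample URLs and the `LOCAL_HOSTS` set are constructed for the example.

```python
"""Allow-list checks for application callback / logout redirect URLs.

Two helpers: one lints the registered list at configuration time, the
other applies exact matching to a redirect URL at request time.
Sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hostnames that should never appear in a production allow-list (assumption).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def lint_redirect_allowlist(urls):
    """Return (url, problem) pairs for entries that weaken the allow-list."""
    problems = []
    for url in urls:
        parts = urlsplit(url)
        if "*" in url:
            problems.append((url, "wildcard"))
        if (parts.hostname or "") in LOCAL_HOSTS:
            problems.append((url, "localhost"))
        if parts.scheme != "https":
            problems.append((url, "not https"))
        if parts.fragment:
            problems.append((url, "fragment not allowed"))
    return problems


def _key(url):
    """Components that must agree for a match; hostnames are case-insensitive,
    everything else is compared verbatim (no prefix or pattern matching)."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path, p.query)


def is_allowed_redirect(requested, allowlist):
    """Exact match only: a trailing path segment, a different port, a look-alike
    domain or an extra query parameter all fail."""
    wanted = _key(requested)
    return any(_key(entry) == wanted for entry in allowlist)


if __name__ == "__main__":
    registered = [
        "https://app.example.com/callback",   # constructed sample entry
        "https://*.example.com/callback",     # would be flagged as a wildcard
        "http://localhost:3000/callback",     # would be flagged twice
    ]
    for url, problem in lint_redirect_allowlist(registered):
        print(f"reject {url}: {problem}")
```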