Migrating to Auth0.js v9

Versionv9

Auth0.js v9 has been improved to operate with enhanced security and removes dependencies that have been deprecated as per Auth0's roadmap. In some cases, these security enhancements may impact application behavior when upgrading from an earlier versions of auth0.js.

Should I migrate to v9?

Everyone should migrate to v9. All previous versions are deprecated, and will be removed from service July 16, 2018. For applications that use Auth0.js within an Auth0 login page, this migration is recommended; for applications with Auth0.js embedded within them, this migration is mandatory.

Legacy Lock API Removed from Service

Previously, the Legacy Lock API (used by deprecated versions of Auth0.js) was planned to be removed from service on April 1, 2018. However, the Removal of Service date was extended to July 16, 2018 due to a mitigation of the risks posed by deprecated versions.

As of the week of July 16, 2018, the Legacy Lock API will be disabled. This is a soft removal, so you will have a brief grace period during which you can temporarily re-enable the feature in order to make any necessary changes. See the soft removal announcement for more details.

Migration Instructions

The documents below describe all the changes that you should be aware of when migrating from different versions of Auth0.js to v9. Make sure you go through the relevant guide(s) before upgrading.

If you have any questions or concerns, you can discuss them in the Auth0 Community, submit them using the Support Center, or directly through your account representative, if applicable.

Embedded login for web uses Cross Origin Authentication, which does not work reliably on all browsers if you do not enable Custom Domains. The use of Custom Domains is a paid feature. A good alternative is to migrate to Universal Login if you cannot use Custom Domains in your application.

Troubleshooting

I upgraded but I still get deprecation warnings in the logs

You have already migrated to Auth0.js 9 but you still see this error in your logs:

Legacy Lock API: This feature is being deprecated. Please refer to our documentation to learn how to migrate your application.

These deprecation notices most likely originate from a user visiting the Universal Login page directly without initiating the authentication flow from your app. This can happen if a user bookmarks the login page directly. If this happens after July 16, 2018 the user will not be able to log in.

Check out the Deprecation Error Reference for more information on deprecation related errors.