Implicit Flow

Migrating to Lock v11


Refresh TokensLock v11 operates with enhanced security and removes dependencies that have been deprecated as per Auth0's roadmap. In some cases, these security enhancements may impact application behavior when upgrading from an earlier version of Lock.

How it works

Should I migrate to v11?

Everyone should migrate to v11. All previous versions are deprecated, and the Legacy Lock API was removed from service on August 6, 2018. For applications that use Lock within an Auth0 login page, this migration is recommended; for applications with Lock embedded within them, this migration is mandatory.

How to implement it

Migration instructions

The documents below describe all the changes that you should be aware of when migrating from different versions of Lock. Make sure you go through the relevant guide(s) before upgrading.

If you have any questions or concerns, you can discuss them in the Auth0 Community, submit them using the Support Center, or directly through your account representative, if applicable.

Embedded login for web uses Cross Origin Authentication. In some browsers this can be unreliable if you do not set up a Custom Domain and host your app on the same domain. Using Custom Domains with Auth0 is a paid feature. If you cannot use Custom Domains, consider migrating to Universal Login.

Keep reading


Lock takes too long to display the login options

If Lock takes a lot of time to display the login options, it could be because the Allowed Web Origins property is not correctly set.

To verify that this is a problem check your logs at Dashboard > Logs. If you see an entry with the following error description, set the Allowed Web Origins property and try again.

I upgraded but I still get deprecation warnings in the logs

You have already migrated to Lock 11 but you still see this error in your logs:

These deprecation notices most likely originate from a user visiting the Universal Login page directly without initiating the authentication flow from your app. This can happen if a user bookmarks the login page directly. After August 6, 2018, these users will not be able to log in.

Check out the Deprecation Error Reference for more information on deprecation related errors.