Migrations

Occasionally, Auth0 engineers must make breaking changes to the Auth0 platform, primarily for security reasons. When a vulnerability or other problem means the platform is not up to our high standards of security, we work to correct the issue.

Sometimes a correction will cause a breaking change to customers' applications. Depending on the severity of the issue, we may have to make the change immediately.

For changes that do not need to take effect immediately, we often allow a grace period to give you time to update your applications.

Migration Process

The migration process is outlined below:

  1. We update the platform and add a new migration option for existing customers, allowing a grace period for opt-in. New customers are always automatically enrolled in all migrations.
  2. After a certain period, the migration is enabled for all customers. This grace period varies based on the severity and impact of the breaking change, typically 30 or 90 days.

During the grace period, customers are informed via dashboard notifications and emails to tenant administrators. You will continue to receive emails until the migration has been enabled on each tenant you administer.

If you need help with the migration, create a ticket in our Support Center.

Active Migrations

Current migrations are listed below, newest first.

For migrations that have already been enabled for all customers, see Past Migrations.

Summary of Endpoint Migrations

This table is a summary of the endpoint migrations for the first part of 2018. See the entries below the table for more detailed explanations.

| Endpoint | Replacement | Mandatory Opt-In | More Info |
| --- | --- | --- | --- |
| /usernamepassword/login | /co/authenticate | 2018-04-01 | More Info |
| /ssoData | /authorize?prompt=none | 2018-04-01 | More Info |
| /tokeninfo | userinfo | 2018-06-01 | More Info |
| /delegation | TBD | 2018-06-01 | More Info |
| /oauth/ro | /oauth/token | 2018-07-01 | More Info |
| /oauth/access_token | TBD | TBD | More Info |
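
One way to find which applications still call the endpoints in the summary table, as an added example (not Auth0's code): it tallies deprecated-endpoint requests per client from request logs. The log line format, the client names and the tenant.example host are assumptions constructed for illustration.

```javascript
// Endpoint, replacement and mandatory opt-in values are copied from the summary table.
// Everything else (log format, clients, host) is constructed for this example.
const DEPRECATED = [
  { path: '/usernamepassword/login', replacement: '/co/authenticate', mandatory: '2018-04-01' },
  { path: '/ssoData', replacement: '/authorize?prompt=none', mandatory: '2018-04-01' },
  { path: '/tokeninfo', replacement: 'userinfo', mandatory: '2018-06-01' },
  { path: '/delegation', replacement: 'TBD', mandatory: '2018-06-01' },
  { path: '/oauth/ro', replacement: '/oauth/token', mandatory: '2018-07-01' },
  { path: '/oauth/access_token', replacement: 'TBD', mandatory: 'TBD' },
];

// Reduce a URL or bare path to its path: no scheme/host, query, fragment or trailing slash.
function requestPath(target) {
  const noHost = target.replace(/^[a-z][a-z0-9+.-]*:\/\/[^/?#]*/i, '');
  return noHost.split(/[?#]/)[0].replace(/\/+$/, '') || '/';
}

// Exact, case-insensitive match, so /oauth/token is never mistaken for /oauth/ro.
function findDeprecated(target) {
  const path = requestPath(target).toLowerCase();
  return DEPRECATED.find((e) => e.path.toLowerCase() === path) || null;
}

// Assumed line format: "<timestamp> <client> <METHOD> <url>".
function auditLog(lines) {
  const report = new Map();
  for (const line of lines) {
    const [, client, , url] = line.trim().split(/\s+/);
    const hit = url ? findDeprecated(url) : null; // malformed lines are skipped
    if (!hit) continue;
    const row = report.get(hit.path) || { ...hit, calls: 0, clients: new Set() };
    row.calls += 1;
    row.clients.add(client);
    report.set(hit.path, row);
  }
  // Earliest mandatory date first; 'TBD' sorts after every ISO date.
  return [...report.values()]
    .map((r) => ({ ...r, clients: [...r.clients].sort() }))
    .sort((a, b) => (a.mandatory < b.mandatory ? -1 : a.mandatory > b.mandatory ? 1 : 0));
}

// Constructed sample log lines.
const SAMPLE_LOG = [
  '2018-01-10T09:00:01Z web-app POST https://tenant.example/oauth/ro',
  '2018-01-10T09:00:02Z web-app POST https://tenant.example/oauth/token',
  '2018-01-10T09:00:03Z spa GET https://tenant.example/ssodata?client_id=abc',
  '2018-01-10T09:00:04Z mobile POST https://tenant.example/oauth/ro/',
  '2018-01-10T09:00:05Z legacy POST /delegation',
];
console.log(auditLog(SAMPLE_LOG));
```

Each row of the result names the deprecated endpoint, its replacement, the mandatory opt-in date and the clients that still call it, ordered by the nearest deadline.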

Introducing Lock v11 and Auth0.js v9

| Severity | Grace Period Start | Mandatory Opt-In |
| --- | --- | --- |
| Medium | 2017-12-21 | 2018-04-01 |

We are continually improving the security of our service. As part of this, we are deprecating a set of APIs (/usernamepassword/login, /ssodata, tokeninfo, /delegation) used by Lock.js v8, v9, and v10 and auth0.js v6, v7, and v8. You should update your applications by April 1, 2018.

Here are the migration guides for Auth0.js and for Lock.

Am I affected by the change?

If you are currently implementing login in your application with Lock v8, v9, or v10, or Auth0.js v6, v7, or v8, you will be affected by these changes. We recommend that applications using universal login update, as customized login pages may or may not need to be updated. Those who are using Lock or Auth0.js embedded within their applications, however, are required to update, and applications that still use deprecated versions may cease to work at some point after the deadline.

If you have any questions, create a ticket in our Support Center.

Introducing Resource Owner Support for oauth/token Endpoint

| Severity | Grace Period Start | Mandatory Opt-In |
| --- | --- | --- |
| Medium | 2017-12-21 | 2018-07-01 |

Support for Resource Owner Password was added to the /oauth/token endpoint earlier this year.

We will now deprecate the current /oauth/ro and /oauth/access_token endpoints.

Applications must be updated before July 1, 2018, when /oauth/ro will become unavailable. The migration guide will be available in Q1 2018.

Am I affected by the change?

If you are currently implementing the /oauth/ro endpoint, your application will need to be updated to use the /oauth/token endpoint instead.

If you have any questions, create a ticket in our Support Center.

Introducing API Authorization with Third-Party Vendor APIs

| Severity | Grace Period Start | Mandatory Opt-In |
| --- | --- | --- |
| Medium | Q1 2018 | 2018-06-01 |

The mechanism by which you get tokens for third-party / vendor APIs (for example AWS, Firebase, and others) is being changed. It now works the same as any custom API, providing better consistency. This new architecture will be available in Q1 2018 and at that point the /delegation endpoint will be deprecated. All clients must be updated prior to June 1, 2018. The migration guide will be available in Q1 2018.

Am I affected by the change?

If you are currently using /delegation to provide third-party authorization, your application will need to be updated.

If you have any questions, create a ticket in our Support Center.

Deprecating the Usage of ID Tokens on the Auth0 Management API

| Severity | Grace Period Start | Mandatory Opt-In |
| --- | --- | --- |
| Medium | 2017-12-21 | 2018-06-01 |

We are deprecating the usage of ID Tokens when calling /users and /device-credentials. We have moved to regular Management APIv2 Tokens. This is available now. Applications must be updated by June 1, 2018, when the ability to use ID Tokens will become unavailable. Migration guides will be available by February 2018.

Am I affected by the change?

If you are currently using ID Tokens to access any part of the Management API, your application will need to be updated.

If you have any questions, create a ticket in our Support Center.

Improved OpenID Connect Interoperability in Auth0

| Severity | Grace Period Start | Mandatory Opt-In |
| --- | --- | --- |
| Medium | 2017-12-21 | 2018-07-01 |

The userinfo endpoint is being updated to return OIDC-conformant user profile attributes. The most notable change is that user_id becomes sub. This will deprecate the legacy Auth0 user profile (in userinfo and in ID Tokens). Applications must be updated to use the new user profile before July 1, 2018. The migration guide will be available in late Q1 2018.

Am I affected by the change?

If you are currently using the userinfo endpoint or receiving ID Tokens, you are affected by this change and need to update your implementation so that it expects normalized OIDC-conformant user profile attributes.

If you have any questions, create a ticket in our Support Center.
