Deprecations and Migrations

Deprecations and Migrations

We are actively migrating customers to new behaviors for all deprecations listed below. Please review these carefully to ensure you've taken any necessary steps to avoid service disruption. You can also search tenant logs for any errors caused by using deprecated features. To learn more, read Search Logs for Deprecation Errors.

If you have any questions, visit the Migrations section of the Auth0 Community site or create a ticket in our Support Center. To learn more, you can also read Migration Process.

Tenant Hostname Validation

Deprecated: December 9, 2021 and December, 2021 (Private Cloud Release 2112.2)

End of life: June 8, 2022 and September 9, 2022 (Private Cloud)

As of June 9, 2022 in Public Cloud and September 9, 2022 in Private Cloud, Auth0 will increase the security of API calls by adding a validation step for tenant hostnames to the Authentication API’s identification process. When a call is made, the Authentication API will validate the entity identifier (eg: client_id) of the requesting tenant as well as the tenant name in the URL domain. The tenant owning the identifier must be from the same tenant in the URL domain or the request will be rejected.

If your application or API calls any of the listed endpoints, you must configure your API calls to make sure the identifier of the requesting tenant and hostname are the same: 

  • /oauth/token

  • /co/authenticate

  • /userinfo

  • /login

  • /oauth/revoke

  • /mfa/challenge

  • /p/<connection-type>/<ticket> (Enterprise connection provisioning endpoint)

To learn more, read Tenant Hostname Validation Migration.

Opaque Access Token and Authorization Code Fixed Length

Deprecated: October 7, 2021 (Public Cloud), December 2021 (Private Cloud)

End of life: April 12, 2022 (Public Cloud), June 30, 2022 (Private Cloud)

Beginning April 12, 2022 and with the December 2021 Private Cloud release, access token and authorization codes will be issued with varied lengths to support OAuth specification RFC6749 to avoid clients making assumptions about authorization code and access token values. Currently, the access token and authorization code sizes are fixed. The current size of the authorization code is shorter than what some security practitioners recommend. Through this change, Auth0 provides a stronger code and token while also improving the performance of Auth0 systems.

Customers with systems configured to rely on specific-sized authorization code and access token length must change from fixed-sized to variable-sized configurations before April 12, 2022 in Public Cloud or the June 30, 2022 Private Cloud release.

Log Extensions

Deprecated: November 2, 2022(Public Cloud), January 6, 2023(Private Cloud release 2205)

On November 2, 2022, the following Auth0 Log Extensions will be deprecated:

  • Auth0 Authentication API Webhooks

  • Auth0 Management API Webhooks

  • Logs to Cloudwatch

  • Logs to Logentries

  • Logs to Loggly

  • Logs to Logstash

  • Logs to Papertrail

  • Logs to Splunk

  • Logs to Sumo Logic

Starting May 4, 2022, you will not be able to create new extensions from the list above. You can set up equivalent functionality using log event streams or integrations on the Auth0 Marketplace. On November 2, 2022, Auth0 will no longer support the installed log extensions from the list above. On this page, you'll find instructions for migrating from specific log extensions. 

For Private Cloud, the deprecation window will start with the 2205 release. On January 6, 2023, Auth0 will no longer support installed log extensions from the above list on Private Cloud.

Learn more