Migrate to 1-Hour Login Flows Expiration

Starting 21 February 2024, Auth0 will enforce a maximum lifetime of 1 hour for redirection-based login flows. Login flows that take longer than 1 hour to complete will expire in both Universal and Classic Login.

Auth0 currently allows the following interactive login flows to last up to 3 days to complete:

• Authorization Code Flow

• Authorization Code Flow with PKCE

• Cross-Origin Authentication

• Device Authorization Flow

• Hybrid Flow

• Implicit Flow with Form Post

• Security Assertion Markup Language (SAML)

• Web Services Federation Protocol (WS-Fed)

Starting 21 February 2024, Auth0 will enforce a maximum lifetime of 1 hour for the listed authorization flows. Transactions will expire after 1 hour. After expiration, operations from the end user's browser, such as input email and password or redirect back to Auth0 Actions, etc., will:

• Redirect to the associated application’s default login route to reinitiate the flow with a new login transaction Or

• Serve an error page if you have not configured the application's default login route or you are using Classic Login. The end user must return to your application to reinitiate the login transaction. You can customize this error page using Universal Login.

When redirecting users after logout, redirect them to a page of your application that allows users to log in again based on some user action (e.g. click the Login button) instead of directly redirecting them to the Universal Login /authorize endpoint. The pattern of starting a new login transaction without an explicit user-initiated action is the main source of transactions taking too long to complete, as the new login attempt is left unattended in a browser window and can be subject to malicious attacks.

If you are using Universal Login:

• We recommend you configure default login routes for your applications in the Auth0 Dashboard or via the Auth0 Management API. This method automatically starts login transactions and results in the best user experience as the login flow seamlessly restarts for active end users when the transaction has expired.

• If your configuration doesn’t allow for default login routes, we recommend you customize Auth0 error pages to provide a better user experience. You can use the error pages to instruct the user to return to your application to restart the login attempt.

• If you don’t do either of the above, we will display the default Auth0 error page:

If you are using Classic Login, the login widget will display an error and the user will need to return to the application and retry to log in for expired transaction in all cases.

If you want further insights on how many transactions and Applications are affected in your tenant, review the logs in your tenant under Auth0 Dashboard > Monitoring > Logs. Look for Deprecation Notice logs with this search: type:depnote AND description:*Long*state*expirations*. These results will point to login transactions and the applications (i.e. client_id) lasting longer than 1 hour.

Note these logs are rate-limited, and you will see one per hour per client_id.

After configuring default login routes or updating the Auth0 error pages with specific instructions for your end-users, you can (de)activate the 1-hour expiration any time before 21 February 2024 to verify login behavior.

1. Navigate to Auth0 Dashboard > Tenant Settings > Advanced and search for the Migrations section.

2. Toggle off Long state expirations. Disabling this setting limits transactions to last only 1 hour. Enabling this setting allows transactions to last up to 3 days.