Tenant Hostname Validation Migration
As of June 9, 2022 in Public Cloud and September 9, 2022 in Private Cloud, Auth0 is adding a layer of validation to the Authentication API. If Auth0 has detected that calls from your applications to the Authentication API may be affected by this change, we have provided deprecation notices in tenant logs and a migration flag to prepare you for this change.
Affected Endpoints
As of June 9, 2022 in Public Cloud and September 9, 2022 in Private Cloud, any calls to the Authentication API endpoints below that are not properly validated will be rejected. Auth0 recommends that you take action to migrate your application domain URL or API call identifier to the same tenant well before that date.
The affected endpoints are:
/oauth/token
/co/authenticate
/userinfo
/login
/oauth/revoke
/mfa/challenge
/p/<connection-type>/<ticket> (Enterprise connection provisioning endpoint)
Review tenant logs
First, check your tenant logs for deprecation notices to verify if you need to migrate your application.
Navigate to Dashboard > Monitoring > Logs.
Search the logs for type:depnote AND description:ignore*request*host*header* to find the deprecation notice regarding which applications are affected and need to be migrated. Find the Details > Raw section of the log. There you can identify the client_id of the application to update, or the connection_id in the case of a provisioning endpoint.
Modify all applicable applications.
If the tenant and the domain tenant are misaligned, you need to modify the identifiers sent, or the domain URL, along with any other misconfigured request parameters.
The domain tenant should match the tenant associated with the client_id or connection_id.
Once you’ve completed migrating all applicable tenants, tenant logs will no longer show deprecation notices associated with this migration.
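The log review step above can be turned into a migration worklist when many notices are present. The following is an added example, not Auth0 code: it assumes the matching log entries have been saved as a JSON array whose objects carry type, description, client_id and connection_id keys, and the sample entries, identifier placeholders and function names are constructed for illustration.

```python
import fnmatch
import json
from collections import Counter

# Local approximation of the page's log search:
#   type:depnote AND description:ignore*request*host*header*
DESCRIPTION_GLOB = "*ignore*request*host*header*"

# Constructed sample export. The layout (a JSON array of entries with type,
# description, client_id and connection_id keys) is an assumption.
SAMPLE_EXPORT = """[
 {"type": "depnote", "description": "Ignore request Host header (constructed)", "client_id": "CLIENT_A_PLACEHOLDER"},
 {"type": "depnote", "description": "Ignore request Host header (constructed)", "client_id": "CLIENT_A_PLACEHOLDER"},
 {"type": "depnote", "description": "Ignore request Host header (constructed)", "connection_id": "CONNECTION_B_PLACEHOLDER"},
 {"type": "depnote", "description": "Another deprecation (constructed)", "client_id": "CLIENT_C_PLACEHOLDER"},
 {"type": "s", "description": "Ignore request Host header (constructed)", "client_id": "CLIENT_D_PLACEHOLDER"},
 {"type": "depnote", "description": "Ignore request Host header (constructed)"}
]"""


def is_hostname_depnote(entry):
    """True if the entry is a deprecation notice for this migration."""
    description = str(entry.get("description") or "").lower()
    return entry.get("type") == "depnote" and fnmatch.fnmatchcase(description, DESCRIPTION_GLOB)


def migration_worklist(entries):
    """Count matching notices per client_id and per connection_id."""
    worklist = {"client_id": Counter(), "connection_id": Counter(), "unattributed": 0}
    for entry in entries:
        if not is_hostname_depnote(entry):
            continue
        # Provisioning-endpoint notices carry connection_id rather than client_id.
        keys = [k for k in ("client_id", "connection_id") if entry.get(k)]
        for key in keys:
            worklist[key][entry[key]] += 1
        if not keys:
            worklist["unattributed"] += 1  # needs a manual look at the raw entry
    return worklist


if __name__ == "__main__":
    result = migration_worklist(json.loads(SAMPLE_EXPORT))
    for key in ("client_id", "connection_id"):
        for identifier, count in result[key].most_common():
            print(f"{key}={identifier} notices={count}")
    print(f"notices without an identifier: {result['unattributed']}")
```

Re-running it on a fresh export after each application change shows which identifiers still generate notices; an empty worklist corresponds to the state in which the logs no longer show deprecation notices for this migration.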
Verify Migration
Once you have migrated your applications and configured unvalidated hostnames, verify your changes by disabling the deprecated behavior at a time of your choosing and ahead of June 9, 2022 or September 9, 2022.
Navigate to Dashboard > Tenant Settings > Advanced > Migrations.
Disable the Ignore request Host header toggle. Deactivating this toggle enforces validation for your tenant and completes the migration.
If hostname validation does not work as expected after disabling this toggle, you will receive a 4xx error to indicate that your domain tenant and the tenant associated with the client_id or connection_id are not the same.
Once all application migrations have been successfully performed and confirmed in production environments, then you can disable the switch permanently to ensure that the deprecated features can no longer be used. After June 9, 2022 in Public Cloud and September 9, 2022 in Private Cloud, Auth0 will enforce hostname validation and the associated switch will be removed from your tenant settings.