Action Required: Always Use HTTPS for Communication with Auth0

Hello Community!

Heads up - Starting October 4, 2024, Auth0 will no longer automatically redirect API requests received using unencrypted HTTP to secure HTTPS. Instead, Auth0 API servers will respond to unencrypted HTTP requests with a client error response and clients must retry the request using HTTPS. To ensure that you and your users don’t experience a disruption in service, update any HTTP URLs you use or publish to use HTTPS instead.

Why are we making this change?

This change improves the security of Auth0 services for Auth0 customers and their users by mitigating security risks associated with unencrypted HTTP communications.

Redirecting HTTP to HTTPS has been a helpful first step for service providers like Auth0 to transition from the largely unencrypted early web to the largely encrypted web of today. This method, though convenient for developers and users, has security flaws due to the initial unencrypted HTTP traffic. Taking advantage of these flaws, third parties in shared networks, as well as network intermediaries, have the potential to extract secrets from the unencrypted HTTP traffic or even impersonate an Auth0 API server with an MITM attack. With advances in web security making HTTPS easier and simpler to use by default, the advantages of the redirection no longer justify the risks, so we are making these changes to ensure that all users of our services use HTTPS from the start, and maintain its use throughout sessions.

How are you affected?

If you are using unencrypted HTTP URLs in your web clients or publishing HTTP URLs for end users to use, you or your users may experience a service disruption:

  • Auth0 services will respond to unencrypted HTTP requests with a client error, as described above, causing individual requests to fail.
  • Auth0 services may revoke tokens sent via HTTP, causing abrupt session termination.

To prevent or fix these errors before October 4, 2024, take the actions below.

What action do you need to take?

To ensure continuity of service, make certain that all URLs used in client configurations and any URLs you publish pointing to Auth0 services use HTTPS rather than HTTP.

All clients provided by Auth0, including Universal Login and our SDKs, use HTTPS for all API interactions when set up following our documentation.

If you use Custom Domains with Self-Managed Certificates, your client is a self-managed proxy. When configured according to our documentation, your proxy will use HTTPS for all API interactions.

Other custom clients integrating directly with Auth0’s Authentication or Management APIs will use HTTPS for all API interactions when built according to our API documentation and examples.

In all of these cases, the changes should not cause any service disruption.

If you use a third-party library or client to integrate Auth0, check with your client’s provider.

Additional recommendations:

For the best security and performance, we recommend updating and configuring clients to use the latest HTTPS standards, TLS 1.3 and HTTP/2 (or 3), which offer enhanced encryption and efficiency.

FAQ:

Q: Will this change impact an application's Allowed Callback URLs, Allowed Logout URLs, and Allowed Web Origin URLs?

A: No, this only applies to HTTP requests performed directly against our service (requests to the tenant's canonical domain or custom domain).
This DOES NOT affect, and is in no way related to, the ability to use an HTTP URL in an application's Allowed Callback URLs, Allowed Logout URLs, and Allowed Web Origin URLs.
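As an added example (not part of the original announcement or of any Auth0 SDK), here is a small audit that implements the advice above and the FAQ distinction: it scans a client configuration for URLs pointing at an Auth0 tenant (canonical `*.auth0.com` hosts, or custom domains you list) that still use `http://`, and reports the `https://` replacement, while leaving callback, logout and web-origin entries alone because those are unaffected. The config keys and values are constructed for illustration; adapt the key names to your own configuration format.

```python
"""Audit a client config for unencrypted HTTP URLs that target Auth0 services.

Constructed example: the config dict, key names and domains below are
hypothetical. Only URLs whose host is an Auth0 tenant (or a custom domain
you pass in) are reported; callback/logout/web-origin lists are skipped
because the announcement's FAQ says they are not affected.
"""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical key names for the settings the FAQ says are unaffected.
UNAFFECTED_KEYS = ("allowed_callback_urls", "allowed_logout_urls", "allowed_web_origins")


def is_auth0_host(host, custom_domains=()):
    """True if host is a canonical Auth0 tenant domain or a listed custom domain."""
    host = host.lower().rstrip(".")
    return host.endswith(".auth0.com") or host in {d.lower() for d in custom_domains}


def to_https(url):
    """Rewrite the scheme of a URL to https, keeping host, path and query intact."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


def audit_config(config, custom_domains=()):
    """Return a list of (key, http_url, https_url) for every Auth0 URL still using HTTP.

    Bare hostnames (e.g. a 'domain' setting with no scheme) are ignored, since
    SDKs prepend https:// to those themselves.
    """
    findings = []
    for key, value in config.items():
        if key in UNAFFECTED_KEYS:
            continue  # HTTP is still permitted in these lists per the FAQ
        urls = value if isinstance(value, (list, tuple)) else [value]
        for url in urls:
            if not isinstance(url, str) or "://" not in url:
                continue
            parts = urlsplit(url)
            if parts.scheme.lower() == "http" and is_auth0_host(parts.hostname or "", custom_domains):
                findings.append((key, url, to_https(url)))
    return findings


if __name__ == "__main__":
    # Constructed sample config: one canonical-domain issuer and one custom-domain
    # Management API base still use HTTP; the localhost callback is left alone.
    sample = {
        "domain": "example.us.auth0.com",
        "issuer": "http://example.us.auth0.com/",
        "allowed_callback_urls": ["http://localhost:3000/callback"],
        "management_api_base": "http://login.example.com/api/v2/",
    }
    for key, bad, fixed in audit_config(sample, custom_domains=["login.example.com"]):
        print(f"{key}: replace {bad} with {fixed}")
```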

Feel free to comment down below if you have any questions.

Just curious if this change will apply to tenants with developer keys and localhost
