Action Required: Update Applications that use Cross-Origin Authentication

Hi Community!

We wanted to let you all know that starting October 25, 2024, Cross-origin authentication will be disabled by default for new applications created in Auth0. If an application requires cross-origin authentication, tenant administrators can update the application in the Admin Dashboard.

Management API users will also no longer receive cross_origin_auth in the response to requests on the [Get clients] or the [Get client by id] API endpoints. A new setting, cross_origin_authentication, can be used to read and update the application settings.

Why are we making this change?

These changes will help improve our customers’ security and limit the exposure of applications that don’t require cross-origin authentication.

What action do you need to take?

If you have dependencies on either the [Get clients] or the [Get client by id] API endpoints, you will need to update these dependencies to no longer expect cross_origin_auth in response.

If you use the above endpoints to create or manage applications, you will need to specify that cross_origin_authentication is set to true for the setting to take effect.

If you have documentation or training materials for applications that require cross-origin authentication, you will need to add an additional step for enabling the setting to ensure the scenario is successful.

Let us know down below if you have any questions!
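As an added example (not Auth0's own code), the following script shows how a dependency on the Get clients response can be migrated: it reads the new cross_origin_authentication field, tolerates responses that still carry the legacy cross_origin_auth field, reports which applications have cross-origin authentication enabled so an administrator can review them, and builds the PATCH body that uses the new setting. The client objects are a constructed sample, and the Management API paths in the comments are the standard /api/v2/clients endpoints.

```python
"""Audit Management API client objects for cross-origin authentication.

Added example, not Auth0's own code. Prefers the new
`cross_origin_authentication` key, tolerates the legacy
`cross_origin_auth` key, and never guesses a default when neither is present.
"""
import json
from typing import Optional

NEW_KEY = "cross_origin_authentication"
LEGACY_KEY = "cross_origin_auth"  # being removed from Get clients / Get client by id

# Constructed sample of a `GET /api/v2/clients` response body (not real tenant data).
SAMPLE_CLIENTS_JSON = """[
  {"client_id": "c1", "name": "Embedded login SPA", "app_type": "spa",
   "cross_origin_authentication": true},
  {"client_id": "c2", "name": "Older API consumer", "app_type": "regular_web",
   "cross_origin_auth": true},
  {"client_id": "c3", "name": "Android app", "app_type": "native"},
  {"client_id": "c4", "name": "Universal Login web app", "app_type": "regular_web",
   "cross_origin_authentication": false}
]"""


def cross_origin_enabled(client: dict) -> Optional[bool]:
    """Return the effective flag, preferring the new key.

    Returns None when the object carries neither key: the API, not this
    code, decides the default, so the client is reported as 'unknown'.
    """
    if NEW_KEY in client:
        return bool(client[NEW_KEY])
    if LEGACY_KEY in client:  # pre-deprecation response shape
        return bool(client[LEGACY_KEY])
    return None


def audit_clients(clients_json: str) -> dict:
    """Group client_ids by flag state so an admin can review exposure."""
    report = {"enabled": [], "disabled": [], "unknown": []}
    for client in json.loads(clients_json):
        state = cross_origin_enabled(client)
        bucket = "unknown" if state is None else ("enabled" if state else "disabled")
        report[bucket].append(client["client_id"])
    return report


def patch_body(enable: bool) -> dict:
    """Body for `PATCH /api/v2/clients/{id}`; the announcement says the
    new key must be set explicitly for the setting to take effect."""
    return {NEW_KEY: enable}


if __name__ == "__main__":
    print(json.dumps(audit_clients(SAMPLE_CLIENTS_JSON), indent=2))
```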

@rueben.tiow Do we need to make any changes, since we are using the libraries “auth0-js” and “auth0” for JavaScript?

Hi @seifsg,

Are you using auth0-js for embedded login?

If so, you would be using cross-origin authentication and would need to update the application to enable cross-origin authentication.

@rueben.tiow I am using Universal Login. Will this be impacted by the Cross-Origin Authentication change?

Hi @fujii.takayuki,

You should be good with using the Universal Login. There will be no impact on you.

Hi @rueben.tiow,

I have a related question. We have a shared React UI component, which is embedded into other UI applications through an iFrame. The domain that loads the shared UI component is different from the domain which loads the UI applications in which it is embedded. The shared UI component renders only if the User is authenticated. We enforce the Authentication by wrapping the shared React UI component in AuthProvider from the Auth0 React SDK. The shared React UI component is registered as an SPA in Auth0.

We have observed that when the “3rd Party Cookies” are disabled, the User authentication validation within the iFrame embedded shared React UI component always fails. The requirement is to validate if the User session is valid (i.e. he is already Authenticated). The typical User Login flow usually happens in its own browser tab.

Can you share any advice on how we should implement the User Authentication validation requirement within the iFrame embedded React UI component, even when 3rd Party Cookies are disabled?

Thanks

Hi, I have a related question. We need cross_origin_auth and we are not using universal login.

We have already enabled Allow Cross-Origin Authentication in the application settings.
Our app does not use Get Clients or Get Clients by id API endpoints.

In that case, do we need to make any other changes to our application settings or application?

Hi @rueben.tiow
I use Auth0 to log in to my native Android application. Will this be impacted by the Cross-Origin Authentication change?

Hi @mahmoud.m.hamoda,

No, you should be able to continue using your Native Android application as usual. This update should not impact you.

Thanks,
Rueben

Today, Terraform configuration drift occurred in all of our environments that I think could be related to this change. We’ve verified the drift did not occur from the Terraform provider or from user action.

Did a default for this value change today or yesterday in one or more of the client apis without notice?

Hi @badpracticemenolikey,

The default for this value was not changed today or yesterday. That change will take place starting October 25, 2024.

Thanks,
Rueben

Hello -

If an application/client did not have cross_origin_authentication defined, a default value has been specified to match the value that you see in the Admin Dashboard. Previously this attribute (cross_origin_authentication) was not stored and exposed on the client object.

This change is related, but not specific to this deprecation announcement.

Also note, that with this deprecation we will be removing cross_origin_auth to make this less confusing.

Thank you

Brandon

Thanks @brandon.simons, this addresses my concern. A change has been made in the API to specify a default value that was previously not present on the client object, and this will cause a change to be reflected.

A few folks have reported impact in Auth0’s Terraform provider issues on GitHub here, and this seems like the likely cause.

Can someone at Auth0 provide guidance to handle the deprecation? When cross_origin_auth is removed from the auth0_client resource, will it be moving into a new resource? The most recent documentation doesn’t seem to have any notes on an upcoming deprecation, so it’s a little unclear.

Thanks again

I had this setting explicitly set to false in my Terraform configs for all my auth0_client resources for years.

I remember seeing drift in the Terraform state when updating this value in the Dashboard in the past. I am fairly certain this value was respected and turned off for all of my clients.

Now cross-origin authentication has been turned on in all of the clients, and my Terraform plans are also reflecting this drift.

Can someone from Auth0 please confirm if there was an incident that caused cross-origin authentication to be turned on for all clients?

Hi @leon4dapper,

AFAIK, there weren’t any incidents that caused cross-origin authentication to be turned on for all clients. Historically, it has been enabled by default.

I am aware that you had explicitly set this setting to false. Have you made sure that you also set "cross_origin_authentication": false?

Thanks,
Rueben

Hi there!

I would like to know whether our service will break.

We are using the Java SDK (‘com.auth0’, name: ‘auth0’, version: ‘1.11.0’).

We are not managing apps programmatically. We are using it only to create users, and get users’ metadata.

I know we could upgrade to the latest version of the SDK, but the problem is that we are fighting another fire right now; we have no time to update it and check that everything is still working.

Could you let us know whether the change in returned value from Auth0 will break our code, given our version of the SDK and the usage we are making of it?

We are not explicitly looking at the cross_origin_auth value in the response ourselves, but could it be that the SDK’s parser expects this value to be present, and thus crashes on Friday?

Thanks a lot in advance!