Action Required: Update Applications that use Cross-Origin Authentication

Hi Community!

We wanted to let you all know that starting October 25, 2024, Cross-origin authentication will be disabled by default for new applications created in Auth0. If an application requires cross-origin authentication, tenant administrators can update the application in the Admin Dashboard.

Management API users will also no longer receive cross_origin_auth in the response to requests on the [Get clients] or the [Get client by id] API endpoints. A new setting, cross_origin_authentication, can be used to read and update the application settings.

Why are we making this change?

These changes will help improve our customers’ security and limit the exposure of applications that don’t require cross-origin authentication.

What action do you need to take?

If you have dependencies on either the [Get clients] or the [Get client by id] API endpoints, you will need to update these dependencies to no longer expect cross_origin_auth in the response.

If you use the above endpoints to create or manage applications, you will need to specify cross_origin_authentication is set to true for the setting to take effect.

If you have documentation or training materials for applications that require cross-origin authentication, you will need to add an additional step for enabling the setting to ensure the scenario is successful.

Let us know down below if you have any questions!
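The audit this change calls for, as an added example that is not part of the original post or Auth0's own code: it checks client records for the new cross_origin_authentication setting and builds the update bodies. The sample records, the `needsCrossOrigin` allowlist and all function names are assumptions made for illustration.

```javascript
// Constructed sample shaped like a "Get clients" response; IDs and names are made up.
const sampleClients = [
  { client_id: "EXAMPLE_ID_1", name: "embedded-login-spa", cross_origin_authentication: true },
  { client_id: "EXAMPLE_ID_2", name: "universal-login-app", cross_origin_authentication: true },
  { client_id: "EXAMPLE_ID_3", name: "new-embedded-app" }, // setting absent
  { client_id: "EXAMPLE_ID_4", name: "cached-record", cross_origin_auth: true }, // old field only
];

// Hypothetical allowlist: the applications your team knows use embedded login.
const needsCrossOrigin = new Set(["EXAMPLE_ID_1", "EXAMPLE_ID_3"]);

// Read only the new setting. Assumption: an absent value means disabled,
// matching the new default described in the announcement.
function crossOriginEnabled(client) {
  return client.cross_origin_authentication === true;
}

// Body for an update request that sets the flag explicitly.
function updateBody(enabled) {
  return { cross_origin_authentication: enabled };
}

// Compare what each client has against what it needs.
function auditClients(clients, required) {
  const report = { toEnable: [], toDisable: [], oldFieldOnly: [] };
  for (const c of clients) {
    const enabled = crossOriginEnabled(c);
    // Records that carry only the old field point at a dependency to update.
    if ("cross_origin_auth" in c && !("cross_origin_authentication" in c)) {
      report.oldFieldOnly.push(c.client_id);
    }
    if (required.has(c.client_id) && !enabled) {
      // Embedded login would fail until the setting is turned on.
      report.toEnable.push({ client_id: c.client_id, body: updateBody(true) });
    } else if (!required.has(c.client_id) && enabled) {
      // Enabled without a known need: exposure that can be removed.
      report.toDisable.push({ client_id: c.client_id, body: updateBody(false) });
    }
  }
  return report;
}

console.log(JSON.stringify(auditClients(sampleClients, needsCrossOrigin), null, 2));
```

Replace `sampleClients` with the parsed response from your own tenant and review the `toDisable` list before sending any update.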


@rueben.tiow Do we need to make any changes regarding this, since we are using the libraries “auth0-js” and “auth0” for JavaScript?

Hi @seifsg,

Are you using auth0-js for embedded login?

If so, you would be using cross-origin authentication and would need to update the application to enable cross-origin authentication.


@rueben.tiow I am using Universal Login, will this be affected by Cross-Origin Authentication?

Hi @fujii.takayuki,

You should be good with using the Universal Login. There will be no impact on you.

Hi @rueben.tiow,

I have a related question. We have a shared React UI component, which is embedded into other UI applications through an iFrame. The domain that loads the shared UI component is different from the domain which loads the UI applications in which it is embedded. The shared UI component renders only if the User is authenticated. We enforce the Authentication by wrapping the shared React UI component in AuthProvider from the Auth0 React SDK. The shared React UI component is registered as an SPA in Auth0.

We have observed that when the “3rd Party Cookies” are disabled, the User authentication validation within the iFrame embedded shared React UI component always fails. The requirement is to validate if the User session is valid (i.e. he is already Authenticated). The typical User Login flow usually happens in its own browser tab.

Can you share any advice in terms of how we should implement the User Authentication validation requirement within the iFrame embedded React UI component, even when 3rd Party Cookies are disabled?