Allow client_id and shorter client_secret to be set on POST /clients

Feature: Allow /clients endpoint to accept client_id and also shorter client_secret values.

Description: Currently, if a client_id is specified in the /clients POST request body, there is an error:

{
  "statusCode": 403,
  "error": "Forbidden",
  "message": "This operation must be authorized by Auth0",
  "errorCode": "operation_not_supported"
}

Additionally, if a client_secret value of fewer than 48 characters is used, there’s an additional validation error.

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Client secret too short, min length is 48",
  "errorCode": "invalid_body"
}

Use-case: We are currently undergoing a migration project from our current identity provider to Auth0. It would be ideal to limit the changes required by application teams if we can use our existing client_ids and secrets. Applications (SPAs, regular web applications, mobile, and machine-to-machine) could leverage their existing credentials to authenticate and leverage their existing API subscriptions on our API Gateway.

Our current IDP uses 28-character values for both the client_id and secret, while Auth0 uses 32-character client_ids and 48-character secrets. If we can use existing client_ids, we would need the character limit lowered as well.

Please let us know if these enhancements are feasible or not.

Edit: I think a simpler version of what I’m saying is that an import utility for applications would be useful, could satisfy our use case, and may help other customers migrate to Auth0 more quickly.

Hi @dgetz,

Thanks for the detailed use case! Don’t forget to vote for the post. Thanks!