What is happening?
Auth0 will be removing the set of endpoints (usernamepassword/login, /ssodata) used by Lock.js 7, 8, 9 and 10 and auth0.js 6, 7 and 8 on April 1st 2018.
This will only affect customers that are using embedded login. If you’re currently using our Hosted Login Page, no action is needed, but migrating to the latest version of Lock (11.3+) is recommended. Using our Hosted Login Page is referred to as using a Universal Login experience. Please read the differences between using Embedded Login vs Universal Login here: Universal vs Embedded Login
What does deprecated mean in this context?
Lock 7, 8, 9 and 10, and Auth0.js 6, 7 and 8 will stop working in embedded mode on April 1st.
I’m not sure what those endpoints mean, how do I know if I’m prepared for April 1st?
Check your logs for “Deprecation Notice” warnings in the Auth0 Dashboard. If any deprecated features are being used, a “Deprecation Notice” message will show up in the “Logs” section of the dashboard.
If you see a Legacy Lock API deprecation notice, then you’re using one of the endpoints being removed on April 1st.
Then look for the Legacy Lock API toggle under your tenant’s advanced settings and turn it off. Doing so mimics the behavior you will see on April 1st, so that you can test client applications and make sure everything works as expected.
I don’t see the Legacy Lock API toggle, what can I do?
If you don’t see the toggle, the features that we are deprecating on April 1st are already off for your account and these deprecations don’t affect you.
Are Auth0’s native mobile libraries / SDKs (e.g. iOS and Android) affected?
Mobile SDKs usually either open a browser window and use Auth0’s hosted login page, or use an endpoint other than the legacy endpoints we are removing, so no action is needed in this case.
How does this affect the Passwordless Lock?
Passwordless is not affected.
How does this affect the reset password functionality?
The reset password functionality is not directly affected.
Can I get an extension for the removal date?
It’s not possible to get an extension for the removal date. Lock 7, 8, 9 and 10, and Auth0.js 6, 7 and 8 will stop working in embedded mode on April 1st.
Why are you making this change?
This change will provide better security for your customers and is in better compliance with OIDC standards.
What should I do if I’m using embedded login?
Our recommendation to customers is to use Universal Login (the guide above explains the pros and cons in more detail). See Migrating from Embedded to Universal here: Migrating to Universal Login
Is it possible to serve the Hosted Login Page in my own Domain?
Custom domains are now available for tenants marked as development or production that have a developer, developer pro or enterprise subscription. You can find our Custom Domain documentation here: https://auth0.com/docs/custom-domains
Is there any other option to migrate to?
If you don’t want to use the Hosted Login Page, you can use Lock 11.3+ in embedded mode. Please take into consideration that it uses Cross Origin authentication, which relies on Third Party cookies. These cookies may be disabled in some browsers, which may prevent Lock 11 from working properly in embedded mode. You can find the browser testing matrix here.
To avoid the need to use Third Party cookies, you would need to configure a custom domain in your tenant. It should have the same top level domain as the application (i.e. https://myapp.contoso.com for the app and https://login.contoso.com for the custom domain).
Custom Domains are only available on developer, developer pro and enterprise subscriptions. If you have a Free account, it’s recommended that you use the Hosted Login Page instead.
Lock v10 to v11 Migration Guide
Auth0.js v8 to v9 Migration Guide
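The same-top-level-domain requirement described above for custom domains can be checked before deployment. The following is an added example, not Auth0 code: it compares the registrable domain of the application and of the login domain, which is how browsers decide whether a cookie is third-party. The suffix list is a constructed stand-in for the full Public Suffix List, and every URL other than the contoso.com pair from the text is a constructed sample.

```javascript
// Constructed, deliberately tiny stand-in for the Public Suffix List (PSL).
// Assumption: a real check loads the full PSL; these entries only cover the samples.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Returns the registrable domain (public suffix plus one label), or null
// for IP literals, single-label hosts and bare public suffixes.
function registrableDomain(urlString) {
  const host = new URL(urlString).hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.includes(":") || !host.includes(".")) return null;
  const labels = host.split(".");
  const suffixLen = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 2 : 1;
  if (labels.length <= suffixLen) return null;
  return labels.slice(-(suffixLen + 1)).join(".");
}

// True when the login domain's cookies would be third-party from the app's page,
// i.e. embedded login would depend on third-party cookies being enabled.
function needsThirdPartyCookies(appUrl, loginUrl) {
  const appSite = registrableDomain(appUrl);
  const loginSite = registrableDomain(loginUrl);
  return appSite === null || appSite !== loginSite;
}

// Constructed sample pairs; the first is the pair used in the text above.
const SAMPLES = [
  ["https://myapp.contoso.com", "https://login.contoso.com"],
  ["https://myapp.contoso.com", "https://login.example.net"],
  // Both end in "co.uk", but that is a public suffix, not a shared site.
  ["https://app.contoso.co.uk", "https://login.fabrikam.co.uk"],
  // Local development hosts have no registrable domain at all.
  ["http://localhost:3000", "https://login.contoso.com"],
];

function report(pairs) {
  return pairs.map(([app, login]) => ({
    app,
    login,
    thirdParty: needsThirdPartyCookies(app, login),
  }));
}

for (const r of report(SAMPLES)) {
  const verdict = r.thirdParty ? "third-party cookies needed" : "first-party";
  console.log(`${r.app} -> ${r.login}: ${verdict}`);
}
```

A pair reported as needing third-party cookies is one where embedded Lock 11 can fail in browsers that block them, so Universal Login or a matching custom domain is the safer choice.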
Does this mean that username and password login will no longer be available at all after April 1st?
Username and password login will continue to work through a new endpoint of our Authentication API.
What happens if I am using SSO?
Lock 11 in embedded form works with SSO if you have a Custom Domain and all the sites that participate in the transaction are in the same top level domain. For the rest of the scenarios you need to use Universal Login (the hosted login page) with or without custom domains.
What will happen to the rest of the endpoints that were mentioned on the December 26th notification?
We have delayed those deprecations until further notice. For now, we are only going to deprecate the usernamepassword/login and the ssodata endpoints of the Authentication API when used by Auth0.js and Lock in embedded mode.