Overview
The account linking extension now includes enhanced validation during the linking process. For Actions, the extension verifies that the JWT’s issuer (iss claim), audience (aud claim, the Client ID of the extension’s application), and signature (verified using the correct Client Secret) match the values expected for your tenant and the extension’s settings. An Action script that was created or customized some time ago, or that mirrors an older Rule configuration, may still use values that no longer pass this validation.
Applies To
- Custom Auth0 Action: Account linking extension
Solution
The resolution requires reviewing and updating your custom Action script to ensure it generates JWTs with the correct parameters for the Account Linking extension. This update is essential for maintaining the security and integrity of the authentication flow by ensuring that requests to the account linking extension are properly authenticated and authorized using verifiable configuration stored securely in Action Secrets.
To resolve, please follow these steps:
- Locate Your Action:
  - Navigate to Actions → Library in your Auth0 Dashboard.
  - Find the custom Action you are using that interacts with the Account Linking extension (likely in your Login or Pre User Registration flow). Click on it to open the editor.
- Review the Action Script:
  - Examine the code, paying close attention to where it prepares data and constructs the JWT sent to your Account Linking extension URL. You might see a structure resembling var config = {…} from older Rule examples, but the values within need specific adjustments for the Action environment.
- Verify JWT Parameters and Configuration:
  - Carefully check the actual values used when creating and signing the JWT. The placeholders and variables from Rule templates (auth0.domain, ${clientID}, ${clientSecret}) do not work in Actions. You must ensure the correct values are sourced, preferably from Action Secrets:
    - Issuer (iss): This must be your canonical Auth0 domain name (e.g., your-tenant.us.auth0.com) without the protocol portion of the URL.
      - Recommended: Store this domain name as an Action Secret (e.g., key: AUTH0_DOMAIN, value: your-tenant.us.auth0.com). Access it via event.secrets.AUTH0_DOMAIN.
    - Audience (aud) / Client ID: You need the Client ID of the “auth0-account-link” application that was automatically created when the extension was installed.
      - Find this value in your Auth0 Dashboard under Applications → Applications → “auth0-account-link”.
      - Store this Client ID securely as an Action Secret (e.g., key: ACCOUNT_LINK_CLIENT_ID). Access it via event.secrets.ACCOUNT_LINK_CLIENT_ID.
    - Signing Secret / Client Secret: The ${clientSecret} placeholder is invalid. You need the Client Secret corresponding to the “auth0-account-link” application.
      - Find this value in the settings of the “auth0-account-link” application.
      - Store this Client Secret securely as an Action Secret (e.g., key: ACCOUNT_LINK_CLIENT_SECRET). Access it via event.secrets.ACCOUNT_LINK_CLIENT_SECRET. Never hardcode the Client Secret.
  - Example:
```javascript
var config = {
  endpoints: {
    //...
  },
  token: {
    clientId: event.secrets.ACCOUNT_LINK_CLIENT_ID,         // aud claim: Client ID of "auth0-account-link"
    clientSecret: event.secrets.ACCOUNT_LINK_CLIENT_SECRET, // HS256 signing key, never hardcoded
    issuer: event.secrets.AUTH0_DOMAIN                      // iss claim: domain only, no protocol
  }
};
```
- Add/Update Secrets:
  - In the Action editor, click the Secrets tab (key icon).
  - Add or update the secrets (AUTH0_DOMAIN, ACCOUNT_LINK_CLIENT_ID, ACCOUNT_LINK_CLIENT_SECRET) with the correct values obtained in the previous step.
- Deploy Changes:
  - After ensuring the script correctly uses the values from event.secrets and the secrets themselves are correctly configured, click Deploy in the Action editor.
- Verify:
  - After deploying the updated Action, test your account linking flow thoroughly to ensure it is working correctly and the errors are resolved. If you experience any issues using the account linking extension with custom domains, please reach out to Auth0 Support.