Auth0 Account Linking Rules Resolution

Overview

The account linking extension now includes enhanced validation during the linking process. For Rules, the extension verifies that the issuer, clientId, and clientSecret values configured within your Account Linking Rule match the expected values derived from your tenant and the extension’s settings. This validation was not historically enforced. Rules may require attention if configured with custom domains or created some time ago.

Applies To

  • Custom Auth0 Action: Account linking extension

Solution

The resolution requires updating your Account Linking Rule to use the standard configuration block, which ensures the correct values are used for token validation. As Rules are deprecated, updates must be performed using the Auth0 Management API.

To resolve, please follow these steps:

  1. Prerequisites:

    • Obtain a Management API Token: You’ll need an API token with read:rules and update:rules permissions. Follow the documentation here: Create Management API Tokens. Keep this token secure.
    • Identify the Rule ID: You need the unique ID of the specific Account Linking rule you want to modify.
      • If you already know the Rule ID from deployment scripts or configuration files, you can skip to Step 2.
      • If you don’t know the Rule ID, you can list all rules using the Management API’s GET /api/v2/rules endpoint.
      • Example using curl (replace YOUR_AUTH0_DOMAIN and YOUR_MGMT_API_TOKEN):
# 1. Fetch all rules from Auth0 (display only id and name)

curl "https://$YOUR_AUTH0_DOMAIN/api/v2/rules" \
-H "Authorization: Bearer $YOUR_MGMT_API_TOKEN" \
-H 'Accept: application/json' \
| jq -r '.[] | {id, name}'

# jq: processes JSON and shows only id and name of each rule
      • Examine the response and look for the rule related to Account Linking. Note down the id of the correct rule.
  2. Get the Current Rule Script:

    • Once you have the specific YOUR_RULE_ID, use the Management API’s GET /api/v2/rules/{id} endpoint to retrieve the rule script.
    • Example using curl:
# 2. Fetch a specific rule by ID and save its script to a file

curl -sS "https://$YOUR_AUTH0_DOMAIN/api/v2/rules/$YOUR_RULE_ID" \
-H "Authorization: Bearer $YOUR_MGMT_API_TOKEN" \
-H 'Accept: application/json' \
| jq -r '.script' \
> rule.js 

# curl: fetches from URL (-sS: silent+errors)
# | jq: processes JSON (-r: raw output; '.script': extracts script property)
# > rule.js: saves output to file.

  3. Modify the Script Content:

    • In the script content you just saved, locate the entire var config = { … }; block.
    • Ensure that the config contains issuer: auth0.domain and not a hardcoded value. Also, ensure that the clientID and clientSecret values match those in your auth0-account-link application.
  4. Update the Rule via API:

    • Use the Management API’s PATCH /api/v2/rules/{id} endpoint to update the rule with the modified script (the entire script content, including the updated config block). You will send a JSON payload containing only the script field with the updated content.
    • Example using curl (the modified script content must be sent as a JSON string within the --data payload, with newlines \n, quotes ", etc. escaped; the jq command in this example produces that encoding from rule.js):
# 3. After modifying rule.js, update the rule in Auth0

jq -R -s '{script: .}' rule.js \
| curl -X PATCH \
"https://$YOUR_AUTH0_DOMAIN/api/v2/rules/$YOUR_RULE_ID" \
-H "Authorization: Bearer $YOUR_MGMT_API_TOKEN" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--data @- 

# jq: reads all of rule.js (-R raw input, -s slurp the entire input into a single string value), creates {"script": ...} JSON 
# | curl: sends JSON stdin (--data @-) to update rule
  5. Verify: After receiving a “success” response (HTTP 200) from the API, test your account linking flow to ensure it’s working correctly. If you experience any issues using the account linking extension with custom domains, please reach out to Auth0 Support.
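
The check described in the "Modify the Script Content" step can be run against rule.js before the PATCH call. The following is an added example, not Auth0's or the extension's own code: the function names, return codes, the EXPECTED_CLIENT_ID variable and the sample scripts are assumptions made for illustration, and it assumes one property per line inside the config block.

```bash
#!/usr/bin/env bash
# Added example (not Auth0's code): check rule.js before the PATCH step.
# Function names, return codes and the sample scripts are assumptions.

# Print the "var config = { ... };" block of a rule script.
# Assumes the block closes on a line that contains only "};".
extract_config_block() {
  sed -n '/var[[:space:]]\{1,\}config[[:space:]]*=[[:space:]]*{/,/^[[:space:]]*};[[:space:]]*$/p' "$1"
}

# check_rule_config FILE [EXPECTED_CLIENT_ID]
#   0 = issuer is auth0.domain (and the client ID, if given, is present)
#   1 = no config block found
#   2 = issuer missing, hardcoded, or not on its own line (review by hand)
#   3 = expected client ID not found in the config block
check_rule_config() {
  local file="$1" expected_id="${2:-}" block issuer
  block=$(extract_config_block "$file")
  [ -n "$block" ] || return 1
  # Value of the issuer property, minus trailing comma and whitespace.
  issuer=$(printf '%s\n' "$block" |
    sed -n 's/^[[:space:]]*issuer[[:space:]]*:[[:space:]]*\(.*\)$/\1/p' |
    head -n 1 | sed 's/[[:space:],]*$//')
  [ "$issuer" = "auth0.domain" ] || return 2
  if [ -n "$expected_id" ]; then
    printf '%s\n' "$block" | grep -qF -- "$expected_id" || return 3
  fi
  return 0
}

# Constructed sample scripts (placeholder values, not the extension's template).
write_samples() {
  printf '%s\n' 'function (user, context, callback) {' '  var config = {' \
    "    clientID: 'SAMPLE_CLIENT_ID'," "    clientSecret: 'SAMPLE_SECRET'," \
    '    issuer: auth0.domain' '  };' '  callback(null, user, context);' '}' \
    > "$1/good.js"
  sed "s/issuer: auth0.domain/issuer: 'login.example.com'/" "$1/good.js" > "$1/bad.js"
}

# Usage: ./check_rule.sh rule.js  (set EXPECTED_CLIENT_ID to also check the ID)
if [ -n "${1:-}" ]; then
  check_rule_config "$1" "${EXPECTED_CLIENT_ID:-}" || exit $?
  echo "config block OK: $1"
fi
```

A non-zero exit means rule.js should be reviewed by hand before it is sent. The client secret is deliberately not taken as an argument, so it does not end up in shell history or the process list.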