As of Monday, August 6, 2018, Auth0 has permanently disabled the Legacy Lock API in all cloud tenants still using the deprecated
/usernamepassword/login endpoint. This ends the soft removal grace period described in this post.
Any tenants still using the disabled endpoints must complete their migration in order to restore functionality. Please refer to the Legacy Lock API Deprecation Guide as well as the Deprecation Error Reference for further guidance.
On Monday, July 16, 2018, Auth0 will begin disabling the deprecated Legacy Lock API via a staged rollout to all cloud tenants. This breaking change mitigates the vulnerability disclosed in April 2018 by preventing the /usernamepassword/login and /ssodata endpoints from being used or exploited in embedded mode. The Legacy Lock API will be disabled in all cloud tenants on or before Sunday, July 22, 2018.
Any applications that have not been fully migrated may experience outages and failed logins as a result of this change. Those that have been fully migrated to Universal Login or to the most recent versions of Lock (11+) and/or Auth0.js (9+) should continue to function normally. However, any direct calls to the disabled endpoints will fail when service is removed.
Experiencing an outage? Need more time to migrate?
We are providing all tenants with a soft removal grace period to finish migrating any affected applications. During this time, you will be able to temporarily re-enable the Legacy Lock API flag in the tenant dashboard in order to restore normal functionality. Once enabled, this flag will remain active until it is manually disabled or the grace period ends.
We recommend that you test your migration by disabling the flag to ensure there are no other failures. When your migration is complete, simply leave the flag disabled to mitigate the vulnerability.
The Legacy Lock API will be permanently disabled and removed from service on Monday, August 6, 2018.
You cannot re-enable the endpoints via dashboard or API after this date. Similarly, Auth0 cannot re-enable these endpoints on your behalf.
New to Legacy Lock API? Refer to our detailed migration guide for more information.
Q: Help! I need more time to finish my migration. How do I re-enable the endpoints?
A: Visit your tenant Dashboard to make the necessary changes:
- Log in to the Dashboard at https://manage.auth0.com.
- Navigate to your tenant Advanced Settings: click your "Account Photo" in the top right of the Dashboard, then select the tab furthest to the right, "Advanced".
- Enable the Legacy Lock API toggle: within the "Advanced" tab, scroll down to the section labeled "Migrations" and enable the toggle labeled "Legacy Lock API".
Remember, this flag will be permanently removed from service when the grace period ends on August 6th, 2018. If your migration is not complete by then, you will again have an outage.
Q: How will I know if I’m finished with my migration?
A: Disable the Legacy Lock API flag in your Dashboard (under Advanced Settings) to remove service to the endpoints.
If you do not experience any issues while testing, then your migration is complete; leave the flag disabled.
If you do have issues, turn the flag back on to resume functionality. Then check your deprecation logs to identify what changes need to be made; consult the Deprecation Error Reference and Migration Guide for details.
Q: My application is broken, but I thought I was done with my migration! Help!
A: When it comes to migrations, we recommend following each of these steps:
- Check for deprecation errors. Search your tenant logs for: type:"depnote".
- Identify the causes of these errors. Refer to the Deprecation Error Reference doc for details.
- Complete your migration by following the Legacy Lock API Deprecation Guide.
- Verify your migration by re-checking your tenant logs for errors.
- Disable the Legacy Lock API flag (under Advanced Settings) in all tenants. This step is critical for testing: while the flag is enabled, a not-yet-migrated application keeps working and you will not see the failure.
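The first and fourth steps above both come down to pulling type:"depnote" events out of the tenant logs and working out which applications produced them. The script below is an added example, not Auth0's own tooling: it builds the Management API logs query for that search (the tenant domain, the paging parameters and the use of the Management API's /api/v2/logs endpoint with a Lucene q parameter are the assumptions here; obtaining a token with read:logs is left to the caller) and then summarizes a constructed set of log entries offline, grouping notices per application so you get a migration checklist rather than a raw list of events. The entry field names (type, date, description, client_id, client_name) are assumed to match the Management API log format, and the sample descriptions are made up for illustration.

```python
"""Triage Legacy Lock API deprecation notices from Auth0 tenant logs.

Added example, not Auth0's own tooling. It assumes the Management API
log entry shape (type, date, description, client_id, client_name) and
uses constructed sample entries so it runs offline.
"""
from collections import defaultdict
from urllib.parse import urlencode

# Lucene query the post tells you to search for in the tenant logs.
DEPNOTE_QUERY = 'type:"depnote"'


def depnote_logs_url(domain: str, page: int = 0, per_page: int = 100) -> str:
    """Build the Management API logs URL for one page of depnote events.

    Assumption: the domain and paging values are illustrative; sending the
    request with a bearer token that has read:logs is left to the caller.
    """
    params = urlencode({"q": DEPNOTE_QUERY, "page": page, "per_page": per_page})
    return f"https://{domain}/api/v2/logs?{params}"


def summarize_depnotes(entries):
    """Group deprecation notices by application and message.

    Returns {(client_name, description): {"count": n, "last_seen": iso_date}}
    so you can see which apps still hit the legacy endpoints and how recently.
    Non-depnote events are skipped, so this is safe to run over an
    unfiltered log export as well as over the filtered query results.
    """
    summary = defaultdict(lambda: {"count": 0, "last_seen": ""})
    for e in entries:
        if e.get("type") != "depnote":
            continue
        key = (e.get("client_name") or e.get("client_id") or "<unknown client>",
               e.get("description", ""))
        bucket = summary[key]
        bucket["count"] += 1
        # ISO-8601 timestamps sort lexically, so max() keeps the latest.
        bucket["last_seen"] = max(bucket["last_seen"], e.get("date", ""))
    return dict(summary)


def migration_todo(entries):
    """Distinct application names still producing depnote events, sorted."""
    return sorted({name for (name, _desc) in summarize_depnotes(entries)})


# Constructed sample entries (not real tenant data). Field names are assumed
# to match the Management API log format; descriptions are illustrative.
SAMPLE_LOGS = [
    {"type": "depnote", "date": "2018-07-10T09:00:00.000Z",
     "client_id": "abc123", "client_name": "Legacy Web App",
     "description": "Legacy Lock API: /usernamepassword/login called"},
    {"type": "depnote", "date": "2018-07-12T11:30:00.000Z",
     "client_id": "abc123", "client_name": "Legacy Web App",
     "description": "Legacy Lock API: /usernamepassword/login called"},
    {"type": "s", "date": "2018-07-12T11:31:00.000Z",
     "client_id": "abc123", "client_name": "Legacy Web App",
     "description": "Success Login"},
    {"type": "depnote", "date": "2018-07-11T08:00:00.000Z",
     "client_id": "def456", "client_name": "Mobile SPA",
     "description": "Legacy Lock API: /ssodata called"},
]


if __name__ == "__main__":
    print("Query:", depnote_logs_url("example.auth0.com"))
    for (client, desc), info in sorted(summarize_depnotes(SAMPLE_LOGS).items()):
        print(f"{client}: {info['count']}x '{desc}' (last {info['last_seen']})")
    print("Still to migrate:", migration_todo(SAMPLE_LOGS))
```

Run it against each page of results from the logs query (the q parameter already restricts the response to depnote events) and treat an empty summary, with the Legacy Lock API flag disabled, as the signal that the migration is finished; any application that still appears in the checklist is one that will fail on August 6.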
Q: I’m having issues with /ssodata. How do I migrate this endpoint?
A: See our session management guide for more detail on handling /ssodata.
Q: I’m confused about the dates here. What are the major deadlines to know?
A: We understand there have been several dates communicated recently, and we apologize for any confusion this may have caused.
- Mon, July 16: Auth0 begins disabling Legacy Lock API via staged rollout; this can be temporarily re-enabled
- Sun, July 22: Auth0 finishes disabling Legacy Lock API for all cloud tenants
- Until Aug 6: Soft removal grace period - if you re-enable the endpoints, they will remain available while you finish your migration
- Mon, Aug 6: Auth0 permanently disables Legacy Lock API in all cloud tenants; cannot be re-enabled
*All dates are at 1pm UTC unless otherwise stated. Any changes to dates will be posted to this page.
Any applications still using the /usernamepassword/login or /ssodata endpoints on Aug 6, 2018, will experience failures on and after that date until they are fully migrated.
Q: I can’t get this done in two weeks. Can I get an extension?
A: Unfortunately no, extensions are not available for free or self-service tenants.
Q: What is happening? I don’t remember hearing about this.
A: Auth0 has made a significant effort to contact, notify, and inform all customers regarding this planned deprecation. Over the past six months, we have written blog and Community posts, displayed Dashboard warnings, updated tenant logs, and sent numerous notifications and emails, including:
In December 2017, we first announced the deprecation of /usernamepassword/login and /ssodata in an “Auth0 Roadmap and Deprecations” email sent to all customers.
In February 2018, we notified all customers that only these endpoints (known together as the Legacy Lock API) would be removed from service as originally stated. We also informed customers that the other deprecations described were and are postponed indefinitely (see next question).
In March, we informed affected customers that we had developed and implemented a partial mitigation, therefore allowing us to extend the migration deadline by 3 months. At this time, we officially changed the removal of service date to July 16, 2018.
In early April, we announced that we had deprecated the endpoints in order to address a serious vulnerability. This public disclosure was widely available via social media as well as third party sources.