Can't login after upgrading Auth0 Authorization Extension from 2.4 to 2.6

As per the email “Update Your Auth0 Extensions for SameSite” that went out over the weekend, users cannot log in anymore after I updated the Auth0 Authorization Extension from 2.4 to 2.6.

Logs show plenty of “Failed Login” events with “Authorization Extension: Invalid API Key” which is pretty self-descriptive, but I’m not sure what else I’m supposed to update.

What have I missed? Any pointer appreciated.

Many thanks

I’ve just created a fresh tenant and am getting the same error. Something does seem to be wrong with the Authorization Extension.

I’d really appreciate a comment from an Auth0 representative. My site is down after following your upgrade instructions.

Hi @jeffeld,

What is the name of your tenant and the name of the new tenant where you tried 2.6? Feel free to private message me if that suits you better.

Also, can you try rotating the api key and republishing the rule on the authz-extension’s configuration page?

Hi there,
I want to update from 2.4 to 2.6 as well. What are the necessary steps after updating the extension?

Rotating the api key and republishing the rule on the authz-extension’s configuration page or what is doing the trick?

Hi @umut.benzer ,

I am also having the same issue after updating to 2.6 on one of our testing environments. Another one of our testing environments we have not yet updated, and we are not experiencing any problems there.

We have noticed that the users on the environment that is still working have groups, roles and permissions assigned to them.

But users on the environment that is not working only have groups, but not roles or permissions.

Please let me know if this is a bug on your side, or if there is anything we need to do to update.

Thanks

Recreating the Auth0 Authorization extension rule fixed this for us.

Also, it looks like from the changelog (auth0-authorization-extension/CHANGELOG.md at master · auth0/auth0-authorization-extension · GitHub) that the SameSite changes are implemented in version 2.7, but I was only able to update to version 2.6.

Hi @sam.cumming,

We delayed releasing 2.7 to new enrollments temporarily as we got some reports from customers that we wanted to investigate first. We’ll continue releasing a version with SameSite changes included in the upcoming days.

Once we complete the release, changelog and the versions available will match each other. :slight_smile:

Hi @mwess,

We updated our documentation to have instructions to upgrade from a version <2.6 to a version >2.6. You can reach it here.

I suggest testing this, and any similar change in general, on a test tenant before applying it in production.

Have a nice day all! :sun_with_face:

Hi @umut.benzer,

We’re having this issue as well. We upgraded from 1.x (not sure exactly which version) to 2.8 and then our users started getting a blank page when they log in to our application. I rotated the API key as described, but still all of the user logins fail like this:

Any help would be appreciated. Thanks!

:thinking:

Can you describe how you use the authorization extension in your rules?

Also, capturing real-time logs from Webtask while running rules could help to gather a lead that could pinpoint the issue.

Also, if possible can you share your tenant name and region? Feel free to send as private message, if you prefer doing so. :slight_smile:

Updated from 2.4 to 2.8 (2.6 was not available anymore). Did the steps in the documentation and we cannot log in anymore. Please advise what changed and what we can do.

Hi @mwess, :wave:

What is the name of your tenant and region? Feel free to private message me if that suits you better.

In addition to this, can you check the rules you have? The name of the rule published by the extension is auth0-authorization-extension. If you see any other rules, such as auth0-authz or others that you don’t recognize, can you try disabling it?

Please note that changing the order of the rules and/or disabling them might change the authorization responses, depending on the context of the rule, so please be careful not to give access to people that shouldn’t have it in the process.

If this doesn’t solve your problem, I would appreciate it if you sent me the real-time logs captured by Real-time Webtask Logs. (screenshotted in the previous message)

@umut.benzer Thanks for your message :wave:

We had an old URL in our rules. After the change it worked.
Cheers!

Glad you have it working and thanks for sharing it with the rest of the community @mwess!
