End-of-life Rollout for Allow Connections Management without Options Scopes

Overview

The end-of-life date for allowing connection management without options-specific scopes was April 24, 2025. After this date, the deprecated behavior will progressively cease to be available. The process to remove access to the deprecated behavior has the following stages:

  • May 5, 2025 - Roll out the removal of access for tenants associated with free subscriptions.
  • (pending date) - Roll out the removal of access for tenants tagged as development or staging tenants.
  • (pending date) - Roll out the removal of access for outstanding tenants, including production tenants.

The dates above mark the day the rollout for a particular stage starts; each rollout may take several days, so different tenants in the same segment may observe the change on different days. This article will receive updates as information related to the complete timeline for enforcing the new behavior becomes available.

Once the deprecated behavior is unavailable in a given tenant, using the Management API to retrieve (GET - /api/v2/connections or /v2/connections/{id}) or update (PATCH - /v2/connections/{id}) a connection’s options field may require having the respective read:connections_options and update:connections_options scopes granted to the client application, in addition to the previously required read:connections or update:connections scopes.

The lack of newer options-specific scopes in the access token used to perform requests to these endpoints may lead to the options field not being returned within the response messages’ content or to error responses.

For example, an attempt to update (PATCH) a connection that includes the options field in the request message content will receive an error response if the access token lacks the update:connections_options scope. More specifically, a 403 (Forbidden) status code, and the response content contains the following:

{
  "statusCode": 403,
  "error": "Forbidden",
  "message": "Updating the \"options\" property requires the \"update:connections_options\" scope.",
  "errorCode": "insufficient_scope"
}

Applies To

  • Management API
  • Connections
  • End of Life (EOL)

Cause

The changes to the behavior of the endpoints mentioned above are expected and associated with the deprecation of the previous service behavior originally announced on October 25, 2024. The information provided as part of the original announcement is available in the respective Dashboard and Support Center notification.

Solution

Any client application registered within a given tenant that requires the ability to call the impacted endpoints to read or update a connection’s options field must have the scopes read:connections_options and update:connections_options in addition to the previously required read:connections or update:connections scopes.

The Auth0 Dashboard allows adding the necessary scopes to the applicable client applications:

  1. Navigate to Applications > Applications and choose a machine-to-machine application.
  2. Access the APIs tab. Then, select the down-arrow icon next to Auth0 Management API to expand the section.
  3. In the Permissions section, search for connections_options. Enable one or both of the new permissions. Then, choose Update to save the changes.