Overview
The Auth0 service allowed passing an organization parameter in client credentials exchanges without triggering additional validation when processing the request. More specifically, the organization parameter would be treated as an unrecognized parameter, thus allowing any value to be present.
After June 12, 2025, the service will roll out a change to ensure that requests for client credentials exchanges that include a parameter named organization are handled following the rules of Machine-to-Machine (M2M) Access for Organizations across all tenants.
The above implies that the request may fail if it does not meet the requirements for the corresponding feature. For example, it will fail if the tenant subscription is not entitled to use the feature, or if the value contained within the organization parameter does not correspond to a valid organization identifier associated with the tenant.
Applies To
- End of Life (EOL)
- Organizations
- Machine-to-Machine (M2M) Access
Cause
To provide the new functionality associated with Machine-to-Machine access for Organizations in a way that is consistent with other organization-related functionality across the product, the organization parameter in client credentials had to be considered a built-in service parameter.
Tenants with client credentials requests dependent on the original behavior received notifications ahead of the change to migrate away from the deprecated behavior.
Solution
Client credentials requests that include an organization parameter and expect the service not to perform any validation of that parameter will need to update their implementation, for example by choosing one of the following:
- Use the organization parameter in alignment with the requirements for the Machine-to-Machine (M2M) Access for Organizations feature.
- Rename the parameter to ensure the service continues treating it as unrecognized while allowing its value to surface to custom extensibility.
- Stop including the parameter in the request.
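The following is an added example, not Auth0's own code, showing how to audit an existing form-encoded client credentials request body for the deprecated behavior and rewrite it along one of the three paths above. It assumes that valid organization identifiers take the form org_ followed by alphanumerics, and the renamed key x_org is our own choice.

```python
"""Audit and migrate client credentials request bodies that carry an
`organization` parameter (example code, not part of Auth0's SDKs).
Assumption: a valid organization identifier looks like `org_...`."""
import re
from urllib.parse import parse_qsl, urlencode

ORG_ID = re.compile(r"^org_[A-Za-z0-9]+$")  # assumed shape of a valid org id


def audit_request(form_body: str) -> str:
    """Classify a token request body ahead of the June 12, 2025 change.

    Returns 'not_client_credentials', 'no_org', 'valid_org_id' or
    'legacy_free_form' (a value the service will now reject)."""
    params = dict(parse_qsl(form_body, keep_blank_values=True))
    if params.get("grant_type") != "client_credentials":
        return "not_client_credentials"
    if "organization" not in params:
        return "no_org"
    if ORG_ID.match(params["organization"]):
        return "valid_org_id"
    return "legacy_free_form"


def migrate_request(form_body: str, strategy: str, renamed_key: str = "x_org") -> str:
    """Rewrite the body per the three options: 'use', 'rename' or 'drop'."""
    params = dict(parse_qsl(form_body, keep_blank_values=True))
    value = params.pop("organization", None)
    if value is None:
        return urlencode(params)  # nothing to migrate
    if strategy == "use":
        # Only a real organization identifier survives built-in validation.
        if not ORG_ID.match(value):
            raise ValueError(f"{value!r} is not an organization identifier")
        params["organization"] = value
    elif strategy == "rename":
        # A non-built-in key stays unrecognized and still reaches Actions.
        params[renamed_key] = value
    elif strategy != "drop":
        raise ValueError(f"unknown strategy {strategy!r}")
    return urlencode(params)


# Constructed sample of a legacy request that relied on free-form values.
LEGACY_BODY = urlencode({
    "grant_type": "client_credentials",
    "client_id": "CLIENT_ID_PLACEHOLDER",
    "client_secret": "CLIENT_SECRET_PLACEHOLDER",
    "audience": "https://api.example.com/",
    "organization": "acme-tenant-42",
})
```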