Hello, folks.
We do not want to expose the Auth0 domains to our customers. Training business users to supply their credentials for our platform to any domain but ours invites phishing attacks later on, so we do not want to do that.
On the other hand, it would be nice to be able to use the hosted pages (e.g. the reset-password page).
Would it make sense to set up a proxy server that provides access to the hosted pages? What sorts of issues do you see?
Would the centralization of client requests through the proxy break Auth0 anomaly detection? Or can Auth0 hosted pages be set up to accept original sender info in headers supplied by a proxy server?
Are there other issues? (Am I missing something obvious?)
The situation you describe is indeed a common one and I can confirm that we are working on the final stages to allow the use of the hosted pages in a way that does not expose your Auth0 tenant/domain directly to end-users. More information about this should be available in the next months.