
Legacy Lock API


#1

Can someone please advise me how long it is expected to take for a WD to address the following? “Auth0 will end service to the deprecated Legacy Lock API due to a publicly disclosed security vulnerability. This breaking change will affect any applications still using the /usernamepassword/login or /ssodata endpoints in embedded mode. You must finish migrating your applications to avoid an outage.”


#2

:wave: @contact8 I am not sure I understand your question. Can you elaborate?

Do you have an application that you are concerned will be affected by the deprecation? If your tenant was created before Dec 27, 2017, the easiest way to verify that you don’t have any action to take would be to disable the Legacy Lock API toggle in your tenant’s Advanced settings. This will simulate the behavior after deprecation. Afterwards, try logging into your apps and doing any operations related to authentication to make sure that everything works as expected. If everything seems to work fine after turning this off, you should be all set!

Please let me know if this does not answer your question.


#3

Thanks Kim.noel. I’m totally lost. Unfortunately, I am unable to do any of this. Apart from not understanding it, I am unable to access the area. I have a WD who did it for me and he charged me 12 hours. I felt like that is a crazy long time to do what appears to be a simple task but I have no idea really. That’s why I was asking :slight_smile:


#4

I received an email with the text I quoted in my first question. It said I have until July 16th to fix it.


#5

Oh! Totally had me lost at ‘WD’. I apologize for the confusion. It really depends on the type of application you have. Also, do you have more than one application? It’s possible you may not be affected by the deprecation. When did you receive this email? If it was recently, it most probably indicates that you are in fact using deprecated endpoints somewhere. Do you know if you are using Universal Login or embedded login? Is there a way for you to find out? For embedded, again it’ll depend on your application.

quoted from this post Important - Auth0 Public Disclosure

This article might be helpful:

Please feel free to DM me as well.


#6

Thank you. I’ll let it go because I simply do not understand any of this :confused:


#7

@contact8 can you inbox me your tenant/account name?