Location of Tenant's Global Client ID and Secret

rueben.tiow · October 27, 2023, 10:45pm

Problem statement

When considering whether to use the “Global_Client_ID” in the development of a custom SSO solution for which SAML connections will be provisioned, the plan is to create a User Interface in a custom dashboard that would allow trusted ‘downstream’ customers to add their Identity Provider as SSO entities.

However, the Auth0 documentation provides very little information about the role of the Global Client.

Explain the role of the Global Client, the Global Client ID, and the Global Client Secret.
Describe what relevance they have to modern customer Identity Management and Access projects.

Cause

The concept of the Global Client is largely a legacy feature. For this reason, there is no detailed public documentation.

Solution

The origins of the Global Client

During the process of tenant creation, a Global Client is created and assigned a unique Global Client ID and a Global Client Secret. It is a special client that is not normally visible in the “Applications” section of the dashboard.

The Global Client is also known as the “All Applications” client, so it may reasonably expected to be found in the Applications section of the dashboard:

Login to the Auth0 dashboard as a tenant member ( Administrator ).
Navigate Applications > Applications.
Inspect the list of deployed Applications.

However, no “All Applications” client will be found in the list of deployed applications.

View configuration settings

An examination of the tenant settings will confirm that the Global Client does indeed exist:

Login to the Auth0 dashboard as a tenant member ( Administrator ).
Click Settings from the menu.
Click Advanced option from the horizontal menu.
Scroll down to see the section called “Global Client Information”.
The panel shows the unique Global Client ID (omitted from the graphic below) and its associated Global Client Secret.

image1508×346 73.5 KB

Further information about the Global Client can be obtained via the Management API. Make a call to the Get-a-Client endpoint ( GET /api/v2/clients/{client-id} ). Provide the Global Client ID as the argument to the call.

Avoid use in new projects

The Global Client ID and Global Client Secret are legacy features, originally intended for use with the old Auth0 API ( Version 1 ), which became end-of-life in July 2020. These parameters are likely to be removed in a future release of Auth0. The Global Client ID should not be used in any new projects.

Topic		Replies	Views
Possible to disable global API/Secret? Get Help api , security	4	4040	March 2, 2018
I have an unknown strange client ID making api request to my auth0 domain and audience Get Help user-profile , user-management	2	1232	April 10, 2023
Best deployment practice for securing ClientID and Secret Get Help auth0 , deployment , management-api	3	3894	April 13, 2019
Exposing client id and client secret to clients Get Help configuration , application	4	1563	November 30, 2022
Multi tenant solution Get Help multi-tenant	2	3379	February 15, 2019