Auth0 Home Blog Docs

Logins redirect to an auth0 domain, breaking password managers


#1

When I log in to a site that uses auth0, my password manager (LastPass) really wants to save that login connected to the .auth0.com/login domain. When I log in to a different site that uses auth0, all auth0 login credentials are offered as possible options.

To recreate:

  1. Visit dashboard.pantheon.io.
  2. Click the “Login with Email” button. (Note the URL is now auth0)
  3. Visit https://app.bearer.sh.
  4. Click the “Log In or Sign Up” button. (Note the URL is now auth0.)
  5. I’m asked by LastPass if I want to use my Pantheon dashboard password. :confused:

I feel like I must be doing something backward for this not to be a bigger problem for more people. But as auth0 becomes more popular, this becomes harder to manage.

Any ideas?


#2

I suppose there’s a missing step between 2 and 3 where LastPass asks if it should save my Pantheon dashboard credentials, and I say yes.

I could manually edit the saved LastPass record to point to dashboard.pantheon.io, but that’s even more frustrating because that record will never show up when the login screen is visible (because that’s the auth0 domain).


#4

Not a solution but I make sure to rename my last pass entries from ‘auth0.com’ to the full domain e.g. ‘pantheon.auth0.com’ so I can differentiate them.

One solution which is out of our hands is for Auth0 based services to start leveraging the custom domain name feature.


#5

Hi guys. A +1 to @markd 's response. Auth0 by default provides subdomains of the auth0.com domain for tenants, so it’s up to the password manager (or to the user) to differentiate between tenantA.auth0.com and tenantB.auth0.com.
Using custom domain avoids this problem altogether, at least in terms of possible collisions with other auth0.com subdomains.

I could manually edit the saved LastPass record to point to dashboard.pantheon.io, but that’s even more frustrating because that record will never show up when the login screen is visible (because that’s the auth0 domain).

When you use an external identity provider, the user is really authenticating with the identity provider and not with the application itself (a confusing concept for some users, no doubt about it, but it is what helps providing SSO to multiple applications protected by the same identity provider). In this case, you should set the URL to https://tenant.auth0.com or, ideally, to a custom domain you associated to your tenant (e.g. https://id.acme.com).


#6

Thank you and @markd for responding and sharing these ideas. When reading your suggestions I realized the problem really doesn’t have anything to do with Auth0 or their customers. The problem was that LastPass ignores subdomains by default and shows all logins for a given domain.

How can I set LastPass to treat each host or path in a domain as a separate site login?

I followed the directions and told it that Auth0 should use strict host matching. Now when each site’s login is distinct. :triumph:

Thanks again for your help!