My org received an email from Auth0 saying the following:
’
Auth0 is improving client management for connections in the Management API. The new functionality replaces the now-deprecated enabled_clients field when getting and patching connection information.
The enabled_clients field is deprecated and will soon no longer be supported in (GET - /api/v2/connections) and (GET/PATCH - /api/v2/connections/{id}) Management API endpoints.
How are you affected?
Between April 13 and May 13, at least one of your tenants received requests to the Management API connection endpoints that are subject to change.
The list of tenants is below:
axa-uk-cv-dev@uk
We matched potentially affected tenants based on tenant activity. If you think the list is inaccurate, contact us.
What action do you need to take?
Migrate your tenants by following the steps in Migrate Enabled Client Management to Dedicated Connection Endpoints.
Once you complete a review of applicable systems and have confidence that any outstanding `depnote` tenants’ logs are false positives, it is important that you opt out early; this allows you to verify system compatibility while also allowing you to revert to the deprecated behavior if necessary.
’
I followed the documentation mentioned in the e-mail and here are my findings: I checked ‘Legacy Management of Connection’s Enabled Clients toggle’ for both Dev and Prod tenants and it was toggled ON for both, even if only the dev tenant was mentioned in the Auth0 email. I then checked the logs and ‘N/A’ appears for the client id field for literally every log of this type under prod. As for dev (and I suspect this is why only the dev tenant was flagged in Auth0’s email to us, not prod), all of them had ‘N/A’ except for ONE application, my M2M application for my Terraform-Auth0 integration. This is an application we aren't even going to use btw, as it seems likely we will just use a non-Terraform approach for the ado-auth0 integration project. We have 3 installed extensions and all are up to date. Auth0 User Import Export is the only one on the list mentioned in the docs that Auth0 said could cause false positives. That is all the investigating I have done.
Bearing all of that in mind, is it accurate to say no action is required on our part?
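The log check described in the post can be scripted so that it is repeatable across tenants. The following is an added example, not part of the original post and not Auth0 tooling. It assumes tenant logs exported as a JSON array whose records carry `type`, `client_id`, `client_name` and `description` fields; the sample records, client IDs and description strings are constructed.

```python
import json
from collections import Counter

# Constructed sample export. Field names are an assumption about the export shape;
# every ID and description below is made up for illustration.
SAMPLE_LOGS = json.loads("""[
 {"type": "depnote", "client_id": "N/A",
  "description": "enabled_clients used on GET /api/v2/connections"},
 {"type": "depnote", "client_id": null,
  "description": "enabled_clients used on GET /api/v2/connections"},
 {"type": "depnote", "client_id": "constructedM2MClientId",
  "client_name": "terraform-m2m (constructed)",
  "description": "enabled_clients used on PATCH /api/v2/connections/{id}"},
 {"type": "depnote", "client_id": "constructedM2MClientId",
  "client_name": "terraform-m2m (constructed)",
  "description": "enabled_clients used on GET /api/v2/connections/{id}"},
 {"type": "depnote", "client_id": "otherConstructedId",
  "client_name": "legacy-app (constructed)",
  "description": "some other deprecated feature"},
 {"type": "seccft", "client_id": "constructedM2MClientId",
  "description": "Client Credentials exchange"}
]""")

# Values treated as "no client recorded" (the dashboard shows these as N/A).
UNATTRIBUTED = {None, "", "N/A"}

def triage_depnotes(events, keyword=None):
    """Split deprecation-notice events into per-client counts and an unattributed count.

    keyword optionally restricts the result to notices whose description mentions it,
    since a tenant can log notices for several unrelated deprecations.
    """
    attributed, unattributed = Counter(), 0
    for ev in events:
        if ev.get("type") != "depnote":
            continue  # not a deprecation notice
        if keyword and keyword not in (ev.get("description") or ""):
            continue  # a notice about a different deprecation
        cid = ev.get("client_id")
        if cid in UNATTRIBUTED:
            unattributed += 1
        else:
            attributed[(cid, ev.get("client_name", "?"))] += 1
    return attributed, unattributed

if __name__ == "__main__":
    by_client, unknown = triage_depnotes(SAMPLE_LOGS, keyword="enabled_clients")
    for (cid, name), count in by_client.most_common():
        print(f"{count:4d}  {cid}  {name}")
    print(f"{unknown:4d}  (no client recorded)")
```

Each client that appears in the attributed list is an application whose Management API calls need review before opting out of the legacy behavior; the unattributed count covers the entries with no client recorded.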