In an OpenID Connect login flow with the Auth0 OP configured in “OIDC Conformant” mode the ID Token contains the updated_at claim which carries an invalid value type, breaking the login flow against a number of RP implementations (the ID Token carries this claim if the RP requested the scope “profile”, which many RPs do).
That is, the OIDC ID Token emitted by Auth0 does not comply with the OIDC specification and breaks RP implementations, leading to an unsuccessful login flow. This has previously been reported in this forum (updated_at claim has wrong type), but there was no reply.
Reports of the same problem on GitHub:
Roland Hedberg, myself, Michael Schlenker, and others are in agreement that the OIDC spec is unambiguous in this regard, and that the Auth0 implementation violates it. This results in compatibility problems of a pretty severe nature: we claim that our product (which uses an OIDC-compliant RP implementation) is fully OIDC compliant, but users of our product complain that it does not work with Auth0.
Especially when turning on the “OIDC Conformant” mode in the Auth0 OP settings the updated_at field must have a value of type JSON number (which is a well-defined type: http://json.org/).
“OIDC Conformant” is currently documented by Auth0 with:
Applications flagged as OIDC Conformant will strictly follow the OIDC specification.
Also on this documentation page you explicitly document that the updated_at claim in the ID Token, if present, has a value of type “number”.
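To make the claim-type issue concrete for anyone debugging an RP against this behaviour, here is an added example (my own illustration, not code from the original post, from Auth0, or from any RP library). It decodes the payload of a compact JWS ID Token and checks the JSON value types of the standard claims against OpenID Connect Core 1.0 (sections 2 and 5.1), so a token whose updated_at is a string is reported instead of blowing up somewhere inside the login flow. The two sample tokens are constructed for this example with a placeholder signature segment; a real RP must verify the JWS signature before it looks at any claim.

```python
import base64
import json
from typing import Any, Dict, List, Tuple

# Expected JSON value types for the ID Token claims this example inspects.
# Sources: OpenID Connect Core 1.0, section 2 (iss, sub, aud, exp, iat,
# auth_time) and section 5.1 (profile/email claims). "number" = int or float.
NUMBER = (int, float)
ID_TOKEN_CLAIM_TYPES: Dict[str, Tuple[str, Any]] = {
    "iss": ("string", str),
    "sub": ("string", str),
    "aud": ("string or array", (str, list)),
    "exp": ("number", NUMBER),
    "iat": ("number", NUMBER),
    "auth_time": ("number", NUMBER),
    "name": ("string", str),
    "nickname": ("string", str),
    "picture": ("string", str),
    "email": ("string", str),
    "email_verified": ("boolean", bool),
    "updated_at": ("number", NUMBER),  # the claim discussed in the post
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, re-adding the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified here;
    an RP verifies the JWS first and only then inspects claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def _has_type(value: Any, expected: Any) -> bool:
    # bool is a subclass of int in Python, so JSON true/false would otherwise
    # pass as a JSON number; treat bool explicitly.
    allowed = expected if isinstance(expected, tuple) else (expected,)
    if isinstance(value, bool):
        return bool in allowed
    return isinstance(value, allowed)


def check_claim_types(claims: dict) -> List[str]:
    """Return human-readable type violations; an empty list means the
    present claims all have the JSON type the spec requires."""
    violations = []
    for name, (label, expected) in ID_TOKEN_CLAIM_TYPES.items():
        if name not in claims:
            continue  # absent optional claim is fine
        if not _has_type(claims[name], expected):
            violations.append(
                f"{name}: expected {label}, got {type(claims[name]).__name__}"
            )
    return violations


def make_sample_token(payload: dict) -> str:
    """Constructed sample token for demonstration only: the third segment is
    a placeholder, not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


# Constructed claim sets (hypothetical issuer, subject and client id).
BASE_CLAIMS = {
    "iss": "https://tenant.example.com/",
    "sub": "constructed-user-id",
    "aud": "constructed-client-id",
    "iat": 1588281896,
    "exp": 1588318796,
    "name": "Jane Doe",
}
CONFORMANT_CLAIMS = {**BASE_CLAIMS, "updated_at": 1588281896}
# Same instant, but as an ISO 8601 string instead of a JSON number.
NONCONFORMANT_CLAIMS = {**BASE_CLAIMS, "updated_at": "2020-04-30T21:24:56.000Z"}

if __name__ == "__main__":
    for label, claims in (("conformant", CONFORMANT_CLAIMS),
                          ("non-conformant", NONCONFORMANT_CLAIMS)):
        problems = check_claim_types(decode_payload(make_sample_token(claims)))
        print(f"{label}: {problems or 'all claim types OK'}")
```

Running it prints an empty violation list for the first token and a single `updated_at: expected number, got str` entry for the second, which is exactly the failure an RP library reports (or silently chokes on) when it expects a number and receives a timestamp string.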