We note that the OIDC adoption guide says: "As part of our efforts to improve security and standards-based interoperability, we are rolling out new features exclusively on authentication flows that strictly conform to specifications." I am wondering if anyone can provide the rationale behind Auth0's move to OIDC Compliance, specifically the security issues with the 'legacy' mode?
The legacy authentication endpoints, although they share and use some concepts also present in specifications like OpenID Connect and OAuth2, do not strictly follow the specifications to the letter. In most cases this was unavoidable, as the specifications themselves were not yet complete.
As you note, the adoption guide calls attention to two opportunities that the move to compliance enables: improved security and standards-based interoperability. For the latter there's no big discussion: if you stick to the specification you'll increase interoperability. However, sticking to the specifications will also improve security in general, because you're moving from a somewhat proprietary implementation that was only reviewed internally to an industry-wide implementation that went through a rigorous review process and that is also battle-tested due to its common usage.