I know that /oauth/ro has been deprecated for a while, but we haven't yet updated to use /oauth/token. It appears that without any communication (as far as I can tell?) legacy access was recently completely disabled for any newly created clients. While this may seem like a reasonable thing to do, as it doesn't actively break anyone's existing application, it definitely can break people's ability to promote across environments.
It's broken our ability to migrate to a new environment (we're following the account-per-environment method as suggested in the Auth0 docs).
Was there any reason this was done with no notification to users? It seems like providing a few months of notice about the date after which you can no longer create clients that can use legacy auth mechanisms would be reasonable to expect. Is it possible for this functionality to be re-enabled and sunset in the future with proper notice?
If this is my fault and I missed the announced date, could you please point me to where these things are announced, as it's at least not obvious (e.g. nothing in support.auth0.com/notifications), so that I can follow along for future changes.
Also curious if something changed regarding the ID token? Despite my client using HS256, the ID token I'm getting back from the /oauth/token resource owner flow is signed with RS256. This is not the case with /oauth/ro, which (for clients it still works with) is returning HS256. Is this intentional, or is something misconfigured?
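An added example, not from the original post or from Auth0's own code, for the HS256/RS256 mismatch described above: the client pins the algorithm it was configured for and rejects any ID token whose header `alg` differs, instead of verifying against whatever algorithm the token claims. The client secret, issuer and token values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def _b64url_decode(segment):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def token_alg(token):
    """Return the 'alg' the JWT header claims, without trusting it."""
    header_b64 = token.split(".")[0]
    return json.loads(_b64url_decode(header_b64)).get("alg", "")

def verify_hs256_id_token(token, client_secret, expected_alg="HS256"):
    """Verify an HS256 ID token only if its header alg matches the client's configured
    algorithm; an RS256 token handed to an HS256 client fails closed instead of being
    checked against the wrong key material."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    alg = token_alg(token)
    if alg != expected_alg:
        raise ValueError(f"unexpected alg {alg!r}; client is configured for {expected_alg}")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected_sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("bad HS256 signature")
    return json.loads(_b64url_decode(parts[1]))

def make_token(header, payload, secret=None):
    """Build a constructed test token: HS256-signed when a secret is given, else with a dummy signature."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64url_encode(b"not-a-real-rsa-signature" if secret is None
                         else hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest())
    return f"{h}.{p}.{sig}"

# Constructed sample values; not real Auth0 tenant data.
CLIENT_SECRET = "constructed-client-secret"
HS_TOKEN = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "user|1", "iss": "https://example-tenant.invalid/"}, CLIENT_SECRET)
RS_TOKEN = make_token({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}, {"sub": "user|1"})

def check(token):
    """Summarise the verification outcome the way a client log line would record it."""
    try:
        return f"ok: sub={verify_hs256_id_token(token, CLIENT_SECRET)['sub']}"
    except ValueError as exc:
        return f"rejected: {exc}"
```

Running `check(HS_TOKEN)` accepts the token, while `check(RS_TOKEN)` is rejected at the algorithm check before any signature work is done.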