Overview
This article explains the behavior of the /authorize endpoint when the connection parameter is not explicitly provided. The default connection used is determined by the tenant’s API Authorization Settings, particularly the “Default Directory” value.
Applies To
- Auth0 Tenants
- Multiple Enabled Connections (e.g., Passwordless and Database)
- /authorize calls made without Connection Parameter
Cause
The tenant’s API Authorization Settings include a field labeled Default Directory under the General tab. This setting determines which connection is used as the default when the connection parameter is omitted in /authorize calls.
If the Default Directory is set to a specific connection, like email or SMS for Passwordless, that connection will be used by default.
If the Default Directory is undefined, the default behavior prioritizes the Database connection, for example, email or password.
Differences in behavior between environments, like development vs. production, may occur if the Default Directory configuration is not consistent across tenants.
Solution
To ensure consistent behavior when using /authorize without specifying the connection parameter:
- Navigate to the Tenant Settings in the Auth0 Dashboard.
- Under the General tab, locate Default Directory in the API Authorization Settings.
- Ensure this value matches across all environments (for example, production and development).
Set or Remove the Default Directory:
- To default to a Passwordless connection, set the Default Directory to the desired connection (for example, email or sms).
- To prioritize the Database connection, leave the Default Directory field undefined.
Recommendation:
Conduct a thorough review of all tenant settings to ensure parity between environments before enabling changes in production.