
Upgrade reminder / changes to deprecation roadmap


#1

UPDATE:
In our previous notification, we informed you that certain endpoints (/usernamepassword/login and /ssodata) would be removed from service on April 1, 2018. This update is to notify you that the Removal of Service date for those endpoints has been extended to July 16, 2018.

We still encourage you to migrate your applications to the latest version of Lock 11 and Auth0.js 9 as soon as possible in order to ensure that your applications continue to function properly. Please refer to our migration guides for instructions on upgrading your Auth0 implementation if necessary.

This is a follow-up to our “Auth0 Roadmap and Deprecations” notification from late December 2017, to remind you of the potential need to upgrade your applications and also to inform you of changes in some of our announced endpoint deprecations.

As we previously notified customers, we are deprecating certain APIs (/usernamepassword/login, /ssodata) used by Lock.js 7, 8, 9 and 10 and auth0.js 6, 7, 8.

If you’re currently using our Hosted Login Page, no action is needed from you. Otherwise, if you embed Lock or auth0.js in your applications, you should update them before April 1, 2018.

How to Upgrade to Lock 11 & Auth0.js 9

Listed below are links to a webinar, documents and videos with further details and guidance on the upgrade process to Lock 11 and Auth0.js 9.

Change in Plans for Other Deprecations

In our roadmap notification in late December, we also announced the planned deprecation of the following endpoints:

  • /tokeninfo
  • /delegation
  • /oauth/ro
  • /oauth/access_token
  • Usage of id_token on Management API

These endpoints are proprietary, non-standards based solutions to authentication and identity management. It has been our intention to encourage the adoption of standards-based solutions and reduce or eliminate the need for proprietary protocols, and this led to our plans for these announced deprecations.

However, based on customer feedback, we have adjusted our plans and will continue to maintain and support the above existing proprietary endpoints. We will also publish new guidance on the most effective ways to transition your applications to standards-based protocols. In the event that we need to make security enhancements to any of these legacy endpoints, we will announce timeframes and guidelines for any required changes at that time.

If you have any questions about the above, please post your question in the “Migrations / Deprecations” section of the Auth0 Community site. Thank you for your continuing partnership with Auth0.

Chris Spiek
Head of Product


#2

Will auth0.js 8 continue to work for customised hosted login pages, as per the current recommendation? I’m using webAuth.redirect.loginWithCredentials.


#3

If you only use Auth0.js v8 or Lock 10 in your Hosted Login Page, you don’t need to upgrade.




#5

I’m just a bit worried as the current Auth0.js v8 code I have is definitely calling /usernamepassword/login. But if you say so… :)


#6

Ah, I think I get it. Those APIs will remain available to hosted login pages, but not externally?


#7

Yes, those APIs will remain available within the hosted login page. However, if you’re using webAuth.redirect.loginWithCredentials from Auth0.js v8 from your app, the /usernamepassword/login will not be available. Our recommendation in that case is to migrate to the latest v9.

You can always test it by disabling the legacy APIs, as shown here: https://auth0.com/docs/libraries/lock/v11/migration-guide#disabling-legacy-lock-api


#8

Thanks for the confirmation :)


#9

The “UPGRADE REMINDER AND CHANGES TO DEPRECATION ROADMAP” notification from Auth0 has conflicting info with https://auth0.com/docs/migrations#introducing-lock-v11-and-auth0-js-v9, which still indicates that the ‘tokeninfo’ endpoint will be deprecated.

Is the notification inaccurate or the migration page outdated? The page should be updated to avoid confusion if it’s outdated.


#10

The notification is accurate. Looks like the migration page needs to be updated, I’ll touch base with our content team, thanks for pointing this out!


#14

We’re utilizing the Auth0 WordPress plugin. Does the latest version (3.5.2) have the latest updates for this?


#15

Yes, everything should have been addressed as of version 3.5.0.


#16

We have upgraded to Lock11 per the migration documentation and now the “Last time you logged in” functionality no longer works. The document states:

"Lock 11 will never show the Last time you logged in with window when using the Authorization Code Flow (that is, when specifying response_type=‘code’). It will always prompt for credentials.

The Last time you logged in with window will also never do a redirect, even when the redirect option is set to true. Lock11 still emits the authenticated event and you should subscribe to that event to get the authentication result.

If you want to avoid showing the Lock dialog when there’s an existing session in the server, you can use Auth0.js’s checkSession() function."

We are not using Auth0.js. Can you give an example of how to use the authenticated event that is referenced above to achieve this same functionality?


#17

When will Auth0.js version 7 stop working? April 1st or a later date? Is it just being deprecated on April 1st and then support will be removed entirely at a later date?


#18

UPDATE:
In our previous notification, we informed you that certain endpoints (/usernamepassword/login and /ssodata) would be removed from service on April 1, 2018. This update is to notify you that the Removal of Service date for those endpoints has been extended to July 16, 2018.

We still encourage you to migrate your applications to the latest version of Lock 11 and Auth0.js 9 as soon as possible in order to ensure that your applications continue to function properly. Please refer to our migration guides for instructions on upgrading your Auth0 implementation if necessary.


#19

Hi!

Is there a way that I can check if I still have any part of my code calling the old deprecated endpoints?

I think I’ve upgraded everything correctly, but I wanted to be sure of it.

Thanks!
Rick


#20

If you go to the logs section of your dashboard and then search by type:depnote, this should only return entries associated with warnings coming from the system detecting usage of deprecated functionality. This should then allow you to have a better idea of what the system is (or is not) detecting in terms of deprecated functionality usage. Keep in mind that logs are only available for a certain period of time, so this works for checking activity up to the date for which there are logs.
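
One way to turn the type:depnote search described above into a per-application check once the log entries have been exported, as an added example that is not part of the original thread and not Auth0's own code. The field names (type, date, client_id, client_name, description), the upgrade date and every sample entry are assumptions constructed for illustration.

```javascript
// Constructed sample entries (not real tenant data); field names are assumed.
const sampleLogs = [
  { type: "s", date: "2018-03-01T09:00:00.000Z", client_id: "appA", client_name: "Web Portal" },
  { type: "depnote", date: "2018-03-02T10:15:00.000Z", client_id: "appA",
    client_name: "Web Portal", description: "constructed: legacy login endpoint used" },
  { type: "depnote", date: "2018-03-05T08:30:00.000Z", client_id: "appB",
    client_name: "Mobile API", description: "constructed: legacy SSO data endpoint used" },
  { type: "depnote", date: "2018-03-20T14:00:00.000Z", client_id: "appA",
    client_name: "Web Portal", description: "constructed: legacy login endpoint used" },
  { type: "s", date: "2018-03-25T11:45:00.000Z", client_id: "appA", client_name: "Web Portal" },
];

// Group deprecation notices per client and split them around the upgrade date.
function summarizeDeprecations(logs, upgradedAt) {
  const cutoff = Date.parse(upgradedAt);
  const times = logs.map((e) => Date.parse(e.date)).filter(Number.isFinite);
  // The period the export covers: nothing outside it can be confirmed.
  const span = times.length
    ? { from: new Date(Math.min(...times)).toISOString(),
        to: new Date(Math.max(...times)).toISOString() }
    : null;
  const byClient = new Map();
  for (const e of logs) {
    const t = Date.parse(e.date);
    if (e.type !== "depnote" || !Number.isFinite(t)) continue;
    const id = e.client_id || "(no client_id)";
    const row = byClient.get(id) ||
      { client_id: id, client_name: e.client_name || "", count: 0,
        afterUpgrade: 0, lastSeen: 0, descriptions: new Set() };
    row.count += 1;
    if (t >= cutoff) row.afterUpgrade += 1;
    row.lastSeen = Math.max(row.lastSeen, t);
    row.descriptions.add(e.description || "");
    byClient.set(id, row);
  }
  const clients = [...byClient.values()]
    .map((r) => ({ ...r, lastSeen: new Date(r.lastSeen).toISOString(),
                   descriptions: [...r.descriptions], stillCalling: r.afterUpgrade > 0 }))
    .sort((a, b) => b.afterUpgrade - a.afterUpgrade || b.count - a.count);
  // Without entries dated after the upgrade, a clean result proves nothing.
  const hasPostUpgradeData = span !== null && Date.parse(span.to) >= cutoff;
  return { span, hasPostUpgradeData, clients };
}

const report = summarizeDeprecations(sampleLogs, "2018-03-10T00:00:00.000Z");
console.log(JSON.stringify(report, null, 2));
```

A client with `stillCalling: true` produced a deprecation notice after the stated upgrade date; a clean result only counts when `hasPostUpgradeData` is true and the reported span is long enough to include normal login traffic.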