What happens to the already assigned (by Auth0) domain when a custom domain is added?

We are planning to have a custom domain with Cloudflare as a reverse proxy. I was curious to know what really happens behind the scenes.

When we create a custom domain,

  • What happens to the default domain assigned to the tenant, like travel.us.auth0.com? Does it still exist, and does Cloudflare use it?
  • Does the custom domain resolve to a Cloudflare IP or to Auth0 load balancers?
  • How does Auth0 make sure that all traffic is routed through Cloudflare, for example through certificates?

Are there any docs around the same?

You can still use the default domain. I do in my Postman recipes for the Management API because it makes it more obvious which Auth0 tenant I’m working with.


Is there a way that we can allow traffic only through Cloudflare?
I guess this custom domain resolves to Cloudflare, right?

Are there any docs around it?

Hey there @rajivk!

Have you had a chance to check out our docs on Cloudflare as a reverse proxy and Custom Domains in general?

The custom domain will resolve to Cloudflare, and hence so will traffic, despite the Auth0 domain remaining active/available.

If someone knows our tenant names, they could reach our tenants directly, bypassing our configurations at Cloudflare, right?

This is a valid (and known) shortcoming for which I encourage you to create a Feedback Request.

After doing some digging internally, the consensus is that there are two attack vectors against canonical domain name bypass:

  • Authentication API: You may want to reach out to support (support ticket) to inquire about allowlisting your RP (relying party) IPs.

  • Management API: The iss (issuer) claim originating from your custom domain will be different, and as long as token validation is done against the custom domain name iss, any bypass shouldn’t go unnoticed.
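The Management API point above, as an added example that is not part of this thread or of Auth0's own code: a strict issuer check that accepts only tokens whose iss is the custom domain and flags tokens issued via the canonical *.auth0.com domain as a Cloudflare bypass. The domain names are constructed placeholders, and the check assumes your JWT library has already verified the signature.

```python
import base64
import json

# Constructed placeholder values for this example; substitute your own tenant's.
CUSTOM_DOMAIN = "login.example.com"       # custom domain fronted by Cloudflare
CANONICAL_DOMAIN = "travel.us.auth0.com"  # default tenant domain named in the thread


def expected_issuer(domain):
    # Auth0 sets iss to "https://<domain>/" (note the trailing slash).
    return "https://" + domain + "/"


def decode_claims(token):
    """Parse the payload of a compact JWT. This does NOT verify the signature;
    run it only on tokens your JWT library has already verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer(claims, custom_domain=CUSTOM_DOMAIN):
    """Return (accepted, reason). Only tokens issued through the custom domain
    are accepted; an iss of the canonical *.auth0.com domain means the caller
    reached Auth0 directly, bypassing Cloudflare, so reject and flag it."""
    iss = claims.get("iss")
    if iss == expected_issuer(custom_domain):
        return True, "issuer matches custom domain"
    if isinstance(iss, str) and iss.endswith(".auth0.com/"):
        return False, "canonical-domain issuer %s: Cloudflare bypass" % iss
    return False, "unexpected issuer %r" % (iss,)


def _demo_token(claims):
    # Constructed sample token with a dummy signature, for the demo only.
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "sig"])


if __name__ == "__main__":
    for iss in (expected_issuer(CUSTOM_DOMAIN), expected_issuer(CANONICAL_DOMAIN)):
        token = _demo_token({"iss": iss, "aud": "https://api.example.com", "sub": "user|1"})
        print(check_issuer(decode_claims(token)))
```

Log the rejection reason so a canonical-domain issuer shows up in monitoring rather than only failing silently.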