What Headers Does Auth0 Send to IDPs During Token Exchange

Last Updated: Dec 16, 2024

Overview

When Auth0 uses an OIDC enterprise connection with the back channel config (Auth Code Flow), the request to the IDP’s Token endpoint does not take place in the browser; Auth0 makes that request on the server.

The backend IDP may reject the request if it does not come from a recognized user agent. Because some IDPs restrict requests by user-agent, it is useful to know which headers Auth0 sends in that request.

Applies To

  • Token Exchange
  • OIDC Enterprise Connection
  • Auth Code Flow

Solution

Capturing the request with requestbin, by modifying an OIDC connection, shows that the headers sent from Auth0 to an IDP during the token exchange are the following:

Host: enecls43dut9u.x.pipedream.net
X-Amzn-Trace-Id: Root=1-6307c966-489731701b447d6b5e16eb96
Content-Length: 270
user-agent: Auth0 (auth0.com)
accept: application/json
accept-encoding: gzip, deflate
content-type: application/x-www-form-urlencoded

Therefore, the IDP will need to accept requests with the following user-agent:

Auth0 (auth0.com)
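One way an IDP-side filter could evaluate the captured request is sketched below. This is an added example, not Auth0's or any IDP's own code. `ALLOWED_USER_AGENTS`, `parse_headers` and `evaluate_token_request` are names assumed for the illustration, and the sample input is the header block from the capture above.

```python
# Hypothetical IDP-side header filter for the token endpoint (illustrative only).
# User-Agent is client-supplied, so this is a compatibility filter, not
# authentication: the token endpoint must still authenticate the client.

ALLOWED_USER_AGENTS = {"Auth0 (auth0.com)"}  # value taken from the capture

# Constructed sample: the header block shown in the capture above.
CAPTURED = """\
Host: enecls43dut9u.x.pipedream.net
X-Amzn-Trace-Id: Root=1-6307c966-489731701b447d6b5e16eb96
Content-Length: 270
user-agent: Auth0 (auth0.com)
accept: application/json
accept-encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
"""


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.

    HTTP header names are case-insensitive; the capture shows Auth0 sending
    'user-agent' in lower case, so a rule matching only 'User-Agent' misses it.
    """
    headers = {}
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def evaluate_token_request(raw):
    """Return (allowed, reason) for the headers of a token-endpoint request."""
    headers = parse_headers(raw)
    user_agent = headers.get("user-agent")
    if user_agent is None:
        return False, "missing user-agent"
    if user_agent not in ALLOWED_USER_AGENTS:
        return False, f"user-agent not allowlisted: {user_agent!r}"
    # Ignore parameters such as '; charset=utf-8' when comparing the media type.
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        return False, f"unexpected content-type: {media_type!r}"
    return True, "ok"
```
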