12 changes: 12 additions & 0 deletions main/config/redirects.json
Expand Up @@ -22510,5 +22510,17 @@
{
"source": "/docs/ja-jp/api/authentication/user-profile-legacy/get-token-info-legacy",
"destination": "/docs/ja-jp/api/authentication/user-profile-legacy/get-token-info"
},
{
"source": "/docs/libraries/lock/:path*",
"destination": "/docs/authenticate/login/auth0-universal-login"
},
{
"source": "/docs/fr-ca/libraries/lock/:path*",
"destination": "/docs/fr-ca/authenticate/login/auth0-universal-login"
},
{
"source": "/docs/ja-jp/libraries/lock/:path*",
"destination": "/docs/ja-jp/authenticate/login/auth0-universal-login"
}
]
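Review bot: All three new rules match on `/libraries/lock/:path*`, so confirm that the redirect matcher treats `:path*` as zero or more segments and therefore also catches the bare `/docs/libraries/lock` URL, which is the exact target several pages in this PR used to link to (for example `[Lock](/docs/libraries/lock)` in api.mdx). If the wildcard requires at least one segment, add an explicit entry for the bare path in each locale. Every Lock sub-page, whatever its topic, now lands on the Universal Login overview, so inbound deep links lose their original subject.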
2 changes: 1 addition & 1 deletion main/docs/api.mdx
Expand Up @@ -16,7 +16,7 @@ description: Auth0 exposes the following APIs for developers to consume in their
<Column>
The Authentication API exposes identity functionality for Auth0 and supported identity protocols (including OpenID Connect, OAuth, and SAML).

Typically, you should consume this API through one of the Auth0 SDKs, such as [Auth0.js](/docs/libraries/auth0js), or a library like [Lock](/docs/libraries/lock). However, if you are building your authentication UI manually, you will need to call the Authentication API directly.
Typically, you should consume this API through one of the Auth0 SDKs, such as [Auth0.js](/docs/libraries/auth0js). However, if you are building your authentication UI manually, you will need to call the Authentication API directly.
</Column>

<Column>
Expand Up @@ -130,6 +130,4 @@ The mappings in the previous steps are the most commonly used, but if you need a
Now that you have a working connection, the next step is to configure your application to use it. You can follow our step-by-step quickstarts or use our libraries and API.

* [Get started with our Quickstarts](/docs/quickstarts)
* [Configure your application using our Lock login form](/docs/libraries/lock)
* [Configure your application using our Auth0.js library and your own UI](/docs/libraries/auth0js)
* [Use our Authentication API to authenticate](https://auth0.com/docs/api/authentication)
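Review bot: The hunk header (`-130,6 +130,4`) drops two lines from this list, but only the `[Configure your application using our Lock login form](/docs/libraries/lock)` bullet is Lock-related. If the second removed line is the Auth0.js or Authentication API bullet, restore it, since the other hunks in this PR keep both of those as the remaining options.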
Expand Up @@ -12,7 +12,7 @@ In such instances, your user will need to be re-prompted to grant permission to

By setting the **prompt=consent** parameter when calling the [/authorize](https://auth0.com/docs/api/authentication/reference#social) endpoint of the [Authorization API](https://auth0.com/docs/api/authentication), your user will be prompted again to grant permissions for your application.

This parameter can also be set using Lock as an [Authentication Parameter](/docs/libraries/lock/lock-authentication-parameters) with **prompt: 'consent'**.
This parameter can also be set using Lock with **prompt: 'consent'**.

Alternatively, you can set this with [Auth0.js](https://github.com/auth0/auth0.js) using **prompt: 'consent'**.
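Review bot: The replacement sentence still tells readers to set `prompt: 'consent'` using Lock, but it no longer says where or how now that the Authentication Parameter link is gone. The rest of this PR removes Lock as a recommended path and the following sentence already covers Auth0.js, so consider deleting the sentence instead of leaving an unlinked Lock instruction.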

Expand Up @@ -14,13 +14,13 @@ This method uses the Universal Login Experience, which natively supports Passwor

## Universal Login + Lock (passwordless)

This method uses a custom login page with the **Lock (passwordless)** template, and authenticates user with the [Lock for Web SDK](/docs/libraries/lock):
This method uses a custom login page with the **Lock (passwordless)** template:

1. Go to [Dashboard > Branding > Universal Login](https://manage.auth0.com/#/login_settings) and click the **Login** tab.
2. Enable the **Custom Login Page** toggle, and select the **Lock (passwordless)** template. The HTML template will update with code using the Lock widget with Passwordless customization options.
3. Customize the template, and click **Save Changes**.

You can use HTML and CSS to customize the login form, and preview the changes within the Dashboard. To learn more about how to customize the **Lock (passwordless)** template, read the Passwordless section in [Lock for Web SDK](/docs/libraries/lock).
You can use HTML and CSS to customize the login form, and preview the changes within the Dashboard.
Comment on lines 15 to +23

Contributor

It looks like this whole section is referring to Lock.


## Universal Login + Custom UI + Auth0.js
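Review bot: The "Universal Login + Lock (passwordless)" heading and steps 1 to 3 still direct readers to enable the custom login page and edit the **Lock (passwordless)** template, while both pointers to how that template is customized are removed. Either keep a plain-text description of what can be customized in the template, or mark the section as legacy so readers are not sent into a template they have no reference for.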

Expand Up @@ -27,16 +27,16 @@ To help you choose the best solution for your needs, the table below compares th
| **WebAuthn and device biometrics** | [Yes](/docs/secure/multi-factor-authentication/fido-authentication-with-webauthn) | No |
| **Web Content Accessibility Guidelines (WCAG) Compliance** | Yes | No |
| **Organizations support** | [Yes](/docs/manage-users/organizations) | No |
| **Terms of service acceptance on signup** | Yes | [Yes](/docs/libraries/lock/lock-configuration#showterms-boolean-) |
| **Custom fields on signup** | Yes | [Yes](/docs/libraries/lock/lock-configuration#additionalsignupfields-array-) |
| **Terms of service acceptance on signup** | Yes | Yes |
| **Custom fields on signup** | Yes | Yes |
| **Full localization** | Yes, in [these](/docs/customize/internationalization-and-localization/universal-login-internationalization) languages | Only for the login page |
| **Customizable localized text on all pages** | [Yes](/docs/customize/login-pages/universal-login/customize-text-elements) | No |
| **Email MFA** | [Yes](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-email-notifications-for-mfa) | No |
| **Voice MFA** | [Yes](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-sms-voice-notifications-mfa) | No |
| **Duo MFA** | Yes, but Duo must be the only MFA factor enabled | Yes |
| **MFA customization with Actions** | [Yes](/docs/secure/multi-factor-authentication/customize-mfa/customize-mfa-selection-universal-login) | No |
| **Buttons for enterprise connections** | [Yes](/docs/authenticate/login/auth0-universal-login/identifier-first#define-home-realm-discovery-identity-providers) | No |
| **Ability to disable self-service password recovery** | Yes | [Yes](/docs/libraries/lock/lock-configuration#allowforgotpassword-boolean) |
| **Custom URLs for password reset and user signup** | Yes, using page templates **and** a custom-built password reset or signup page | [Yes](/docs/libraries/lock/lock-configuration#forgotpasswordlink-string-) |
| **Ability to disable self-service password recovery** | Yes | Yes |
| **Custom URLs for password reset and user signup** | Yes, using page templates **and** a custom-built password reset or signup page | Yes |
| **Kerberos support for AD/LDAP connections** | No | [Yes](/docs/authenticate/identity-providers/enterprise-identity-providers/active-directory-ldap/ad-ldap-connector/configure-ad-ldap-connector-with-kerberos#auto-login-with-lock) |
| **Requires exposing identity provider domains in a public endpoint** | No | [Yes](/docs/get-started/tenant-settings#advanced) |
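Review bot: In the four rows where the Classic column changes from a linked to a bare "Yes", the removed anchors (`#showterms-boolean-`, `#additionalsignupfields-array-`, `#allowforgotpassword-boolean`, `#forgotpasswordlink-string-`) were the only indication of which setting provides the feature. Consider naming the setting in plain text in each cell so the comparison stays actionable without the Lock pages.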
Expand Up @@ -4,7 +4,7 @@ title: Classic Login Experience
---
Classic Login is an Auth0-hosted login experience that relies on JavaScript for customization. Implementing Classic Login is less complex than embedding the authentication process directly in your app, and it can help prevent the dangers of cross-origin authentication.

Classic Login is built on top of Auth0's JavaScript libraries ([Lock.js](/docs/libraries/lock), [auth0.js](/docs/libraries/auth0js), <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> Widget, and Password Reset). When customizing Classic Login pages in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>, the default templates use the same JavaScript libraries to create a more natural transition between the default user interface and a custom one.
Classic Login is built on top of Auth0's JavaScript libraries (Lock.js, [auth0.js](/docs/libraries/auth0js), <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> Widget, and Password Reset). When customizing Classic Login pages in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>, the default templates use the same JavaScript libraries to create a more natural transition between the default user interface and a custom one.

Contributor

This sentence still mentions Lock.js even with the link removed. Is that what we want?


After choosing a default template for your Classic Login pages, you can modify it to meet your needs. You can also customize a variety of behavioral and appearance elements of the Lock widget. The Auth0.js templates offer additional flexibility as you can create a custom user interface and modify it to match your application's style.

3 changes: 1 addition & 2 deletions main/docs/authenticate/login/embedded-login.mdx
Expand Up @@ -4,7 +4,7 @@ title: Embedded Login
---
Embedded Login allows your users to log directly into your application and transmit their credentials to the Auth0 server for authentication. We do not recommend using Embedded Login. To learn more, read [Centralized Universal Login vs. Embedded Login](/docs/authenticate/login/universal-vs-embedded-login).

If you decide to use Embedded Login, you must [configure your application for Cross-Origin Resource Sharing](/docs/get-started/applications/set-up-cors) and should [configure a custom domain](/docs/customize/custom-domains). You can then implement the [Lock SDK](/docs/libraries/lock) or [Auth0.js SDK](/docs/libraries/auth0js) within your application, or call the [Auth0 Authentication API](https://auth0.com/docs/api/authentication) directly.
If you decide to use Embedded Login, you must [configure your application for Cross-Origin Resource Sharing](/docs/get-started/applications/set-up-cors) and should [configure a custom domain](/docs/customize/custom-domains). You can then implement the [Auth0.js SDK](/docs/libraries/auth0js) within your application, or call the [Auth0 Authentication API](https://auth0.com/docs/api/authentication) directly.

Auth0 supports Embedded Login with <Tooltip tip="Passwordless: Form of authentication that does not rely on a password as the first factor." cta="View Glossary" href="/docs/glossary?term=Passwordless">Passwordless</Tooltip> connections for multiple application types:

Expand All @@ -14,6 +14,5 @@ Auth0 supports Embedded Login with <Tooltip tip="Passwordless: Form of authentic

## Learn more

* [Lock for Web](/docs/libraries/lock)
* [Auth0.js v9 Reference](/docs/libraries/auth0js)
* [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication)
Expand Up @@ -8,7 +8,7 @@ The `prompt=login` mechanism can be subverted by simply stripping the parameter

However, you should not rely on it to validate that a fresh authentication took place. To mitigate this, the client must validate that re-authentication has taken place using the `auth_time` claim. This claim will be included automatically in the <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> when `prompt=login` or `max_age=0` parameters are given in the authentication request.

You need to pass the `max_age` parameter to the Authorization API [`/authorize` endpoint](https://auth0.com/docs/api/authentication). If you use [Auth0.js](/docs/libraries/auth0js) or [Lock](/docs/libraries/lock/lock-authentication-parameters), you can set the parameter in the appropriate options of the library.
You need to pass the `max_age` parameter to the Authorization API [`/authorize` endpoint](https://auth0.com/docs/api/authentication). If you use [Auth0.js](/docs/libraries/auth0js), you can set the parameter in the appropriate options of the library.

How you implement re-authentication depends on your specific use-case. Make a distinction between simple re-authentication for sensitive operations vs. [step-up](/docs/secure/multi-factor-authentication/step-up-authentication) (i.e. <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=multi-factor+authentication">multi-factor authentication</Tooltip>) for sensitive operations. Both are valid security measures. The former requires the end user to re-enter their password, whereas the latter requires them to use a pre-configured means of multifactor authentication as well.

Expand Up @@ -31,7 +31,7 @@ For web applications, embedded login uses [cross-origin authentication](/docs/au

| Feature | Hosted | Embedded |
| --- | --- | --- |
| **[Single Sign-on](/docs/authenticate/single-sign-on)** | Full support with Universal Login through the use of [session cookies](/docs/manage-users/sessions) on the Auth0 Authorization Server (your Auth0 tenant). | Limited support. Web applications that use the [Lock](/docs/libraries/lock/lock-api-reference#checksession-) or [Auth0.js](/docs/libraries/auth0js#using-checksession-to-acquire-new-tokens) libraries can share sessions. Native applications can share sessions with web applications through [Native to Web SSO](/docs/authenticate/single-sign-on/native-to-web). |
| **[Single Sign-on](/docs/authenticate/single-sign-on)** | Full support with Universal Login through the use of [session cookies](/docs/manage-users/sessions) on the Auth0 Authorization Server (your Auth0 tenant). | Limited support. Web applications that use the [Auth0.js](/docs/libraries/auth0js#using-checksession-to-acquire-new-tokens) library can share sessions. Native applications can share sessions with web applications through [Native to Web SSO](/docs/authenticate/single-sign-on/native-to-web). |
| **[Customization](/docs/customize)** | Universal Login allows you to easily customize many parts of the experience (including theming, page templates, text elements, and prompts).<br/><br/>Full customization is supported through [Advanced Customizations for Universal Login.](/docs/customize/login-pages/advanced-customizations) | Highest degree of customization, since you fully control the UI/UX of your application. |
| **Feature management** | Features can be centrally managed within the Auth0 Dashboard or through the Auth0 Management API.<br/><br/>For example, when you enable/disable MFA in your Dashboard, it will be immediately reflected in subsequent user logins. | Features must be managed for each application individually.<br/><br/>For example, if you wanted to implement MFA for your web application and for your native application, you’d have to update and release new versions for both. |
| **User experience** | Users are redirected between your application and the Auth0 Authorization Server during authentication.<br/><br/>For native applications, this requires implementation of universal/deep links. | Users remain in your application during authentication. |
Expand Up @@ -8,14 +8,7 @@ import { ReleaseStageNotice } from "/snippets/ReleaseStageNotice.jsx"
Embedded login for web applications uses [cross-origin authentication](/docs/authenticate/login/cross-origin-authentication) unless you [configure a custom domain](/docs/customize/custom-domains) for your tenant. Cross-origin authentication uses third-party cookies to allow for secure authentication transactions across different origins.
</Warning>

## Using Auth0's SDKs to implement Embedded Login

You can implement <Tooltip tip="Passwordless: Form of authentication that does not rely on a password as the first factor." cta="View Glossary" href="/docs/glossary?term=Passwordless">Passwordless</Tooltip> Login using Auth0's Lock widget, or if you need complete control of the user experience, you can implement it using Auth0.js:

* [Lock for Web](/docs/libraries/lock)
* [Auth0.js v9 Reference](/docs/libraries/auth0js)

### Configure Cross-Origin Resource Sharing (CORS)
## Configure Cross-Origin Resource Sharing (CORS)

For security purposes, your app's origin URL must be listed as an approved URL. If you have not already added it to the **Allowed Callback URLS** for your application, you will need to add it to the list of **Allowed Origins (CORS)**.
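Review bot: Removing the whole "Using Auth0's SDKs to implement Embedded Login" section also drops the `[Auth0.js v9 Reference](/docs/libraries/auth0js)` link, although Auth0.js stays a supported option in the other files this PR touches. Keep a one-line pointer to Auth0.js on this page, and check that promoting the CORS heading from `###` to `##` does not leave any later `###` sections under the wrong parent.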

Expand All @@ -33,7 +26,7 @@ For security purposes, your app's origin URL must be listed as an approved URL.

Customize <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> with embedded flows. Use the MFA API to allow users to enroll and challenge with factors of their choice that are supported by your application.

When using [Lock for Web](/docs/libraries/lock#2-authenticating-and-getting-user-info), the `oauth/token` endpoint returns the `mfa_required` error and includes the `mfa_token` you need to use the MFA API and `mfa_requirements` parameter with a list of authenticators your application currently supports:
When your application calls the `oauth/token` endpoint and MFA is required, the endpoint returns the `mfa_required` error and includes the `mfa_token` you need to use the MFA API and `mfa_requirements` parameter with a list of authenticators your application currently supports:

```json lines
{
Expand Up @@ -734,7 +734,7 @@ The `/passwordless/start` endpoint has a [rate limit](/docs/troubleshoot/custome

Customize <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> with embedded flows. Use the MFA API to allow users to enroll and challenge with factors of their choice that are supported by your application.

When using [Lock for Web](/docs/libraries/lock#2-authenticating-and-getting-user-info), the `oauth/token` endpoint returns the `mfa_required` error and includes the `mfa_token` you need to use the MFA API and `mfa_requirements` parameter with a list of authenticators your application currently supports:
The `oauth/token` endpoint returns the `mfa_required` error and includes the `mfa_token` you need to use the MFA API and `mfa_requirements` parameter with a list of authenticators your application currently supports:

```json lines
{
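Review bot: This replacement reads as if `oauth/token` always returns `mfa_required`, whereas the same sentence in the earlier hunk at `@@ -33,7 +26,7 @@` was rewritten with the condition "and MFA is required". Use the conditional wording in both places so the two pages do not disagree about when the error is returned.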
Expand Up @@ -43,7 +43,7 @@ You can also view step-by-step instructions on how to [configure many SAML ident

## Auth0 as service provider

If Auth0 serves as the service provider in a SAML federation, Auth0 can route authentication requests to an identity provider without already having an account pre-created for a specific user. Using the assertion returned by the identity provider, Auth0 can capture information needed to create a user profile for the user (this process is sometimes called just-in-time provisioning). To learn more, read [Select from Multiple Connection Options](/docs/libraries/lock/selecting-from-multiple-connection-options).
If Auth0 serves as the service provider in a SAML federation, Auth0 can route authentication requests to an identity provider without already having an account pre-created for a specific user. Using the assertion returned by the identity provider, Auth0 can capture information needed to create a user profile for the user (this process is sometimes called just-in-time provisioning).

Even though Auth0 doesn't require pre-created user accounts prior to the authentication process, the application integrated with Auth0 might. If this is the case, you have several options when it comes to handling this:

1 change: 0 additions & 1 deletion main/docs/authenticate/single-sign-on.mdx
Expand Up @@ -29,7 +29,6 @@ The easiest and most secure way to implement Single Sign-on (SSO) with Auth0 is

If you cannot use Universal Login with your application, review the following for additional info on embedded authentication:

* [Lock](/docs/libraries/lock/lock-api-reference)
* [Auth0.js](/docs/libraries/auth0js)

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">