What Headers Does Auth0 Send to IDPs During Token Exchange
Overview
When Auth0 uses an OIDC enterprise connection with the back-channel configuration (Auth Code Flow), the request to the IDP’s Token endpoint does not take place in the browser. Auth0 makes that request on the server.
The backend IDP may reject the request if it does not come from a recognized user-agent. This article details which headers are sent in that request, because some IDPs restrict requests by user-agent.
Applies To
- Token Exchange
- OIDC Enterprise Connection
- Auth Code Flow
Cause
The backend IDP may reject the request if it does not come from a recognized user-agent.
Solution
Capturing the request with RequestBin, by modifying an OIDC connection, shows that the headers sent from Auth0 to an IDP during the token exchange are the following:
    Host: enecls43dut9u.x.pipedream.net
    X-Amzn-Trace-Id: Root=1-6307c966-489731701b447d6b5e16eb96
    Content-Length: 270
    user-agent: Auth0 (auth0.com)
    accept: application/json
    accept-encoding: gzip, deflate
    content-type: application/x-www-form-urlencoded
Therefore, the IDP will need to accept requests with the following user-agent:
- "Auth0 (auth0.com)"
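The capture described above can also be run on an endpoint you host yourself. The following is an added example, not Auth0's code or part of the original article: it prints the token request's headers and discards the body, which carries the authorization code and may carry the client secret. The function names, bind address and port are assumptions, and Auth0 must be able to reach the endpoint over a public HTTPS URL you control (for example through a reverse proxy).

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers whose values are credentials and must not end up in logs.
REDACT = {"authorization", "cookie"}


def summarize_headers(raw_headers):
    """Lower-case header names, trim values, mask credential-bearing ones."""
    out = {}
    for name, value in raw_headers:
        key = name.lower()
        out[key] = "<redacted>" if key in REDACT else value.strip()
    return out


def user_agent_allowed(headers, allowlist):
    """Exact, case-sensitive match, as a strict IDP or WAF rule would apply it."""
    return headers.get("user-agent") in allowlist


class CaptureHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Drain the form body (code, client credentials) without storing it.
        length = int(self.headers.get("Content-Length") or 0)
        self.rfile.read(length)
        seen = summarize_headers(self.headers.items())
        print(json.dumps(seen, indent=2))
        # Answer with a standard OAuth 2.0 token error so no login completes.
        body = json.dumps({"error": "invalid_request"}).encode()
        self.send_response(400)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Assumed bind address and port; point a test connection's token endpoint here.
    HTTPServer(("127.0.0.1", 8080), CaptureHandler).serve_forever()
```

`user_agent_allowed` lets you confirm that an allowlist entry matches the captured value exactly before applying it on the IDP. The user-agent is set by the client, so it works as a filter and not as proof that a request came from Auth0.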