Merge branch 'Adrianalive:master' into master
DJAdriana authored Jun 8, 2024
2 parents 7636c48 + 718ee59 commit 1e187a1
Showing 330 changed files with 8,022 additions and 8,023 deletions.
10 changes: 6 additions & 4 deletions .github/workflows/semgrep.yml
Expand Up @@ -5,9 +5,11 @@ jobs:
semgrep:
name: Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
if: (github.actor != 'dependabot[bot]' && github.actor != 'snyk-bot')
steps:
- uses: actions/checkout@v2
- uses: returntocorp/semgrep-action@v1
with:
publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
- uses: actions/checkout@v3
- run: semgrep ci
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
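Review bot: the new `container:` / `image: returntocorp/semgrep` lines pull the scanner image by its floating default tag, so every workflow run executes whatever the registry currently serves under that name; pin it to an explicit version or digest (`image: returntocorp/semgrep@sha256:<digest>`) so the CI scan is reproducible and an unexpected upstream push cannot silently change what runs with access to the repository checkout. The same applies to `actions/checkout@v3`, which is a moving tag; pinning to a full commit SHA is the usual hardening for third-party actions. The switch from `semgrep-action` with `publishToken` to `run: semgrep ci` with `SEMGREP_APP_TOKEN` in `env` is otherwise fine as written.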
2 changes: 1 addition & 1 deletion README.md
@@ -1,6 +1,6 @@
# Auth0 Documentation

This repository contains the Auth0 Quickstarts, but most other documentation content in this repository is no longer up to date, and is not the source of content at https://auth0.com/docs. Pull requests and issues for Quickstarts can still be submitted here, but most other content is no longer hosted on GitHub and therefore no longer open-source. If you are an Auth0 employee trying to make a change to other documenation, please [submit a ticket](https://auth0team.atlassian.net/servicedesk/customer/portal/9) or contact the Documentation Team to request access to our content management system.
This repository contains the Auth0 Quickstarts, but most other documentation content in this repository is no longer up to date, and is not the source of content at https://auth0.com/docs. Pull requests and issues for Quickstarts can still be submitted here, but most other content is no longer hosted on GitHub and therefore no longer open-source. If you are an Auth0 employee trying to make a change to other documentation, please [submit a ticket](https://auth0team.atlassian.net/servicedesk/customer/portal/9) or contact the Documentation Team to request access to our content management system.


**Please review the [Contributing Guidelines](CONTRIBUTING.md) before sending a PR or opening an issue.**
4 changes: 2 additions & 2 deletions articles/_includes/_http-method.html
@@ -1,4 +1,4 @@
<h5 class="http-method-box">
<h3 class="http-method-box">
<span class="badge ${http_badge.toLowerCase()}" href="${link}">${http_method}</span>
<span class="path" href="${link}">${path}</span>
</h5>
</h3>
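Review bot: both `<span>` elements in this hunk carry an `href` attribute, which `span` does not support (it is valid only on `a`, `area`, `base` and `link`), so the attribute is inert and neither the badge nor the path actually links to `${link}`; if a link is intended, wrap the text in `<a href="${link}">`, otherwise drop the attribute. Changing the wrapper from `h5` to `h3` also promotes every endpoint box two heading levels, so check that the pages including this partial still produce a sensible heading outline.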
3 changes: 1 addition & 2 deletions articles/_includes/_test-this-endpoint.md
@@ -1,5 +1,4 @@
You can use our **Authentication API Debugger** extension to test this endpoint. To do so, you need to be logged in and have installed the [Authentication API Debugger extension](/extensions/authentication-api-debugger).

<!-- markdownlint-disable MD024 MD034 MD041-->
Click on **Install Debugger** to go to the article that explains how (you only have to do this once).

<%
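Review bot: the `<!-- markdownlint-disable MD024 MD034 MD041-->` comment is removed in this hunk while the include still starts with a plain paragraph rather than a heading, which is exactly what MD041 flags; if the repository lints partials, either keep the disable comment or confirm the linter is configured to skip `_includes`. The added sentence "Click on **Install Debugger** to go to the article that explains how" should also say where that button is found, since the include is now rendered inside the API introduction page rather than next to the button.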
17 changes: 11 additions & 6 deletions articles/api/authentication/_change-password.md
Expand Up @@ -7,14 +7,15 @@ Content-Type: application/json
"client_id": "${account.clientId}",
"email": "EMAIL",
"connection": "CONNECTION",
"organization": "ORGANIZATION_ID"
}
```

```shell
curl --request POST \
--url https://${account.namespace}/dbconnections/change_password \
--header 'content-type: application/json' \
--data '{"client_id": "${account.clientId}","email": "EMAIL", "connection": "CONNECTION"}'
--data '{"client_id": "${account.clientId}","email": "EMAIL", "connection": "CONNECTION", "organization": "ORGANIZATION_ID"}'
```

```javascript
Expand All @@ -28,7 +29,8 @@ curl --request POST \

webAuth.changePassword({
connection: 'CONNECTION',
email: 'EMAIL'
email: 'EMAIL',
organization: 'ORGANIZATION_ID'
}, function (err, resp) {
if(err){
console.log(err.message);
Expand All @@ -52,9 +54,11 @@ curl --request POST \
"We've just sent you an email to reset your password."
```

Given a user's `email` address and a `connection`, Auth0 will send a change password email.
Send a change password email to the user's provided email address and `connection`.

This endpoint only works for database connections.
Optionally, you may provide an Organization ID to support Organization-specific variables in [customized email templates](/customize/email/email-templates#common-variables) and to include the `organization_id` and `organization_name` parameters in the **Redirect To** URL.

Note: This endpoint only works for database connections.

### Request Parameters

Expand All @@ -63,6 +67,7 @@ This endpoint only works for database connections.
| `client_id` | The `client_id` of your client. We strongly recommend including a Client ID so that the email template knows from which client the request was triggered. |
| `email` <br/><span class="label label-danger">Required</span> | The user's email address. |
| `connection` <br/><span class="label label-danger">Required</span> | The name of the database connection configured to your client. |
| `organization` | The `organization_id` of the Organization associated with the user. |


### Remarks
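Review bot: the new `organization` row describes the value as "The `organization_id` of the Organization", which mixes the request parameter name (`organization`) with the variable name used in email templates and the Redirect To URL (`organization_id`); suggest "The ID of the Organization the user belongs to" and, for consistency with the `Required` badges on `email` and `connection`, an explicit optional marker matching the prose above.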
Expand All @@ -74,9 +79,9 @@ This endpoint only works for database connections.
* `X-RateLimit-Reset`: Remaining time until the rate limit (`X-RateLimit-Limit`) resets. The value is in [UTC epoch seconds](https://en.wikipedia.org/wiki/Unix_time).


### More Information
### Learn More

- [Changing a User's Password](/connections/database/password-change)
- [Password Strength in Auth0 Database Connections](/connections/database/password-strength)
- [Password Options in Auth0 Database Connections](/connections/database/password-options)
- [Auth0 API Rate Limit Policy](/policies/rate-limits)
- [Auth0 API Rate Limit Policy](/troubleshoot/customer-support/operational-policies/rate-limit-policy/rate-limit-configurations)
59 changes: 49 additions & 10 deletions articles/api/authentication/_introduction.md
Expand Up @@ -2,7 +2,7 @@

The Authentication API enables you to manage all aspects of user identity when you use Auth0. It offers endpoints so your users can log in, sign up, log out, access APIs, and more.

The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, [OAuth 2.0](/protocols/oauth2), and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>.
The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, <dfn data-key="oath2"> [OAuth 2.0](/protocols/oauth2)</dfn>, <dfn data-key="fapi">[FAPI](/secure/highly-regulated-identity#advanced-security-with-openid-connect-fapi-)</dfn> and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>.

:::note
This API is designed for people who feel comfortable integrating with RESTful APIs. If you prefer a more guided approach check out our [Quickstarts](/quickstarts) or our [Libraries](/libraries).
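Review bot: `<dfn data-key="oath2">` misspells the glossary key (the other keys on this line are spelled out in full, so `oauth2` is presumably intended), and a wrong `data-key` silently disables the definition tooltip. There is also a stray space between `<dfn data-key="oath2">` and `[OAuth 2.0]`, which none of the neighbouring `dfn` elements have.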
Expand All @@ -14,20 +14,25 @@ The Authentication API is served over HTTPS. All URLs referenced in the document

## Authentication methods

You have three options for authenticating with this API:
You have five options for authenticating with this API:
- OAuth2 <dfn data-key="access-token">Access Token</dfn>
- Client ID and Client Assertion (confidential applications)
- Client ID and Client Secret (confidential applications)
- Client ID (public applications)
- mTLS Authentication (confidential applications)

### OAuth2 Access Token

Send a valid Access Token in the `Authorization` header, using the `Bearer` authentication scheme.

An example is the [Get User Info endpoint](#get-user-info). In this scenario, you get an Access Token when you authenticate a user, and then you can make a request to the [Get User Info endpoint](#get-user-info), using that token in the `Authorization` header, in order to retrieve the user's profile.

### Client ID and Client Assertion
Generate a [client assertion](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt) containing a signed JSON Web Token (JWT) to authenticate. In the body of the request, include your Client ID, a `client_assertion_type` parameter with the value `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, and a `client_assertion` parameter with your signed assertion. Review [Private Key JWT]( https://auth0.com/docs/get-started/authentication-and-authorization-flow/authenticate-with-private-key-jwt) for examples.

### Client ID and Client Secret

Send the Client ID and Client Secret. The method you can use to send this data is determined by the [Token Endpoint Authentication Method](https://auth0.com/docs/get-started/applications/confidential-and-public-applications/view-application-type) configured for your application.
Send the Client ID and Client Secret. The method you can use to send this data is determined by the [Token Endpoint Authentication Method](/get-started/applications/confidential-and-public-applications/view-application-type) configured for your application.

If you are using **Post**, you must send this data in the JSON body of your request.

Expand All @@ -39,7 +44,19 @@ An example is the [Revoke Refresh Token endpoint](#revoke-refresh-token). This o

Send the Client ID. For public applications (applications that cannot hold credentials securely, such as SPAs or mobile apps), we offer some endpoints that can be accessed using only the Client ID.

An example is the [Implicit Grant](#implicit-grant).
An example is the [Implicit Grant](#implicit-flow).

### mTLS Authentication

Generate a certificate, either [self-signed](/get-started/applications/configure-mtls/configure-mtls-for-a-client#self-signed-certificates) or [certificate authority signed](/get-started/applications/configure-mtls/configure-mtls-for-a-client#certificate-authority-signed-certificates). Then, [set up the customer edge network](/get-started/applications/configure-mtls/set-up-the-customer-edge) that performs the mTLS handshake.

Once your edge network verifies the certificate, forward the request to the Auth0 edge network with the following headers:

- The Custom Domain API key as the `cname-api-key` header.
- The client certificate as the `client-certificate` header.
- The client certificate CA verification status as the `client-certificate-ca-verified` header. For more information, see [Forward the Request](/get-started/applications/configure-mtls/set-up-the-customer-edge#forward-the-request-).

To learn more, read [Authenticate with mTLS](/get-started/authentication-and-authorization-flow/authenticate-with-mtls).

## Parameters

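Review bot: the mTLS section lists three headers the customer edge forwards, including `client-certificate-ca-verified`, but does not say what prevents a caller from presenting those headers to the Auth0 edge directly; a sentence stating that the headers are honoured only on requests carrying a valid `cname-api-key` (if that is the model) would make the trust boundary explicit for readers deploying the edge. The bullet list also has no blank line before the closing "To learn more" paragraph's link style is fine; heading and list spacing otherwise matches the rest of the file.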
Expand Down Expand Up @@ -68,16 +85,38 @@ Each request should be sent with a Content-Type of `application/json`.

You can test the endpoints using the [Authentication API Debugger](/extensions/authentication-api-debugger).

### Test with the Authentication API Debugger
### Authentication API Debugger

The [Authentication API Debugger](/extensions/authentication-api-debugger) is an Auth0 extension you can use to test several endpoints of the Authentication API.

If it's the first time you use it, you have to install it using the [dashboard](${manage_url}/#/extensions). Once you do, you are ready to configure your app's settings and run your tests.
<%= include('../../_includes/_test-this-endpoint') %>

### Configure Connections

1. On the *Configuration* tab, set the fields **Application** (select the application you want to use for the test) and **Connection** (the name of the social connection to use).

1. Copy the <dfn data-key="callback">**Callback URL**</dfn> and set it as part of the **Allowed Callback URLs** of your [Application Settings](${manage_url}/#/applications).

1. At the *OAuth2 / OIDC* tab, select **OAuth2 / OIDC Login**.

### Endpoint options
Configure other endpoints with the following options:

- Passwordless: On the *OAuth2 / OIDC* tab, set **Username** to the user's phone number if `connection=sms`, or the user's email if `connection=email`, and **Password** to the user's verification code. Click **Resource Owner Endpoint**.
- SAML SSO: On the *Other Flows* tab, select **SAML**.
- WS-Federation: On the *Other Flows* tab, select **WS-Federation**.
- Logout: On the *Other Flows* tab, select **Logout**, or **Logout (Federated)** to log the user out of the identity provider as well.
- Legacy Login: On the *OAuth2 / OIDC* tab, set the fields **ID Token**, **Refresh Token** and **Target Client ID**. Click **Delegation**.
- Legacy Delegation: On the *OAuth2 / OIDC* tab, set **Username** and **Password**. Click **Resource Owner Endpoint**.
- Legacy Resource Owner: On the *OAuth2 / OIDC* tab, set the **Username** and **Password**, then select **Resource Owner Endpoint**.

### Authentications flows

Configure authentication flows with the following options:
- Authorization Code Flow: On the *OAuth2 / OIDC* tab, set the field **Authorization Code** to the code you retrieved from [Authorization Code Grant](/get-started/authentication-and-authorization-flow/authorization-code-flow), and the **Code Verifier** to the key. Click **OAuth2 Code Exchange**.
- Authorization Code Flow + PKCE: On the *OAuth2 / OIDC* tab, set the field **Authorization Code** to the code you retrieved from [Authorization Code Grant](/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce), and the **Code Verifier** to the key. Click **OAuth2 Code Exchange**.
- Client Credential Flow: On the *OAuth2 / OIDC* tab, select **OAuth2 Client Credentials**.

Note that its URL varies according to your tenant's region:
- <a href="https://${account.tenant}.us.webtask.io/auth0-authentication-api-debugger" target="_blank">US West</a>
- <a href="https://${account.tenant}.eu.webtask.io/auth0-authentication-api-debugger" target="_blank">Europe Central</a>
- <a href="https://${account.tenant}.au.webtask.io/auth0-authentication-api-debugger" target="_blank">Australia</a>

## Errors

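Review bot: several of the new Debugger bullets look wrong: the "Authorization Code Flow" item tells the reader to set **Code Verifier**, which belongs only to the PKCE variant described in the next item; "Legacy Login" (set **ID Token**, **Refresh Token**, **Target Client ID**, click **Delegation**) and "Legacy Delegation" (set **Username** and **Password**, click **Resource Owner Endpoint**) appear to have swapped descriptions; and "Legacy Delegation" and "Legacy Resource Owner" then describe the same steps. Also fix the heading typo "Authentications flows", add a blank line between "Configure authentication flows with the following options:" and its list, and move the "Note that its URL varies according to your tenant's region" list back next to the Debugger description, since "its" now has no nearby referent.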