Commit fa88d5f

Merge branch 'master' into i18n-implementation
2 parents e8d67a7 + 76c61f4 commit fa88d5f

231 files changed

+1143
-1060
lines changed


articles/_includes/_api_auth_intro.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,3 @@
11
::: note
2-
**New to Auth0?** Learn [how Auth0 works](/overview) and read about [implementing API authentication and authorization ](/api-auth) using the OAuth 2.0 framework.
2+
**New to Auth0?** Learn <a href="/overview" target="_blank" rel="noreferrer">how Auth0 works</a> and read about <a href="/api-auth" target="_blank" rel="noreferrer">implementing API authentication and authorization</a> using the OAuth 2.0 framework.
33
:::
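
Review bot: on the `+` line both links are same-site paths (`/overview`, `/api-auth`), yet they now open in a new tab with `rel="noreferrer"`. `noreferrer` already implies `noopener`, so the opener is protected, but it also strips the `Referer` header on navigation inside the docs site. If the referrer is wanted for internal links, `rel="noopener"` is sufficient; it is also worth confirming that internal links are meant to leave the current tab at all.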

articles/_includes/_callback_url.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@
22

33
### Configure Callback URLs
44

5-
A callback URL is a URL in your application where Auth0 redirects the user after they have authenticated. The callback URL for your app must be added to the **Allowed Callback URLs** field in your [Application Settings](${manage_url}/#/applications). If this field is not set, users will be unable to log in to the application and will get an error.
5+
A callback URL is a URL in your application where Auth0 redirects the user after they have authenticated. The callback URL for your app must be added to the **Allowed Callback URLs** field in your <a href="${manage_url}/#/applications" target="_blank" rel="noreferrer">Application Settings</a>. If this field is not set, users will be unable to log in to the application and will get an error.

articles/_includes/_logout_url.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
### Configure Logout URLs
44

5-
A logout URL is a URL in your application that Auth0 can return to after the user has been logged out of the authorization server. This is specified in the `returnTo` query parameter. The logout URL for your app must be added to the **Allowed Logout URLs** field in your [Application Settings](${manage_url}/#/applications). If this field is not set, users will be unable to log out from the application and will get an error.
5+
A logout URL is a URL in your application that Auth0 can return to after the user has been logged out of the authorization server. This is specified in the `returnTo` query parameter. The logout URL for your app must be added to the **Allowed Logout URLs** field in your <a href="${manage_url}/#/applications" target="_blank" rel="noreferrer">Application Settings</a>. If this field is not set, users will be unable to log out from the application and will get an error.
66

77
<% if (typeof(returnTo) !== "undefined") { %>
88
::: note

articles/_includes/_new_app.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
## Configure Auth0
22
### Get Your Application Keys
33

4-
When you signed up for Auth0, a new application was created for you, or you could have created a new one. You will need some details about that application to communicate with Auth0. You can get these details from the [Application Settings](${manage_url}/#/applications) section in the Auth0 dashboard.
4+
When you signed up for Auth0, a new application was created for you, or you could have created a new one. You will need some details about that application to communicate with Auth0. You can get these details from the <a href="${manage_url}/#/applications" target="_blank" rel="noreferrer">Application Settings</a> section in the Auth0 dashboard.
55

66
<% if(typeof hideDashboardScreenshot === 'undefined' || hideDashboardScreenshot !== true) { %>
77
![App Dashboard](/media/articles/dashboard/client_settings.png)

articles/api/authentication/_login.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -245,8 +245,8 @@ curl --location 'https://[TENANT_DOMAIN]/bc-authorize' \
245245
| `binding_message` <br/><span class="label label-danger">Required</span> | Human-readable string displayed on both the device calling `/bc-authorize` and the user’s authentication device (e.g. phone) to ensure the user is approves the correct request. For example: `ABC-123-XYZ`. |
246246
| `login_hint` <br/><span class="label label-danger">Required</span> | String containing information about the user to contact for authentication. It uses the [IETF9493 standard for Subject Identifiers for Security Event Tokens](https://datatracker.ietf.org/doc/html/rfc9493). Auth0 only supports the [Issuer and Identifier format](https://datatracker.ietf.org/doc/html/rfc9493#name-issuer-and-subject-identifi). For an example login hint, review the [Remarks](#remarks). |
247247
| `scope` <br/><span class="label label-danger">Required</span> | Space-separated list of OIDC and custom API scopes. For example: `openid read:timesheets edit:timesheets`. Include `offline_access` to get a refresh token. At a minimum, you must include the scope `openid`. |
248-
| `audience` <br/><span class="label label-danger">Optional</span> | Unique identifier of the audience for an issued token. If you require an access token for an API, pass the unique identifier of the target API you want to access. |
249-
| `request_expiry` <br/><span class="label label-danger">Optional</span> | To configure a custom expiry time in seconds for this request, pass a number between 1 and 300. If not provided, expiry defaults to 300 seconds. |
248+
| `audience` <br/><span class="label label-primary">Optional</span> | Unique identifier of the audience for an issued token. If you require an access token for an API, pass the unique identifier of the target API you want to access. |
249+
| `request_expiry` <br/><span class="label label-primary">Optional</span> | To configure a custom expiry time in seconds for this request, pass a number between 1 and 300. If not provided, expiry defaults to 300 seconds. |
250250

251251
### Response Body
252252
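
Review bot: the two changed rows are fine, but the rows directly above them in the same table still carry copy errors that could be fixed in this pass: `binding_message` reads "to ensure the user is approves the correct request", and `login_hint` names the standard "IETF9493" while its link points at RFC 9493. Suggest "to ensure the user approves the correct request" and "RFC 9493".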

articles/api/authentication/_logout.md

Lines changed: 27 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,4 @@
1+
<!-- markdownlint-disable MD024 MD012 -->
12
# Logout
23
## Auth0 Logout
34
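
Review bot: the added `markdownlint-disable MD024 MD012` comment at line 1 turns both rules off for the whole file. MD024 (duplicate headings) is understandable given the repeated `### Remarks` and `### Request Parameters` headings, but MD012 (multiple consecutive blank lines) is normally fixed by deleting the extra blank lines rather than suppressed. Suggest dropping MD012 from the directive, or scoping the disable to the section that needs it with a matching `markdownlint-enable`.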

@@ -121,13 +122,13 @@ Use this endpoint to logout a user. If you want to navigate the user to a specif
121122

122123
| Parameter | Description |
123124
| :------------------------------------ | :-------------------------------------------------------------------------------------------------------------------------------------------------------------- |
124-
| `id_token_hint` (Recommended) | Previously issued ID Token for the user. This is used to indicate which user to log out. |
125-
| `logout_hint` (Optional) | Optional `sid` (session ID) value to indicate which user to log out. Should be provided when `id_token_hint` is not available. |
126-
| `post_logout_redirect_uri` (Optional) | URL to redirect the user after the logout. |
127-
| `client_id` (Optional) | The `client_id` of your application. |
128-
| `federated` (Optional) | Add this query string parameter to log the user out of their identity provider: `https://YOUR_DOMAIN/oidc/logout?federated`. |
129-
| `state` (Optional) | An opaque value the applications adds to the initial request that the authorization server includes when redirecting the back to the`post_logout_redirect_uri`. |
130-
| `ui_locales` (Optional) | Space-delimited list of locales used to constrain the language list for the request. The first locale on the list must match the enabled locale in your tenant |
125+
| `id_token_hint` <br/><span class="label label-primary">Recommended</span> | Previously issued ID Token for the user. This is used to indicate which user to log out. |
126+
| `logout_hint` <br/><span class="label label-primary">Optional</span> | Optional `sid` (session ID) value to indicate which user to log out. Should be provided when `id_token_hint` is not available. |
127+
| `post_logout_redirect_uri` <br/><span class="label label-primary">Optional</span> | URL to redirect the user after the logout. |
128+
| `client_id` <br/><span class="label label-primary">Optional</span> | The `client_id` of your application. |
129+
| `federated` <br/><span class="label label-primary">Optional</span> | Add this query string parameter to log the user out of their identity provider: `https://YOUR_DOMAIN/oidc/logout?federated`. |
130+
| `state` <br/><span class="label label-primary">Optional</span> | An opaque value the applications adds to the initial request that the authorization server includes when redirecting the back to the`post_logout_redirect_uri`. |
131+
| `ui_locales` <br/><span class="label label-primary">Optional</span> | Space-delimited list of locales used to constrain the language list for the request. The first locale on the list must match the enabled locale in your tenant |
131132

132133
### Remarks
133134
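
Review bot: the `state` and `ui_locales` rows are rewritten here but keep their wording errors: "the applications adds", "when redirecting the back to the`post_logout_redirect_uri`" (missing word and missing space before the backtick), and no full stop after "in your tenant". Since every row is touched anyway, fix them in the same change. Also, the `logout_hint` description still opens with "Optional `sid`", which now duplicates the Optional label, and `id_token_hint` gets the same `label-primary` style for Recommended as the Optional rows, so the two are not visually distinguishable.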

@@ -174,3 +175,22 @@ Logout behavior is determined by the configuration of the SAML2 Web App addon fo
174175
### Learn More
175176
- [Logout](/logout)
176177
- [Log Users Out of SAML Identity Providers](https://auth0.com/docs/authenticate/login/logout/log-users-out-of-saml-idps)
178+
179+
## Global Token Revocation
180+
<%= include('../../_includes/_http-method', {
181+
"http_badge": "badge-primary",
182+
"http_method": "POST",
183+
"path": "/oauth/global-token-revocation/connection/YourConnectionName",
184+
"link": "#logout"
185+
}) %>
186+
187+
Use this endpoint with the [Okta Workforce Identity Cloud Universal Logout](https://developer.okta.com/docs/guides/oin-universal-logout-overview/) to log users out of your applications. To learn more, read [Universal Logout](https://auth0.com/docs/authenticate/login/logout/universal-logout).
188+
189+
### Request Parameters
190+
| Parameter | Description |
191+
| :-- | :-- |
192+
| `subject` | `{ "format": "iss_sub", "iss": "https://issuer.example.com/", "sub": "145234573" }` |
193+
194+
### Remarks
195+
- A request to this endpoint revokes sessions cookies and refresh tokens, but not access tokens.
196+
- You must authenticate at the endpoint before revoking user sessions. Review [Endpoint Authentication](https://developer.okta.com/docs/guides/oin-universal-logout-overview/#endpoint-authentication).
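
Review bot: in the `_http-method` include for the new Global Token Revocation section, `"link": "#logout"` points at the Logout anchor rather than at this section, so the badge link will jump to the wrong place; it should target the new heading's own anchor. In the Request Parameters table the `subject` row has an example JSON object in the Description column and no Required/Optional label, unlike the other parameter tables in this file; add a one-line description and move the JSON to an example. In Remarks, "sessions cookies" should be "session cookies", and since the first remark says access tokens are not revoked, it would help readers to state that already issued access tokens stay usable until they expire.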

articles/api/authentication/api-authz/_client-credential.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -64,6 +64,7 @@ This is the OAuth 2.0 grant that server processes use to access an API. Use this
6464
| `client_id` <br/><span class="label label-danger">Required</span> | Your application's Client ID. |
6565
| `client_secret` <br/><span class="label label-danger">Required</span> | Your application's Client Secret. |
6666
| `audience` <br/><span class="label label-danger">Required</span> | The unique identifier of the target API you want to access. |
67+
| `organization` <br/><span class="label label-primary">Optional</span>| The organization or identifier with which you want the request to be associated. To learn more, read [Machine-to-Machine Access for Organizations](https://auth0.com/docs/manage-users/organizations/organizations-for-m2m-applications)|
6768

6869
### Learn More
6970
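
Review bot: the added `organization` row is missing the space between `</span>` and the column separator and the space before the closing `|`, and the description has no full stop after the link, so it does not match the three rows above it. The phrase "The organization or identifier" is also unclear; "The organization name or identifier" appears to be what is meant.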

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
<!-- markdownlint-disable MD041 -->
22

33
:::note
4-
This guide focuses on using the `useAuth0()` custom React Hook. If you are using class components, check out [these samples using the `withAuth0()` higher-order component](https://github.com/auth0/auth0-react/blob/master/EXAMPLES.md#use-with-a-class-component).
4+
This guide focuses on using the `useAuth0()` custom React Hook. If you are using class components, check out <a href="https://github.com/auth0/auth0-react/blob/master/EXAMPLES.md#use-with-a-class-component" target="_blank" rel="noreferrer">these samples using the `withAuth0()` higher-order component</a>.
55
:::

articles/quickstart/_includes/_auth0-react-install.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,4 +8,4 @@ Run the following command within your project directory to install the Auth0 Rea
88
npm install @auth0/auth0-react
99
```
1010

11-
The SDK exposes methods and variables that help you integrate Auth0 with your React application idiomatically using [React Hooks](https://reactjs.org/docs/hooks-overview.html) or [Higher-Order Components](https://reactjs.org/docs/higher-order-components.html).
11+
The SDK exposes methods and variables that help you integrate Auth0 with your React application idiomatically using <a href="https://reactjs.org/docs/hooks-overview.html" target="_blank" rel="noreferrer">React Hooks</a> or <a href="https://reactjs.org/docs/higher-order-components.html" target="_blank" rel="noreferrer">Higher-Order Components</a>.

articles/quickstart/_includes/_configure_auth0_interactive.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ To use Auth0 services, you’ll need to have an application set up in the Auth0
66

77
Use the interactive selector to create a new Auth0 application or select an existing application that represents the project you want to integrate with. Every application in Auth0 is assigned an alphanumeric, unique client ID that your application code will use to call Auth0 APIs through the SDK.
88

9-
Any settings you configure using this quickstart will automatically update for your Application in the <a href="${manage_url}/#/">Dashboard</a>, which is where you can manage your Applications in the future.
9+
Any settings you configure using this quickstart will automatically update for your Application in the <a href="${manage_url}/#/" target="_blank" rel="noreferrer">Dashboard</a>, which is where you can manage your Applications in the future.
1010

1111
If you would rather explore a complete configuration, you can view a sample application instead.
1212

articles/quickstart/backend/_includes/_api_auth_preamble.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,4 +3,4 @@ This example demonstrates:
33

44
* How to check for a JSON Web Token (JWT) in the `Authorization` header of an incoming HTTP request.
55

6-
* How to check if the token is valid, using the [JSON Web Key Set (JWKS)](/tokens/concepts/jwks) for your Auth0 account. To learn more about validating Access Tokens, see [Validate Access Tokens](/tokens/guides/validate-access-tokens).
6+
* How to check if the token is valid, using the <a href="/tokens/concepts/jwks" target="_blank" rel="noreferrer">JSON Web Key Set (JWKS)</a> for your Auth0 account. To learn more about validating Access Tokens, see <a href="/tokens/guides/validate-access-tokens" target="_blank" rel="noreferrer">Validate Access Tokens</a>.

articles/quickstart/backend/_includes/_api_create_new.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
### Create an API
44

5-
In the [APIs](${manage_url}/#/apis) section of the Auth0 dashboard, click **Create API**. Provide a name and an identifier for your API, for example, `https://quickstarts/api`. You will use the identifier as an `audience` later, when you are configuring the Access Token verification. Leave the **Signing Algorithm** as **RS256**.
5+
In the <a href="$manage_url/#/apis" target="_blank" rel="noreferrer">APIs</a> section of the Auth0 dashboard, click **Create API**. Provide a name and an identifier for your API, for example, `https://quickstarts/api`. You will use the identifier as an `audience` later, when you are configuring the Access Token verification. Leave the **Signing Algorithm** as **RS256**.
66

77
![Create API](/media/articles/server-apis/create-api.png)
88
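
Review bot: on the `+` line the href changed from `${manage_url}/#/apis` to `$manage_url/#/apis`, dropping the braces. Other files in this same commit keep the `${manage_url}` form inside their new anchors (for example the Application Settings links), so this looks unintended. Unless the renderer also expands the bare form, the link will resolve to a literal `$manage_url/#/apis`. Suggest `href="${manage_url}/#/apis"`.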

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
## Create a Resource Server (API)
22

3-
In the [APIs](${manage_url}/#/apis) section of the Auth0 dashboard, click **Create API**. Provide a name and an identifier for your API, for example, `https://quickstarts/api`. You will use the identifier as an `audience` later, when you are configuring the Access Token verification. For **Signing Algorithm**, select **RS256**.
3+
In the <a href="$manage_url/#/apis" target="_blank" rel="noreferrer">APIs</a> section of the Auth0 dashboard, click **Create API**. Provide a name and an identifier for your API, for example, `https://quickstarts/api`. You will use the identifier as an `audience` later, when you are configuring the Access Token verification. For **Signing Algorithm**, select **RS256**.
44

55
![Create API](/media/articles/server-apis/create-api.png)
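
Review bot: the new anchor on line 3 uses `href="$manage_url/#/apis"` where the removed line had `${manage_url}/#/apis`. The brace form is the one used for this variable elsewhere in the commit, so the placeholder is likely to be left unexpanded here and the Dashboard link broken. Restore the braces in the href.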
Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
1-
By default, your API uses RS256 as the algorithm for signing tokens. Since RS256 uses a private/public keypair, it verifies the tokens against the public key for your Auth0 account. The public key is in the [JSON Web Key Set (JWKS)](/tokens/concepts/jwks) format, and can be accessed [here](https://${account.namespace}/.well-known/jwks.json).
1+
By default, your API uses RS256 as the algorithm for signing tokens. Since RS256 uses a private/public keypair, it verifies the tokens against the public key for your Auth0 account. The public key is in the <a href="/tokens/concepts/jwks" target="_blank" rel="noreferrer">JSON Web Key Set (JWKS)</a> format, and can be accessed <a href="https://$account.namespace/.well-known/jwks.json" target="_blank" rel="noreferrer">here</a>.
22

33
<% if (typeof sampleLink == 'string') { %>
44
::: note
5-
We recommend using the default RS256 [signing algorithm](/tokens/concepts/signing-algorithms) for your API. If you need to use the HS256 algorithm, see the [HS256 integration sample](${sampleLink}).
5+
We recommend using the default RS256 <a href="/tokens/concepts/signing-algorithms" target="_blank" rel="noreferrer">signing algorithm</a> for your API. If you need to use the HS256 algorithm, see the <a href="$sampleLink" target="_blank" rel="noreferrer">HS256 integration sample</a>.
66
:::
77
<% } %>
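
Review bot: both rewritten lines lose the braces around their template variables: line 1 now has `href="https://$account.namespace/.well-known/jwks.json"` and line 5 has `href="$sampleLink"`, where the removed lines used `${account.namespace}` and `${sampleLink}`. The bare `$account.namespace` form is ambiguous even for an engine that accepts `$name`, and a JWKS link that does not resolve to the tenant's real domain is a poor thing to ship in token-validation docs. Restore `${...}` in both hrefs.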
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
By default, your API will be set up to use RS256 as the algorithm for signing tokens. Since RS256 works by using a private/public keypair, tokens can be verified against the public key for your Auth0 account. This public key is accessible at [https://${account.namespace}/.well-known/jwks.json](https://${account.namespace}/.well-known/jwks.json).
1+
By default, your API will be set up to use RS256 as the algorithm for signing tokens. Since RS256 works by using a private/public keypair, tokens can be verified against the public key for your Auth0 account. This public key is accessible at <a href="https://$account.namespace/.well-known/jwks.json" target="_blank" rel="noreferrer">https://${account.namespace}/.well-known/jwks.json</a>.
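
Review bot: on the `+` line the href is `https://$account.namespace/.well-known/jwks.json` while the visible link text on the same line is still `https://${account.namespace}/.well-known/jwks.json`. The two should be identical; as written, the text may render the tenant domain while the link target does not. Use `${account.namespace}` in the href as well.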
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,3 @@
11
So far, the API is only checking for whether the incoming request has valid authentication information. This solves the case of restricting endpoints such that only authenticated users can access them; however, it doesn't currently provide any way to check for **authorization**.
22

3-
Authorization can be added to your authentication flow by use of a **scope** claim in the Access Token which provides some indication of what that token allows access to. For more information on how to add scopes to an Access Token, see the [Scopes documentation](/scopes).
3+
Authorization can be added to your authentication flow by use of a **scope** claim in the Access Token which provides some indication of what that token allows access to. For more information on how to add scopes to an Access Token, see the <a href="/scopes" target="_blank" rel="noreferrer">Scopes documentation</a>.

articles/quickstart/backend/_includes/_api_scopes_access_resources.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
Permissions let you define how resources can be accessed on behalf of the user with a given access token. For example, you might choose to grant read access to the `messages` resource if users have the manager access level, and a write access to that resource if they have the administrator access level.
22

3-
You can define allowed permissions in the **Permissions** view of the Auth0 Dashboard's [APIs](${manage_url}/#/apis) section.
3+
You can define allowed permissions in the **Permissions** view of the Auth0 Dashboard's <a href="$manage_url/#/apis" target="_blank" rel="noreferrer">APIs</a> section.
44

55
![Configure Permissions](/media/articles/server-apis/configure-permissions.png)
66
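
Review bot: line 3 replaces `${manage_url}/#/apis` with `href="$manage_url/#/apis"`. The removed line and the other Dashboard links added in this commit use the brace form, so the bare `$manage_url` is probably a conversion slip and will leave the APIs link unresolved. Suggest keeping `${manage_url}` inside the href.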
