Common mistakes in Auth0 setup

  1. Audience mix-up attack
  2. Business-critical information in user_metadata
  3. Linking accounts by unverified email
  4. id_token used as a bearer token (this is not only a privacy problem)
  5. Weak token validation (RS256, nonce, state, c_hash, etc.)
  6. Confidential clients for public applications
  7. Neglecting API rate limits
  8. Neglecting application settings hygiene (grants, localhost callback URLs, allowed connections, allowed origins, etc.)
  9. Neglecting tenant housekeeping (MFA for admins, tagging, security settings, legacy flags, dynamic registration, enabling applications/connections)
  10. Lack of proper logout
  11. Open to DDoS by calling the Management API from a public API or from the login process (mostly due to custom HRD or mutable fields in metadata)
  12. Naive user_id design (e.g. sequential) or unnecessarily mastering it yourself
  13. Open sign-ups on protected databases
  14. Transporting tokens in query parameters (opens the door to replay attacks)
  15. Canonical domain name as issuer (opens the door to WAF bypass)
  16. Modelling a single business as multiple audiences, or putting versioning in the audience
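Items 1, 4, 5 and 15 all come down to what a resource server checks before it trusts a token. The Go program below is an added example written for this page; it is not Auth0 code or from the author of the list. It validates an RS256 JWT the way an API should: it pins the algorithm, verifies the signature, requires the exact issuer string (trailing slash included, so a canonical-name variant is rejected), requires its own identifier in `aud` (so a token minted for another API, or an id_token whose audience is a client_id, is rejected), and checks expiry and nonce. The tenant issuer, audience and nonce values are constructed placeholders, and `MintRS256`/`NewTestKey` exist only to build fixtures, since in a real deployment Auth0 signs and you only verify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of JWT claims the checks below pin. "aud" may be a
// single string or an array in a JWT, so it is decoded as interface{}.
type Claims struct {
	Iss   string      `json:"iss"`
	Aud   interface{} `json:"aud"`
	Exp   int64       `json:"exp"`
	Nonce string      `json:"nonce,omitempty"`
}

// Expected is what this particular API or application requires of a token.
type Expected struct {
	Issuer   string // exact issuer string from tenant settings, trailing slash included
	Audience string // this API's own identifier, never a shared or versioned one
	Nonce    string // for id_tokens: the nonce this client sent; empty to skip
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ValidateRS256 accepts only an RS256 token signed by pub, issued by exactly
// want.Issuer, addressed to want.Audience, unexpired at now (unix seconds),
// and carrying want.Nonce when one is required.
func ValidateRS256(token string, pub *rsa.PublicKey, want Expected, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("part %d: bad base64url", i)
		}
		raw[i] = b
	}
	// Pin the algorithm before looking at the signature: never let the token choose.
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("alg %q is not the pinned RS256", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, errors.New("bad payload json")
	}
	if c.Iss != want.Issuer {
		return nil, fmt.Errorf("issuer %q rejected", c.Iss)
	}
	if !audienceContains(c.Aud, want.Audience) {
		return nil, errors.New("token not addressed to this audience")
	}
	if c.Exp <= now {
		return nil, errors.New("token expired")
	}
	if want.Nonce != "" && c.Nonce != want.Nonce {
		return nil, errors.New("nonce mismatch")
	}
	return &c, nil
}

// audienceContains handles both the string and the array form of "aud".
func audienceContains(aud interface{}, want string) bool {
	switch v := aud.(type) {
	case string:
		return v == want
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// MintRS256 signs a token with priv. Fixture helper only: the alg parameter
// lets the demo forge a mislabelled header to show the pin rejecting it.
func MintRS256(priv *rsa.PrivateKey, c Claims, alg string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig)
}

// NewTestKey generates a throwaway key pair standing in for the tenant's JWKS key.
func NewTestKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	priv := NewTestKey()
	now := int64(1700000000) // constructed "current time"
	want := Expected{Issuer: "https://example-tenant.example.auth0.com/", Audience: "https://api.example.com", Nonce: "n-42"}
	good := MintRS256(priv, Claims{Iss: want.Issuer, Aud: []string{want.Audience}, Exp: now + 300, Nonce: "n-42"}, "RS256")
	mixup := MintRS256(priv, Claims{Iss: want.Issuer, Aud: "https://other-api.example.com", Exp: now + 300, Nonce: "n-42"}, "RS256")
	for name, tok := range map[string]string{"good": good, "other-audience": mixup} {
		_, err := ValidateRS256(tok, &priv.PublicKey, want, now)
		fmt.Printf("%-15s -> %v\n", name, err)
	}
}
```

The issuer comparison is a plain string equality on purpose: accepting any host that resolves to the tenant (or normalising away the trailing slash) is exactly what lets a token minted against a non-canonical name slip past a WAF rule written for the canonical one, and the audience check is what stops a token issued for one API, or an id_token, from being presented to another.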