Does anyone know if the Auth0 IDs from both email and social connections are "sensitive"? Currently we're using them as our userIds in our APIs, and I'm worried that exposing these in the JSON (and in some places the HTML sources) would be bad practice.
I also would like to know the answer to this question. Specifically I mean the auth0|xxxx or google-oauth2|xxxx IDs. My expectation is that these are not sensitive as they are more or less useless to anyone who doesn't have an API key, but wanted to verify that.
I agree with you in that without credentials someone couldn’t do much (API actions), but I believe google-oauth2|xxxx IDs for example could be traced as it’s used across the board for login with Google services.
Thank you! Am I interpreting this correctly in that the risk would essentially be that someone’s accounts could be correlated across tenants? Would that be limited to auth0 clients or also other services that do not interact with auth0 but do use (for example) google oauth2?
No problem! The Auth0 database connection ID (auth0|xxxx) will be unique across tenants. If a user authenticates via a Google connection (google-oauth2|xxxx), then that ID could potentially be traced to other services. I'm doing some research on my end just to be sure.
Adding some color here. When a user utilizes a Google Connection to perform authentication via the Google upstream IdP, a redirect occurs to Google, and upon successful authentication it (Google) creates its own session, just like CIC (Auth0). google-oauth2|xxxx is the identifier of the user in Auth0, referenced via the Auth0-established session; xxxx is the identifier of the user in Google, referenced via the session that Google establishes.
The OIDC solution for this is PPID (defined below). I believe Apple is the only provider that implements this.
Pairwise Pseudonymous Identifier (PPID)
Identifier that identifies the Entity to a Relying Party that cannot be correlated with the Entity’s PPID at another Relying Party.
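As an added example (not code from any of the posts above), this Python splits an Auth0 user_id into its connection and upstream parts, flags the IDs that carry an upstream IdP subject (the correlatable case discussed in the thread), and derives a per-relying-party pairwise pseudonymous identifier in the spirit of the PPID definition quoted above, so an API exposes an opaque value instead of the raw google-oauth2|xxxx. The sample IDs, sector identifiers and salt are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample Auth0 user IDs; the parts after "|" are made-up placeholders.
SAMPLE_USER_IDS = [
    "auth0|5f1c2a9e8b3d4c0012345678",
    "google-oauth2|103456789012345678901",
]


def split_auth0_user_id(user_id: str) -> tuple[str, str]:
    """Split an Auth0 user_id into (connection, upstream identifier).

    For a database connection ("auth0") the right-hand part is an Auth0-local id.
    For a social connection (e.g. "google-oauth2") it is the upstream IdP's own
    subject identifier, which is the same at every service the user signs in to
    with that IdP, and therefore lets accounts be correlated across services.
    """
    connection, _, upstream_id = user_id.partition("|")
    if not connection or not upstream_id:
        raise ValueError(f"not an Auth0 user_id: {user_id!r}")
    return connection, upstream_id


def is_correlatable_across_services(user_id: str) -> bool:
    """True when the id embeds an upstream IdP subject (any non-auth0 connection)."""
    connection, _ = split_auth0_user_id(user_id)
    return connection != "auth0"


def pairwise_id(user_id: str, sector_identifier: str, salt: bytes) -> str:
    """Derive a pairwise pseudonymous identifier for one relying party (sector).

    Mirrors the shape of the OIDC Core 8.1 pairwise algorithm: hash the sector
    identifier together with the local account id under a secret salt. Different
    sectors yield unrelated values, so the exposed id cannot be matched across
    relying parties, and the upstream id never leaves the server.
    Assumption: the salt is a per-deployment secret loaded from outside the code.
    """
    mac = hmac.new(salt, digestmod=hashlib.sha256)
    mac.update(sector_identifier.encode())
    mac.update(b"\x00")  # domain separator between sector and account id
    mac.update(user_id.encode())
    return mac.hexdigest()


if __name__ == "__main__":
    demo_salt = b"constructed-demo-salt-not-for-production"
    for uid in SAMPLE_USER_IDS:
        print(uid, "correlatable:", is_correlatable_across_services(uid))
        print("  app-a:", pairwise_id(uid, "https://app-a.example", demo_salt))
        print("  app-b:", pairwise_id(uid, "https://app-b.example", demo_salt))
```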