My company uses Auth0 for customer authentication. That has been the main use case so far. Recently though, they started talking about using Auth0 as a service provider for internal users. Internal users authenticate to Azure AD but need a JWT token to access some internal endpoints. The Devs are thinking of using Auth0 as a service provider to obtain this token.
Historically, we have always tried to separate customer authentication and internal users' auth or auth functions, but this is getting blurred now. Concerns raised are from Security on how the 2 should be separate. Just keen to hear what your thoughts are on this? Does this pose a security concern when Auth0 is used for customer authentication but also as a service provider for internal users as described above?
Welcome to the Community!
We use this model ourselves where some employees need to access Auth0 protected apps. We have our G Suite environment connected to Auth0, and we leverage Google Groups for access control. If you only enable the AD connection for apps where employees should log in (and vice versa for customers), there should be no security concerns.
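The per-application check the reply recommends, as an added example that is not part of the thread: it reads a connection list in the shape of the Auth0 Management API `GET /api/v2/connections` response (`name`, `strategy`, `enabled_clients`) and flags any application that has both an enterprise (employee) connection and a customer connection enabled. The client IDs, connection names and the employee-strategy set are assumptions.

```python
"""Audit which Auth0 connections are enabled on which applications.

Added example, not code from the original thread. Runs offline on a
constructed sample shaped like Auth0 Management API `GET /api/v2/connections`
output; the client IDs and connection names are made up.
"""
from collections import defaultdict

# Strategies that normally carry employees (enterprise IdPs); assumption,
# adjust to the tenant's own enterprise connections.
EMPLOYEE_STRATEGIES = {"waad", "google-apps", "ad", "adfs", "samlp"}

# Constructed sample: three connections across two applications.
SAMPLE_CONNECTIONS = [
    {"name": "Username-Password-Authentication", "strategy": "auth0",
     "enabled_clients": ["customer_portal_client_id", "internal_api_client_id"]},
    {"name": "corp-azure-ad", "strategy": "waad",
     "enabled_clients": ["internal_api_client_id"]},
    {"name": "google-oauth2", "strategy": "google-oauth2",
     "enabled_clients": ["customer_portal_client_id"]},
]


def connections_by_client(connections):
    """Map client_id -> list of (connection name, strategy) enabled for it."""
    per_client = defaultdict(list)
    for conn in connections:
        for client_id in conn.get("enabled_clients", []):
            per_client[client_id].append((conn["name"], conn["strategy"]))
    return dict(per_client)


def find_mixed_clients(connections, employee_strategies=EMPLOYEE_STRATEGIES):
    """Return client IDs with both employee and customer connections enabled.

    An app in this state lets either population log in to it, which is the
    blurring the question describes; each entry lists the offending names.
    """
    mixed = {}
    for client_id, conns in connections_by_client(connections).items():
        employee = [n for n, s in conns if s in employee_strategies]
        customer = [n for n, s in conns if s not in employee_strategies]
        if employee and customer:
            mixed[client_id] = {"employee": employee, "customer": customer}
    return mixed


if __name__ == "__main__":
    for client_id, detail in find_mixed_clients(SAMPLE_CONNECTIONS).items():
        print(f"{client_id}: employee={detail['employee']} customer={detail['customer']}")
```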