Disable insecure tenant defaults

paul14 · August 14, 2023, 3:39pm

Feature: Provide a short title of your feature request/feedback.
Disable these insecure tenant defaults:

Default Username-Password-Authentication database’s configuration that allows sign-ups.
Default Social Connection Google/Gmail that allows any gmail user to log into all tenant applications (new applications are automatically connected as well)

Description: Give us some details about your feedback/feature request. Examples, screenshots, videos, etc. are helpful.
The two tenant defaults listed above are insecure as they allow automatic access by default and must be manually deactivated before a tenant can be safely used. These defaults may be helpful for a test or POC Auth0 tenant but are a security hazard for anything more.

Perhaps the ability to quickly enable those settings for a test or POC Auth0 tenant would be good for many Auth0 customers but this is a dangerous default to apply to all tenants.

I configure Auth0 tenants via Terraform for consistency and convenience. I am currently unable to handle these insecure defaults via Terraform and need to manually go in and correct these insecure defaults. I have this step written in a playbook to avoid forgetting but this is an unfortunate “sharp corner” that can result in a major security incident if done wrong. To be clear, I do not think that allowing Terraform to easily deactivate these defaults is the best scenario. Insecure settings should be an opt-in, not an opt-out. I believe this is especially true for any software that sits in the “Security” space.

Use-case: Tell us what you are building. How would the feedback/feature improve your experience?
This change would prevent us from inadvertently exposing data to essentially unauthorized individuals.

dan.woda · August 16, 2023, 1:21pm

Hi @paul14,

Welcome to the Auth0 Community!

Thanks for the thorough feedback request.

paul14 · August 16, 2023, 2:19pm

Thanks @dan.woda, what are your thoughts on the subject? Can you advise on what the steps to realize these changes would be?

dan.woda · August 16, 2023, 2:29pm

Feedback from the Community generally needs some critical mass (in the form of Votes, comments, etc.) for it to reach one of our product managers. If you have an enterprise account, I would also suggest providing the feedback to your account manager.

As far as my thoughts, I think it makes sense what you’re describing and is certainly valid feedback.

carl.adams · January 17, 2024, 11:55pm

I too think there are terrible defaults, and manage my tenants with terraform. I really want my default tenants empty, not configured with resource that I have to terraform import or delete.

j.krabs · January 18, 2024, 7:26am

I agree on that. I also had to delete these default connections in the past manually. As @paul14 described: opt-in would be the better solution that opt-out

dan.woda · January 19, 2024, 7:42pm

Thanks for the additional feedback all.

Topic		Replies	Views
Disable Username-Password-Authentication for an Auth0 application Help connections , regular-database-connections	5	2807	February 27, 2023
Use HashiCorp Terraform to Manage Your Auth0 Configuration Blog Discussions	38	8805	August 5, 2024
Using terraform to create auth0_connection Help auth0 , connections	3	3309	September 22, 2023
Passkey Terraform Config Help connections , regular-database-connections	6	642	December 26, 2023
Disable google-oauth2 in Terraform Help configuration , application	0	904	June 27, 2023

Disable insecure tenant defaults

Related topics