Feature: Provide a short title of your feature request/feedback.
Disable these insecure tenant defaults:
- Default Username-Password-Authentication database's configuration that allows sign-ups.
- Default Social Connection Google/Gmail that allows any Gmail user to log into all tenant applications (new applications are automatically connected as well).
Description: Give us some details about your feedback/feature request. Examples, screenshots, videos, etc. are helpful.
The two tenant defaults listed above are insecure as they allow automatic access by default and must be manually deactivated before a tenant can be safely used. These defaults may be helpful for a test or POC Auth0 tenant but are a security hazard for anything more.
Perhaps the ability to quickly enable those settings for a test or POC Auth0 tenant would be good for many Auth0 customers but this is a dangerous default to apply to all tenants.
I configure Auth0 tenants via Terraform for consistency and convenience. I am currently unable to handle these insecure defaults via Terraform and need to manually go in and correct these insecure defaults. I have this step written in a playbook to avoid forgetting but this is an unfortunate “sharp corner” that can result in a major security incident if done wrong. To be clear, I do not think that allowing Terraform to easily deactivate these defaults is the best scenario. Insecure settings should be an opt-in, not an opt-out. I believe this is especially true for any software that sits in the “Security” space.
Use-case: Tell us what you are building. How would the feedback/feature improve your experience?
This change would prevent us from inadvertently exposing data to essentially unauthorized individuals.
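As an added example that is not part of the original post, the following audit flags the two tenant defaults the request describes from a list of connection records. It assumes the record shape of the Auth0 Management API v2 `GET /api/v2/connections` response (`name`, `strategy`, `options.disable_signup`, `enabled_clients`); the sample data is constructed and the tenant's full client list is passed in separately.

```python
# Added example, not from the post: audit Auth0 connection records for the two
# insecure tenant defaults (open database sign-up, Google enabled for every app).
# Record shape assumed from the Management API v2 /api/v2/connections response;
# the sample data below is constructed. This is a point-in-time check, so it
# must be re-run after new applications are created.
from typing import Iterable


def audit_connections(connections: Iterable[dict], all_client_ids: Iterable[str]) -> list[str]:
    """Return one finding string per insecure default present in the connection list."""
    findings = []
    client_ids = set(all_client_ids)
    for conn in connections:
        name = conn.get("name", "<unnamed>")
        strategy = conn.get("strategy")
        options = conn.get("options") or {}
        enabled = set(conn.get("enabled_clients") or [])
        # Finding 1: a database connection whose sign-up page is still open.
        if strategy == "auth0" and not options.get("disable_signup", False):
            findings.append(f"{name}: database connection allows public sign-up")
        # Finding 2: a Google social connection enabled for every application in the tenant.
        if strategy == "google-oauth2" and enabled and client_ids <= enabled:
            findings.append(f"{name}: Google connection enabled for all {len(enabled)} applications")
    return findings


SAMPLE_CLIENT_IDS = ["app_web", "app_api", "app_new"]  # constructed tenant client list
SAMPLE_CONNECTIONS = [  # constructed, shaped like the Management API response
    {"name": "Username-Password-Authentication", "strategy": "auth0",
     "options": {"disable_signup": False}, "enabled_clients": ["app_web", "app_api", "app_new"]},
    {"name": "google-oauth2", "strategy": "google-oauth2",
     "options": {}, "enabled_clients": ["app_web", "app_api", "app_new"]},
    {"name": "corp-db", "strategy": "auth0",
     "options": {"disable_signup": True}, "enabled_clients": ["app_web"]},
]

if __name__ == "__main__":
    for finding in audit_connections(SAMPLE_CONNECTIONS, SAMPLE_CLIENT_IDS):
        print("INSECURE:", finding)
```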