Hello,
I am currently using Auth0 on my React app with email/password connection.
But as far as I can see, the password is sent in plain text to Auth0 for the login.
Is there a possibility to encrypt it?
Thanks in advance for your answer
Hey there Yanis!
It seems strange to be honest! Can you tell me which stack exactly you use?
I am currently using React.js with axios to make a request to the auth0 login.
My request looks like:
```js
import Axios from "axios";

// Resource Owner Password (password-realm) grant against the tenant's /oauth/token endpoint
const ret = await Axios.post(`https://${config.authentication.domain}/oauth/token`, {
  realm: "Username-Password-Authentication",
  audience: config.authentication.audience,
  client_id: config.authentication.clientId,
  scope: "openid email name profile",
  grant_type: "http://auth0.com/oauth/grant-type/password-realm",
  username: values.email,
  password: values.password,
});
```
As you can see, my password is currently sent without being encrypted right now.
But now I want it encrypted when sent, to be more secure. And when I tried to see if I can decrypt it on the auth0 side, I didn't find any way to do it.
Any related updates yet?
Hi all,
I believe this is a misconception. Traffic goes via HTTPS, which, as per its spec, encrypts Application Data between the client and the server. Nothing is sent in plaintext.
Now, in the example that @yanis provided, the password is one of the values that they are providing to Axios so that it can send to the relevant endpoint. It has to be declared that way in the application because, otherwise, how would Axios know that’s the password it has to send to the server?
Here, the security lies in the fact that the communication is done directly between the client and the server with no middleman (such as a proxy, or a browser), and the client sends the information directly to the server via HTTPS, which requires encryption.
Let me know if this helps.
When using a sniffer on the mobile device to capture the network traffic, it can capture the authentication data sent to auth0 (username and password). Is there any way to prevent this from happening?
What you are seeing there is the unencrypted network traffic, which is displayed because you are the source of the communications. This is displaying what you are sending for debugging/troubleshooting purposes.
I don’t think there’s a way to prevent this.
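The two points made above (the password travels in the request body and only TLS protects it; what a local sniffer or debug console shows is your own pre-encryption traffic) can be made concrete in the client code. The following is an added example, not code from this thread or from Auth0's SDKs: it builds the same password-realm token request, refuses a tenant domain that is not a bare hostname (so the credentials cannot be pointed at another origin or an http:// URL), and produces a redacted copy of the body for any logging. The names `buildPasswordRealmRequest` and `redactForLogging` are this example's own, and the sample values are constructed.

```javascript
"use strict";

const PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm";
// Fields that must never reach a console, crash report or log sink.
const SECRET_FIELDS = new Set(["password", "client_secret", "refresh_token"]);

// Builds the /oauth/token request from the post above, but only ever
// against an https:// URL on the configured tenant domain.
function buildPasswordRealmRequest(config, values) {
  // Only a bare hostname is accepted: a scheme, path or query in the
  // "domain" setting could send the credentials somewhere else.
  if (typeof config.domain !== "string" || !/^[a-z0-9][a-z0-9.-]*$/i.test(config.domain)) {
    throw new Error("domain must be a bare hostname such as tenant.eu.auth0.com");
  }
  const url = new URL(`https://${config.domain}/oauth/token`);
  const body = {
    realm: "Username-Password-Authentication",
    audience: config.audience,
    client_id: config.clientId,
    scope: "openid email name profile",
    grant_type: PASSWORD_REALM_GRANT,
    username: values.email,
    password: values.password, // cleartext in the body; TLS is its only protection on the wire
  };
  return { url: url.href, body };
}

// Returns a copy of the request body that is safe to print or log;
// the original object is left untouched for the actual POST.
function redactForLogging(body) {
  const out = {};
  for (const [key, value] of Object.entries(body)) {
    out[key] = SECRET_FIELDS.has(key) ? "[REDACTED]" : value;
  }
  return out;
}

// Constructed sample configuration and credentials (placeholders, not real values).
const sampleConfig = { domain: "example-tenant.auth0.com", audience: "https://api.example", clientId: "CLIENT_ID_PLACEHOLDER" };
const sampleValues = { email: "user@example.com", password: "constructed-sample-password" };
const { url, body } = buildPasswordRealmRequest(sampleConfig, sampleValues);
// The real call would be Axios.post(url, body); only the redacted copy is logged.
console.log("POST", url, redactForLogging(body));
```

Even with these checks the password is still readable by anything running on the client before TLS, which is exactly what a local sniffer or debugger on the device is showing.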
Hello
Thanks for your clarification that the password shall be encrypted through the wire.
However, in case there is malware / malicious software on the client, it can read the clear text password before it is encrypted.
Wonder if any resolution for this situation?
Hello, @aahmedbahgatt,
I apologize - I just read your response.
This would be something that would be outside of our control, and is one of the risks of having a browser between the user and Auth0. This is something outside of our control.
Are there any updates on this?