Encrypt password with email/password login

yanis · April 9, 2020, 8:41am

Hello,

I am currently using Auth0 on my React app with email/password connection.
But as far as I can see, the password is send in plain text to Auth0 for the login.

Is there a possibility to encrypt it ?

Thanks in advance for your answer

konrad.sopala · April 9, 2020, 11:32am

Hey there Yanis!

It seems strange to be honest! Can you tell me what stack exactly do you use?

yanis · April 9, 2020, 2:49pm

I am currently using React.js with axios to make a request to auth0 login.

My request look like:


const ret = await Axios.post(`https://${config.authentication.domain}/oauth/token`, {
        realm: "Username-Password-Authentication",
        audience: config.authentication.audience,
        client_id: config.authentication.clientId,
        scope: "openid email name profile",
        grant_type: "http://auth0.com/oauth/grant-type/password-realm",
        username: values.email,
        password: values.password,
});

As you can see, my password is currently send without be encrypted right now.
But now, I want it encrypted when sent to be more secure. And when I tried to see if I can decrypt it on auth0 side, I didn’t find any way to do it.

se.ahmedelsayed · September 20, 2020, 8:27pm

Any related updates yet?

joseantonio.rey · September 20, 2020, 10:25pm

Hi all,

I believe this is a misconception. Traffic goes via HTTPS, which, as per its spec, encrypts Application Data between the client and the server. Nothing is sent in plaintexet.

Now, in the example that @yanis provided, the password is one of the values that they are providing to Axios so that it can send to the relevant endpoint. It has to be declared that way in the application because, otherwise, how would Axios know that’s the password it has to send to the server?

Here, the security lies on the fact that the communication is done directly between the client and the server with no middleman (such as a proxy, or a browser), and the client sends the information directly to the server via HTTPS, which requires encryption.

Let me know if this helps.

se.ahmedelsayed · September 25, 2020, 4:25pm

When using sniffer on the mobile device to captures the network traffic, it can capture the authentication data sent to auth0 (username and password). Is there any way to prevent this from happening?

joseantonio.rey · September 25, 2020, 4:27pm

What you are seeing there is the unencrypted network traffic, which is displayed because you are the source of the communications. This is displaying what you are sending for debugging/troubleshooting purposes.

I don’t think there’s a way to prevent this.

aahmedbahgatt · October 5, 2020, 6:45am

Hello

Thanks for your clarification that the password shall be encrypted through the wire.

However, in case there is a maleware / malicious software on client, it can read the clear text password before being encrypted.

Wonder if any resolution for this situation?

joseantonio.rey · November 19, 2020, 3:10am

Hello, @aahmedbahgatt,

I apologize - I just read your response.

This would be something that would be outside of our control, and is one of the risks of having a browser between the user and Auth0. This is something outside of our control.

jaykumar · August 3, 2023, 1:25pm

Is there any updates on this.