How is this secure?

I was surprised to find that users could sign up and immediately gain full access to the app, which effectively means that auth0 is offering zero security.
Is there a way to prevent a user that signs up from using the app until they are authorized by someone within the company? Otherwise I don't see the point of auth0.

It’s not zero security. Just because you can immediately sign up to facebook, does not mean you get full access to facebook and read everyone’s private messages.

What a user can and cannot access in the app is entirely up to the application API that is verifying the access token. So the developers of your own API are responsible for this.

What you are probably looking for is scopes / permissions, and auth0 fully supports them. This means that auth0 adds the appropriate permissions to the access token according to RBAC, and the API accepts or rejects a request depending on the existence of the relevant permissions in the token.

So in short, if you have a resource to protect, you put it under a scope / permission, and the user can only access the resource after you assign them the relevant permission (using the auth0 dashboard or management API).

OK, but I don't use an API, just an application. It appears that scopes are only available with APIs. Seems like quite an oversight: no security for single page applications.
I guess I will have to add security to the app itself, in which case I really don't see what value auth0 is adding, apart from email verification.

How exactly do you plan to use a single page application without an API?
I think your understanding of how web apps work is incomplete.

Please can you explain why API and Applications are separated, when you say an API is a must for an Application? I don't mean to disagree, but I want to know the rationale for letting people create an Application without an API.

When you create an application in auth0, you are presented with 4 options (Native, SPA, Regular, M2M). The SPA is obviously “A JavaScript front-end app that uses an API”.

A single page application has no inherent security, and without a backing API it’s just a toy, not a useful application, so using auth0 would obviously be absurd.

I have an application that has a server side and a JavaScript GUI, which talks to the server over a websocket. I chose a SPA because it is an application that has a single page. I send the access token to the server, which checks it via a REST call to auth0. The problem is that auth0 verifies it as a valid user, so that user then gains complete access even though they have just signed up without being verified by us.

Yes, I don't disagree. auth0 have taken convoluted to the next level; if after using it for two years I still don't understand it, I would say that they have an over-complicated product lacking clear documentation.

I admit it took me a few months to fully understand auth0 concepts, but after that it’s a charm to use.

That's where your problem lies. The server is the API, and it's the server's responsibility to validate the token and grant or deny access to the user. Exactly as I explained here: How is this secure? - #2 by dorin.clisu

If you are not the developer of the server/API, then there is NOTHING you can do. Because, as I explained, it's not the responsibility of the frontend developer but the responsibility of the backend developer, and in your case they also probably need to do some more reading about auth0.

My question is not answered

It's a shame that it takes months to understand. In just a few hours/days one can use the Spring Security API.

If there is proper documentation, then that is enough. So many links, so much configuration... doing without understanding... names like Auth Pipeline... Extension... without a workflow is awful.

I am not an OAuth2 expert, so I can't give an authoritative answer on why API is separate from Application. Most likely the reason is to prevent you from doing something stupid.

Security is hard and complex, so any solution that is too simple probably suffers from multiple known or unknown vulnerabilities.

It sounds like right now you are only using Auth0 for authentication but not authorization. You are giving every authenticated user full access to your app. You need to implement authorization in your app; Auth0 can't do that for you. It can tell you who a user is and what they are allowed to do via the scopes they have, but you need to look at what they are doing and check whether it is in the list of scopes.

You could secure your server with scopes that are assigned to user groups and then add the user to the appropriate group after you verify them.
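As an added example (not code from this thread or from Auth0), this shows the split that the second post and the post above both describe: the API verifies the access token (authentication) and then checks the `permissions` claim for the specific permission the request needs (authorization), so a freshly signed-up user with no permissions is rejected even though their token is valid. It assumes a constructed HS256 secret and a hypothetical audience so that it runs offline; real Auth0 access tokens are RS256-signed and verified against the tenant's JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret. Real Auth0 access tokens are RS256-signed and verified
# against the tenant's JWKS; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret"
AUDIENCE = "https://api.example.invalid"  # hypothetical API identifier (audience)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, permissions: list, secret: bytes = DEMO_SECRET) -> str:
    """Construct a token shaped like an Auth0 RBAC access token (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "aud": AUDIENCE, "exp": int(time.time()) + 3600,
              "permissions": permissions}
    signing_input = header + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Authentication step: check signature, audience and expiry, return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def authorize(token: str, required: str) -> bool:
    """Authorization step: a valid token grants nothing by itself; the API checks
    that the permission this request needs is actually present in the token."""
    try:
        claims = verify_token(token)
    except ValueError:  # covers malformed base64/JSON and every check above
        return False
    return required in claims.get("permissions", [])
```

A user who has just signed up gets a token with an empty `permissions` list and is rejected until someone assigns the permission (in Auth0, via the dashboard or the Management API) and they log in again.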

Yes, but Auth0 has nothing to do with this. When your app backend detects a "new user" (which you should be able to do), you limit access to the app. When someone validates that user, a flag or authentication level on the backend is set for that user. The next time that user uses the app, the app logic (permissions) allows that user to access those portions of the app they are allowed to access.

This is not an Auth0 problem. Auth0 doesn’t provide app security (permissions), it provides user authentication. Anything else is up to the app to provide.

Apologies, I was commenting based on my experience too. When I say Spring, we are building it, but the assumption is that Auth0 is ready-made. If we have to learn the internals, it's definitely difficult.