Is it secure? Using rule context to add external service access token

Hey folks, I need to attach to my user’s info/context an extra connection token to access an external service, in this case, FaunaDB. So, I think Auth0 rules are great for this purpose but I don’t know how safe it is. Here is a code sample of how I’m thinking of doing that:

// Auth0 rule: runs after the user has authenticated, before the tokens are issued
async function (user, context, callback) {
  try {
    // createFaunaDBToken() is assumed to be defined elsewhere in the rule;
    // it mints a FaunaDB token for the logged-in user
    const token = await createFaunaDBToken();

    // Namespaced custom claim carrying the FaunaDB secret in the ID token
    context.idToken['https://db.fauna.com/secret'] = token.secret;

    callback(null, user, context);
  } catch (error) {
    // Passing an error to the callback fails the login
    callback(error, user, context);
  }
}

Is this safe? If it is not, how should I attach a token to the user?

Thanks!


Short answer: I don’t know. This sounds fairly complex from a security perspective, so I cannot comment.

But I did notice you are putting the extra token in the ID token. I think that should be in the access token. But again, I cannot comment on the security of this - it really needs a security review.

John

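As an added example (not code from this thread), here is the rule from the question with the custom claim moved onto the access token, as John suggests, and the token-minting step injected so the rule can be exercised without FaunaDB. `mintFaunaToken` is a hypothetical helper; a real rule would call the FaunaDB client with a key read from the rule `configuration` object.

```javascript
// Custom claims in Auth0 tokens must be URL-namespaced or they are dropped.
const CLAIM = 'https://db.fauna.com/secret';

// Copies the FaunaDB secret onto the access token claims only, never the ID token.
function attachFaunaSecret(context, token) {
  if (!token || typeof token.secret !== 'string' || token.secret.length === 0) {
    throw new Error('FaunaDB token has no secret');
  }
  context.accessToken = context.accessToken || {};
  context.accessToken[CLAIM] = token.secret;
  return context;
}

// Builds the Auth0 rule: async function (user, context, callback).
// mintFaunaToken(user) is the hypothetical helper that talks to FaunaDB.
function makeRule(mintFaunaToken) {
  return async function rule(user, context, callback) {
    try {
      const token = await mintFaunaToken(user);
      attachFaunaSecret(context, token);
      callback(null, user, context);
    } catch (error) {
      // Failing the callback fails the login, so no token is issued without a DB secret
      callback(error, user, context);
    }
  };
}

// Runs a rule against a constructed context and resolves with the callback result.
function runRule(rule, user) {
  const context = { idToken: {}, accessToken: {} };
  return new Promise((resolve) => {
    rule(user, context, (err, u, ctx) => resolve({ err, context: ctx }));
  });
}

// Constructed stub standing in for real FaunaDB token minting (no network).
async function stubMint(user) {
  return { secret: `constructed-secret-for-${user.user_id}` };
}
```

Whichever token carries the claim, a JWT is only base64-encoded, so anything that can read the token in the browser can read the FaunaDB secret too.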

Do you know what the differences are between using ID Tokens or Access Tokens from a rule? Do you know someone who can help us solve these questions?

Hi @BrunoQuaresma,

Can you give a bit more information about your setup? What OAuth2 flow are you using, and what type of application is it on your end? A SPA (Single Page Application) without a backend, or one with a backend? Stateless or stateful client?

to access an external service, in this case, FaunaDB

Also, where would this connection be established from? Your frontend or your backend?

General difference between ID and Access Tokens: https://auth0.com/docs/tokens
The way they’re accessed in a Rule though and how custom claims get access is the same.


Hey Mathias,

Currently I’m not using a specific OAuth flow. I just have a SPA (a React app) that connects directly to FaunaDB (FaunaDB has its own authN and authZ system). Initially, I would like to use Auth0 to sign up/in my users using the email/password provider and later add other providers like Facebook, Google, etc.

What I’m trying to do is sync the user base on Auth0 with the one in FaunaDB, so I can generate FaunaDB tokens for these users. What I currently have is:

  • A hook for the sign up to save the users on FaunaDB as well.
  • A rule to attach the FaunaDB token (this token can be used to query the user data in the database) related to that user on the sign in context.

My main question is on the last one. I would like to check if passing this info on context is secure enough for this scenario.

Thanks!

@mathiasconradt thoughts?