Management API /dbconnections/signup doesn't require ClientID

I’m testing out the Management API for user signup process and I’ve observed two disturbing issues about it. First, even if I don’t specify client_id parameter, it still works and a new user is created. This seems to be opposed to what’s stated in the docs (Authentication API Explorer), where client_id is marked as required. Is it the expected behaviour?

Secondly, I’m a bit worried about the fact that this API can be simply called by anyone in a bulk, as it’s not secured by any authentication. This means, that in theory anyone can spam our user DB (e.g. via curl). My question - do you block such suspicious bulk API requests, like by some throttling or other mechanisms?

Hi @mklosinski and welcome back to Auth0 Community!

I had a chance to confirm the behavior you mentioned and have brought it up internally as to why successful signups can occur without specifying client_id.

Here’s a link to our rate limit policy including the Authentication API which should provide some information on how we mitigate abuse of that API.

I’ll be in touch once I know a bit more concerning that endpoint.

Best,
Colin

Hi @colin.coutts,
Passing an empty client_id when posting to the dbconnections/signup endpoint is still creating users.
Any word on this?
Also, Is there any plan to put any authentication mechanism on this endpoint? eg ip whitelist, oauth, etc?

Steve

Hi @sandrews thanks for your question and welcome to the Auth0 Community :slightly_smiling_face:

I know this was getting discussed internally, and I’ve reached out to see what evaluations have been made concerning that behavior.

To my knowledge there are no plans on adding extra authentication to that endpoint, and for that reason enforcing a client_id on /signup wouldn’t add any further security. If you’re interested in restricting signup, we recommend protecting it some other way and to disable signups on the database connection, then write your own endpoint that can call the Management API.

I’ll let you know once I’ve received further updates regarding the client_id not being required however.

Best Regards,
Colin

I just touched base with the engineer I was working with on this, and the determination was that the client_id will not be required for user creation. This is because our users are bound to a connection and not an application, the client_id in the user entity is the global client_id for the tenant.

When you do provide the client_id there is a check performed to ensure it is enabled for the provided connection. It’s a common pattern used by customers to implement rule and application logic that changes the app behavior based on specific client_id 's.

The docs team has been made aware of this and it’s been added to their queue to remove the required next to the client_id.

Thanks,
Colin