Protecting the back end API that is being called from Auth0 rules/hooks


I am calling a back end API to populate the claims during the login, that will be added in the Auth0 access token.
Are there any standard ways to protect my back end API? (Certificate, Client credentials, IP protection etc.) - can’t see any documentation on this aspect - especially the configuration/script to be done in Auth0 tenant or the rule.
I do not prefer to leave the claims end point open.

Appreciate any inputs on this.

Thanks, Selva

You can use basic auth or an API key (really up to you / your API) and add it to the request in your rule. In face, you can implement anything that Node.js allowed, therefore it’s really up to that API to decide how to protect itself, and therefore isn’t documented in Auth0, as it’s out of scope.

You’d put the credentials as key/value pair into the Rules settings (Dashboard > Rules > Settings at the bottom of the page) and then reference them accordingly in the Rule.

1 Like

Hi @mathiasconradt
Thanks for your inputs. Basic authentication will not be approved. I can do with client credentials auth. by getting a token from Auth0. But then i need to maintain it in the cache and renew only when the token expires.
Does Auth0 support client certificate authentication as its only between the back end systems?
Can i upload a client certificate and use it when making calls to my back end?

Thanks, Selva

Hi @Selva,

Can i upload a client certificate

there isn’t a way to upload a file to Auth0, but I believe you should be able to put it into the key/value rules settings base64 encoded, than decode it in the rule and use it from there in the request (instead of reading it from a file system via ca: fs.readFileSync('ca-crt.pem') as usual). Haven’t tested it myself and not sure which Node function that would be out of my head.

1 Like