Safe to share JWK URL with multiple clients?

Hello,

I would like to know if it is safe to allow multiple clients to use and have access to the same jwk_url.

Context:
My company is creating something which requires deploying several Hasura instances. One of these is our “Core” Hasura instance, and the rest are different “Client” Hasura instances for the several projects of different organizations. These client instances can be managed/hosted by our clients too (which means they can see the deployments’ env vars/secrets, because they may own it).

We’re currently using the built-in HASURA_GRAPHQL_JWT_SECRET env var when deploying all the Hasura instances, as per this official Auth0 + Hasura JWT auth documentation: Auth0 | Hasura Authentication Tutorial.
The values for this env var have the format `{"jwk_url":"https://TENANT-ID.REGION.auth0.com/.well-known/jwks.json","type":"RS256"}`.

Ideally, we would have a single Auth0 Tenant that handles all Client Hasura instances; however, we are concerned that this would not be secure, because every Client Admin would have access to this single, shared value.

Currently, we’re manually creating a new Tenant for each Client Hasura deployment, because we were concerned that using this env var (link) value across different projects/organizations was safe security-wise.

If this is, in fact, unsafe, is there a way that we could authenticate several unrelated organization projects (Client Hasura instances, in our case) without having to create new tenants for each?

Hi Scott 🙂

The jwks endpoint associated with an Auth0 Tenant - see here for further details - is a publicly accessible resource that typically requires no specific authorisation. As such it is generally accessible by anyone and, as the aforementioned documentation describes, it defines the set of public keys for validating tokens signed using the RS256 algorithm. Sharing this endpoint will typically have no consequences from a security perspective; by implication it’s publicly accessible by anyone whether explicitly shared or not. However, consumers should always act responsibly and strive to cache the information returned rather than constantly accessing the endpoint in an indiscriminate manner. For implementations that utilise Auth0 SDK(s), jwks endpoint caching is typically handled automatically.

Hope this helps.


Hey Peter,
Thanks for the prompt reply! My understanding of your response is that this URL is expected to be public and therefore it’s not a security risk to allow various individuals to know it. This is super helpful for us, appreciate it!

