I’m adding support for user self-administration via our existing API. I’m not too worried about a user updating their username or email (even email is shaky), but I’m unclear on how to safely allow a user to change their password or delete their account. Yes, they need a valid API token, but that’s not hard for a hacker to acquire, and then all you need is a valid Auth0 user ID. Is there a way to require their password as well, for such operations?
Scenario is: user wants to change their email, username, password, or delete their account in a mobile app. Mobile app asks our API to do the work, API uses machine-machine token to Auth0 Management API to oblige.
Any advice for securely providing access to Management functions via a machine-to-machine client API? Thanks!
Why do you say a valid API token is not hard for a hacker to acquire? That sounds like a problem to me. You should protect your M2M credentials just like regular credentials.
For changing user info, the user should be authorized, perhaps even step-up auth (reentering password or MFA), and the API should verify the user is authorized.
Thanks for the response. I was being stupid – of course I can simply have the API check that the sub in the token matches the user we want to administer, and then we can securely say any valid user can manage only their own account.
Step-up auth would be a nice additional step, thank you!
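The check agreed on above (token subject must equal the account being managed, plus a recency requirement for password changes and deletions), as an added example that is not code from the thread or from Auth0. It assumes the access token was already verified by a JWT library and its decoded claims are passed in; `auth_time` being present in the token and the 300-second step-up window are assumptions, and `management_call` is a hypothetical stand-in for the Management API client.

```python
import time
from typing import Optional, Tuple

# Assumed policy values, not from the thread.
STEP_UP_MAX_AGE = 300              # seconds since last authentication
SENSITIVE_OPS = {"change_password", "delete_account"}


def authorize_self_admin(claims: dict, target_user_id: str, operation: str,
                         now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether this token may perform `operation` on `target_user_id`.

    Rule 1: the token's subject must be the account being managed, so a
    stolen token plus someone else's user ID is not enough.
    Rule 2: password changes and deletions additionally require a recent
    authentication (step-up), checked via the auth_time claim (assumed present).
    """
    now = time.time() if now is None else now
    sub = claims.get("sub")
    if not sub or sub != target_user_id:
        return False, "subject mismatch"
    if operation in SENSITIVE_OPS:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > STEP_UP_MAX_AGE:
            return False, "step-up authentication required"
    return True, "ok"


def handle_self_admin(claims, target_user_id, operation, management_call, now=None):
    """API handler: authorize first; only then spend the M2M credential."""
    allowed, reason = authorize_self_admin(claims, target_user_id, operation, now)
    if not allowed:
        return {"status": 403, "error": reason}
    # management_call is a hypothetical wrapper around the Management API client.
    management_call(target_user_id, operation)
    return {"status": 200}


# Constructed sample claims: Alice's token, evaluated at T0, last login 10 minutes earlier.
T0 = 1_700_000_000
ALICE_CLAIMS = {"sub": "auth0|alice", "auth_time": T0 - 600, "exp": T0 + 3600}

if __name__ == "__main__":
    print(authorize_self_admin(ALICE_CLAIMS, "auth0|bob", "change_email", now=T0))
    print(authorize_self_admin(ALICE_CLAIMS, "auth0|alice", "delete_account", now=T0))
```

Where the token lacks `auth_time`, the same shape works with whatever the issuer provides to signal a fresh login (for example an MFA indicator); the point is that the API, not the client, enforces both rules before touching the Management API.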