Sanitizing HTTP Traces

Problem statement

For troubleshooting purposes, Auth0 Support may request an HTTP trace file (for example, Chrome's .HAR export, or SAMLTracer, Fiddler, or ZAP output) to see the authentication flow. An HTTP trace records every detail of the requests and responses: the data exchanged, the server's replies and, where they are present in the authentication exchange, passwords, session tokens, cookies, and other confidential information. For security reasons, you must remove all Personally Identifiable Information (PII) and replace authentication details such as API keys, secrets, cookie values, and passwords with a placeholder value in the HTTP trace file before sending it to Auth0 Support.

When should I sanitize the HTTP Trace file?

Regardless of the product, exchange, or flow, you should always sanitize the HTTP trace files before sending them to Auth0 support. This applies universally to all Okta offerings, including any and all products and services.

What should be removed?

Any confidential information including, but not limited to, cookies, tokens, secrets, verification codes, ID Tokens, and any form of PII in compliance with laws and regulations.

Solution

How to remove PII and confidential information?

No matter which tool you use, HTTP Trace files are typically saved as plain text.

For HAR and SAMLTracer file sanitization, follow the process described in How to Sanitize an HTTP Trace File Automatically.

For other HTTP trace files, or if the upload to the Case fails, use these steps to manually sanitize the HTTP trace:

  1. Open the file with a text editor
  2. Examine its contents thoroughly
  3. Replace all the values that contain PII or confidential information with “REDACTED”

For reference, you can use your text editor to search for the following keywords.

Please note that this list is not exhaustive, and there may be other pertinent terms to consider. Furthermore, a specific keyword or value might appear multiple times within the file, so ensure you review all instances.

Ensure your search is case-insensitive; for instance, ‘Authorization’ should match ‘authorization’, ‘AUTHORIZATION’, and any other variations in capitalization.

  • state
  • shdf
  • usg
  • password
  • email
  • code
  • code_verifier
  • client_secret
  • client_id
  • token
  • access_token
  • refresh_token
  • authenticity_token
  • id_token
  • appID
  • challenge
  • facetID
  • assertion
  • fcParams
  • serverData
  • Authorization
  • auth
  • Bearer
  • key
  • pem
  • rsa
  • dsa
  • ecdsa
  • signature
  • passkey

NOTE:

If you choose to utilize open-source or commercial tools for HAR file sanitization, it is essential to exercise diligence in selecting all relevant secret types. It’s important to note that these tools can’t offer an absolute guarantee of complete sanitization of HAR files or any other HTTP trace files for Auth0 products.

Despite selecting all available secret types through the tool’s interface, it is possible for these tools to overlook sensitive information for various reasons, including but not limited to:

  • Limitations in recognizing specific MIME types
  • A focus on headers that misses sensitive data located in the request or response body
  • Keyword discrepancies, so that a value stored under an unexpected parameter name is skipped

How to Share a Manually Redacted HTTP Trace with Okta

  1. Use the Support Portal and upload the attachment to an existing Case or a new Case.

NOTE: Do not send emails with HTTP traces attached; an emailed trace is not sanitized.

Disclaimer: While Okta will attempt to identify sensitive data for you, you acknowledge that it is your responsibility, and not Okta’s, to identify sensitive data in HAR files that you want to be redacted.

Examples

Sanitizing a HAR file

After generating the .har file, open it in any text editor and examine the content thoroughly to find PII and confidential information (you can use the provided sample list of keywords as a guide).

For each value, replace it with "REDACTED". Keep in mind that the same value usually appears in more than one place in a HAR entry: a cookie value is in the cookies array and again in the Cookie or Set-Cookie header, and an authorization code or state value is in the request URL, the queryString array, the Location header and the redirectURL field. Redact every copy, not just the first match. Examples of what common secrets look like are provided below.

  • Sample Password Content:
    "headersSize": -1,
    "bodySize": 842,
    "postData": {
      "mimeType": "application/json",
      "text": "{\"client_id\":\"2EChpLzf19htxiCv1D6j1S9j5hVBU\",\"redirect_uri\":\"http://localhost:3000\",\"tenant\":\"my-tenant\",\"response_type\":\"code\",\"scope\":\"openid profile email\",\"connection\":\"Username-Password-Authentication\",\"username\":\"REDACTED\",\"password\":\"REDACTED\",\"response_mode\":\"query\",\"audience\":\"https://my-api\",\"protocol\":\"oauth2\"}"
    }
  • Sample Cookie Content:
    "cookies": [
      {
        "name": "auth0",
        "value": "REDACTED",
        "path": "/",
        "domain": "my-tenant.us.auth0.com",
        "expires": "2023-10-29T16:02:35.000Z",
        "httpOnly": true,
        "secure": true,
        "sameSite": "None"
      },
      {
        "name": "auth0_compat",
        "value": "REDACTED",
        "path": "/",
        "domain": "my-tenant.us.auth0.com",
        "expires": "2023-10-29T16:02:35.000Z",
        "httpOnly": true,
        "secure": true
      }
    ],
  • Sample Token Content:
    "content": {
      "size": 2094,
      "mimeType": "application/json",
      "text": "{\"access_token\":\"REDACTED\",\"id_token\":\"REDACTED\",\"scope\":\"openid profile email\",\"expires_in\":10000,\"token_type\":\"Bearer\"}"
    },
    "redirectURL": "",
    "headersSize": -1,
    "bodySize": -1,
    "_transferSize": 2104,
    "_error": null
    ...
  }

Go through the HAR file once again to make sure everything is redacted properly. Submit the sanitized .har file (without secrets) to Okta Support.

Sanitizing SAMLTracer Output

After getting the SAML requests and responses from SAMLTracer, go through the entire exchange and redact all PII and confidential values. SAMLTracer shows the decoded XML, but in a HAR or other raw trace the same message is a base64-encoded SAMLRequest or SAMLResponse form parameter (deflated as well for the HTTP-Redirect binding), so a keyword search of the raw file will not find the NameID or attribute values inside it: decode the parameter before reviewing it, or redact the whole parameter value.

In the example below, we have redacted key values from an assertion in the SAML response: the digest and signature values and the user's attribute values. The X509Certificate is the identity provider's public signing certificate and is not a secret.

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="id304067580046759701759203951"
                 IssueInstant="2017-02-02T03:13:05.114Z"
                 Version="2.0"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 >
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                  >http://www.orgname.okta.com</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#id304067580046759701759203951">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
                                                PrefixList="xs"
                                                />
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>REDACTED</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>REDACTED</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDpDCCAoygAwIBAgIGAVVfq86GMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG...</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="_2b16caecb21804d0271c7b45734978a31b122c0b9a"
                                           NotOnOrAfter="2017-02-02T03:18:05.114Z"
                                           Recipient="http://localhost:8888/simplesamlphp/www/module.php/saml/sp/saml2-acs.php/example-okta-com"
                                           />
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-02-02T03:08:05.114Z"
                      NotOnOrAfter="2017-02-02T03:18:05.114Z"
                      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                      >
        <saml2:AudienceRestriction>
            <saml2:Audience>http://localhost:8888/simplesamlphp/www/module.php/saml/sp/metadata.php/example-okta-com</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2017-02-02T03:13:05.114Z"
                          SessionIndex="_2b16caecb21804d0271c7b45734978a31b122c0b9a"
                          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                          >
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Attribute Name="FirstName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >REDACTED</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="LastName"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >REDACTED</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="Email"
                         NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
                         >
            <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                  xsi:type="xs:string"
                                  >REDACTED</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>
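The redaction shown in the assertion above can be done with an XML parser rather than by hand, which also handles the case a text search misses: a SAMLResponse captured in a HAR is base64-encoded (and raw-DEFLATE compressed for the HTTP-Redirect binding), so the attribute values are invisible until it is decoded. The script below is an added example, not Okta code. It decodes a SAML form parameter, replaces the NameID, AttributeValue, DigestValue and SignatureValue text, leaves the public X509Certificate in place, and re-encodes the result. SAMPLE_RESPONSE is a constructed message that mirrors the article's assertion; the element paths in REDACT_PATHS are my choice of what to redact.

```python
"""Redact a SAML message that a trace carries base64-encoded.
Added example, not Okta code. SAMPLE_RESPONSE is constructed; REDACT_PATHS is
an assumption about which elements hold PII and signature material.
"""
import base64
import zlib
import xml.etree.ElementTree as ET

REDACTED = "REDACTED"
NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():  # keep the familiar prefixes when re-serializing
    ET.register_namespace(_prefix, _uri)

# Elements whose text is replaced: subject identifier, attribute values and
# signature material. The X509Certificate is the IdP's public key and stays.
REDACT_PATHS = (".//saml2:NameID", ".//saml2:AttributeValue",
                ".//ds:DigestValue", ".//ds:SignatureValue")

def redact_saml_xml(xml_text):
    """Return the XML with sensitive element text replaced; the structure is kept."""
    root = ET.fromstring(xml_text)
    for path in REDACT_PATHS:
        for el in root.findall(path, NS):
            el.text = REDACTED
    return ET.tostring(root, encoding="unicode")

def decode_saml_param(value, deflated=False):
    """Base64 (and, for HTTP-Redirect, raw DEFLATE) decode a SAML form parameter."""
    raw = base64.b64decode(value)
    if deflated:
        raw = zlib.decompress(raw, -15)  # -15: raw DEFLATE stream without zlib header
    return raw.decode("utf-8")

def encode_saml_param(xml_text, deflated=False):
    """Inverse of decode_saml_param."""
    raw = xml_text.encode("utf-8")
    if deflated:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(raw) + comp.flush()
    return base64.b64encode(raw).decode("ascii")

def redact_saml_param(value, deflated=False):
    """Redact a SAMLResponse/SAMLRequest parameter value as found in a trace."""
    return encode_saml_param(redact_saml_xml(decode_saml_param(value, deflated)), deflated)

# Constructed sample message, not a real capture.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <saml2:Issuer>http://www.orgname.okta.com</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>d1g3st==</ds:DigestValue></ds:Reference></ds:SignedInfo>
      <ds:SignatureValue>s1gn4tur3==</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDpDCCAoygAwIBAgIG</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject><saml2:NameID>jane.doe@example.com</saml2:NameID></saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Email"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="FirstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
```

Re-serializing moves the namespace declarations to the root element and changes whitespace, so the XML signature would no longer verify; that does not matter here because the SignatureValue is redacted anyway, and Support needs the structure and attribute names, not a verifiable signature.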