My company is using auth0 as part of our cloud environment, which a couple of our security-sensitive end-customers are using. One of our customers’ security teams has asked us a specific question about auth0, and I’m hoping someone from this community can help me answer it:
Here is their question:
“Can you have someone from auth0 confirm that it is just an OIDC/OAuth2 endpoint, and that it doesn’t accept/store arbitrary POSTs of data to it? To us it looks like it’s an OIDC/OAuth2 responder only, but we’re concerned that there could be other APIs under other paths that might result in data being stored on auth0 servers.”
Their goal is to confirm there’s no mechanism through which their proprietary data could possibly be written to / stored by Auth0 in any way. Can someone confirm this?
This is a highly relevant question regarding customer security. Please allow me to provide some clarifications that will hopefully help you understand how Auth0 operates.
I can confirm that the primary Auth0 endpoints that customers interact with are OIDC/OAuth2 and SAML protocol endpoints, which are not designed to store or accept proprietary user data from the application’s end-users. Among the endpoints in question: /authorize, /token, /userinfo, and /v2/logout. Their core purpose is to handle the Identity and Access Management requirements of our customers, not to store sensitive data.
The protocol endpoints are used for authentication and authorization purposes, and the data they process is limited to what is required in order to complete certain tasks:
User profile data (identity attributes such as email address, name, connection to their identity provider, etc.);
Tokens, in the form of JWTs or opaque refresh tokens;
User credentials, which are hashed and secured.
While Auth0’s API endpoints are used via Machine-to-Machine connections and secured by tokens, their functionality is not to store any proprietary data.
The end-user data that is processed as mentioned above is used for the sole purpose of identity management, during the user’s signup and login processes. While Auth0 does offer the flexibility of storing user data in either app_metadata (which cannot be edited by users) or user_metadata (editable by users), we strongly recommend against storing any sensitive data. I do recommend reading through our documentation to Understand How Metadata Works in User Profiles.
Allow me to also share the following documentation for further details:
I hope the above information has been useful in clearing up some details for you and your customer, but please do not hesitate to reach out to us for any other issues or concerns. We will be happy to help!
Thanks so much, Gerald - really appreciate the response. Is there a way to prevent the use of the user_metadata field, or otherwise make it so it isn’t editable by end-users?
Happy I was able to provide some useful information!
Both the user_metadata and app_metadata fields are meant to be used as a means to add information about the user, which can be done either by the application, an Admin, an Action Flow, etc. These will not contain additional information about the users unless explicitly added. It is not possible to make the user_metadata field non-editable by users, but if such a field is required, app_metadata fulfils this need.
In addition, in the Auth0 dashboard under User Management → Users, if you click on any user and navigate to the Raw JSON tab, you will find user information such as their last login, authentications, creation date, etc. These are only visible to tenant Admins or tenant members with a set of accesses that allows them to view this information. More details regarding tenant-level roles can be found here: Dashboard Access by Role
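The distinction in the answer above (user_metadata is end-user editable, app_metadata is not) is the kind of thing a tenant admin will want to verify across a user export rather than one Raw JSON tab at a time. The script below is an added example, not Auth0’s own code or tooling: it walks a list of user profile objects in the shape of the dashboard’s Raw JSON / Management API user object (user_id, email, user_metadata, app_metadata), flags authorization-relevant keys that have landed in the user-editable field, flags sensitive-looking keys in either field, and shows the read rule an application should follow (only app_metadata is trusted for access decisions). The sample profiles and the key-name regexes are constructed for this example and are not an Auth0-provided list.

```python
"""Audit Auth0-style user profiles for data that should not live in
user_metadata (end-user editable) or should not be stored at the IdP at all.

Profile shape follows the Raw JSON view / Management API user object.
Sample records and key-name heuristics are constructed for this example.
"""
import re

# Keys that should never be under end-user control (constructed heuristic).
AUTHZ_KEY_PATTERN = re.compile(r"(role|permission|scope|admin|tier|plan|entitlement)", re.I)
# Keys that look like sensitive personal or secret data (constructed heuristic).
SENSITIVE_KEY_PATTERN = re.compile(r"(ssn|passport|tax|card|iban|salary|secret|password)", re.I)


def classify_key(key):
    """Return 'authz', 'sensitive' or None for a metadata key name."""
    if AUTHZ_KEY_PATTERN.search(key):
        return "authz"
    if SENSITIVE_KEY_PATTERN.search(key):
        return "sensitive"
    return None


def audit_profile(profile):
    """Return (user_id, field, key, message) findings for one profile.

    user_metadata is editable by the end user, so any authorization-relevant
    or sensitive key there is a finding. app_metadata is admin-controlled, so
    it is only flagged when a sensitive key is stored at the IdP at all.
    """
    findings = []
    uid = profile["user_id"]
    for key in (profile.get("user_metadata") or {}):
        kind = classify_key(key)
        if kind == "authz":
            findings.append((uid, "user_metadata", key,
                             "authorization attribute is user-editable; move it to app_metadata"))
        elif kind == "sensitive":
            findings.append((uid, "user_metadata", key,
                             "sensitive data stored in a user-editable profile field"))
    for key in (profile.get("app_metadata") or {}):
        if classify_key(key) == "sensitive":
            findings.append((uid, "app_metadata", key,
                             "sensitive data stored in the identity provider profile"))
    return findings


def audit_profiles(profiles):
    """Audit a whole export; returns all findings in input order."""
    findings = []
    for profile in profiles:
        findings.extend(audit_profile(profile))
    return findings


def trusted_attribute(profile, key):
    """Read an application-controlled attribute: only app_metadata counts.

    A same-named value in user_metadata is ignored because the end user
    could have written it.
    """
    return (profile.get("app_metadata") or {}).get(key)


# Constructed sample export (placeholder users, not real data).
SAMPLE_PROFILES = [
    {
        "user_id": "auth0|example-user-1",
        "email": "alice@example.com",
        "user_metadata": {"preferred_language": "en", "role": "admin"},
        "app_metadata": {"role": "viewer"},
    },
    {
        "user_id": "auth0|example-user-2",
        "email": "bob@example.com",
        "user_metadata": {"nickname": "bob", "tax_id": "placeholder"},
        "app_metadata": {},
    },
    {
        "user_id": "auth0|example-user-3",
        "email": "carol@example.com",
        "user_metadata": {},
        "app_metadata": {"plan": "enterprise"},
    },
]

if __name__ == "__main__":
    for user_id, field, key, message in audit_profiles(SAMPLE_PROFILES):
        print(f"{user_id}: {field}.{key}: {message}")
    # The user-set "admin" in user_metadata does not win; app_metadata does.
    print("alice effective role:", trusted_attribute(SAMPLE_PROFILES[0], "role"))
```

Run it against a real export by replacing SAMPLE_PROFILES with the user objects returned by the Management API; the important design point is trusted_attribute, which never consults user_metadata for anything the application acts on.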