Security concerns for cross-origin authentication with a domain you don't control

I’m currently evaluating a proposal from a client who would like me to whitelist a domain that they control for cross-origin authentication so that they can allow users to generate JSON web tokens on their domain without having to go through the canonical domain. My initial reaction is that it sounds dangerous to whitelist a domain that I don’t control, but I don’t have a very principled reason for that reaction. What are the potential security concerns for this setup? Are there ways that an attacker would be able to exploit it to compromise Auth0 user credentials?

That’s definitely a bad idea. Cross-origin authentication should only be used from a domain you control, and third-party applications should only use redirection-based flows where the credentials are collected at your Auth0 domain.

As for the risks, basically there is nothing that would prevent your client from putting in a script that spies on what the users type. Even if you trust them, there could be a security vulnerability in the pages they serve that allows an attacker to inject a malicious script into the page.
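The redirection-based flow recommended in the answer above, seen from the third-party application's side, as an added example that is not part of the original thread and not Auth0's own code. `TENANT`, `CLIENT_ID`, `REDIRECT_URI` and the function names are placeholders chosen here; the query parameters are the standard OAuth 2.0 authorization code and PKCE (RFC 7636) ones.

```javascript
// Added example: the third-party page never renders a credential form; it only
// sends the browser to the canonical domain and validates what comes back.
const { randomBytes, createHash, timingSafeEqual } = require('node:crypto');

const TENANT = 'https://login.example.com';              // placeholder: the domain you control
const CLIENT_ID = 'EXAMPLE_CLIENT_ID';                   // placeholder
const REDIRECT_URI = 'https://partner.example/callback'; // placeholder: client's page

const b64url = (buf) => buf.toString('base64url');

// PKCE challenge = BASE64URL(SHA-256(verifier)), per RFC 7636.
function pkceChallenge(verifier) {
  return b64url(createHash('sha256').update(verifier, 'ascii').digest());
}

// Start login: keep `state` and `verifier` in the app's session, then redirect.
// Credentials are typed only on TENANT, out of reach of scripts on the partner page.
function startLogin() {
  const state = b64url(randomBytes(16));
  const verifier = b64url(randomBytes(32));
  const url = new URL('/authorize', TENANT);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid profile',
    state,
    code_challenge: pkceChallenge(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), state, verifier };
}

// Handle the redirect back: accept the code only if `state` matches the value
// stored by startLogin(); the code is then exchanged together with `verifier`.
function handleCallback(callbackUrl, session) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(session.state);
  if (got.length !== want.length || !timingSafeEqual(got, want)) {
    throw new Error('state mismatch: callback not tied to this login');
  }
  const code = params.get('code');
  if (!code) throw new Error(params.get('error') || 'missing code');
  return { code, code_verifier: session.verifier };
}
```

A script injected into the partner page can at most interfere with the short-lived code, which is useless without the `code_verifier` held in the session; it never sees the password.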

That’s what I was expecting. We’ll look into redirection-based flows instead. Thanks Nicolas!
