Last Updated: Sep 27, 2024
Overview
This article explains whether a customer should enforce TLS 1.2 when making requests to Auth0.
Applies To
- Transport Layer Security (TLS)
Solution
Requests to Auth0 can be broadly divided into three categories:
- Requests coming from applications running on backend servers: apps such as web servers or backend APIs that communicate with Auth0 directly (no browser involved).
- Requests coming from the user’s browser, such as:
  - Any web application that redirects the user to Auth0’s /authorize endpoint for things like authentication and MFA prompts.
  - Native (mobile/desktop) apps that open a system browser so that the user can authenticate.
  - JavaScript code that talks to Auth0 directly (embedded login, token requests, obtaining user information, and so on).
- Requests coming from users’ devices: requests initiated from native applications running on phones, tablets, or desktop computers.
Usually, it is not possible to control the user’s browser or devices. Fortunately, all modern browsers support TLS 1.2 by default (check this quick summary, or this Wikipedia page for a detailed rundown). The same is true for Android (see Default configuration for different Android versions) and iOS (TLS 1.2 has been supported since iOS 5).
The area to focus on most (and the one where a developer has control) is the first category: requests coming from applications running on backend servers. For this category, ensure that each application talks to Auth0 using TLS 1.2 or greater. How to achieve this depends on the technology used, but it is usually a setting at the OS level (for example, updating OpenSSL) or at the application level.
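The following is an added example (not code from the Auth0 article) of the application-level approach for a Python backend. It builds an `ssl.SSLContext` whose protocol floor is TLS 1.2, uses it for a request to the standard OIDC discovery endpoint, and double-checks the version the socket actually negotiated. The tenant domain `example-tenant.auth0.com` is a placeholder, and the function names are this example's own.

```python
import http.client
import json
import ssl
from typing import Optional

# Placeholder tenant domain (constructed for this example; substitute your own).
AUTH0_DOMAIN = "example-tenant.auth0.com"


def make_strict_tls_context() -> ssl.SSLContext:
    """Build a client TLS context that refuses anything older than TLS 1.2.

    create_default_context() already enables certificate verification and
    hostname checking; the explicit protocol floor makes a downgrade to
    TLS 1.0/1.1 fail at handshake time instead of silently succeeding.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # maximum_version is left at its default so TLS 1.3 is used when available.
    return ctx


def is_tls12_or_newer(negotiated: str) -> bool:
    """Return True for version strings such as 'TLSv1.2' or 'TLSv1.3'.

    The string is what ssl.SSLSocket.version() reports after the handshake.
    Non-TLS values (e.g. 'SSLv3') and anything older than 1.2 are rejected.
    """
    if not negotiated or not negotiated.startswith("TLSv"):
        return False
    parts = negotiated[len("TLSv"):].split(".")
    try:
        numbers = tuple(int(p) for p in parts)
    except ValueError:
        return False
    # 'TLSv1' parses as (1,), which compares below (1, 2) as intended.
    return numbers >= (1, 2)


def fetch_openid_configuration(domain: str,
                               ctx: Optional[ssl.SSLContext] = None) -> dict:
    """GET the OIDC discovery document over a connection that must be TLS >= 1.2.

    Returns the HTTP status, the negotiated TLS version and the parsed body.
    The post-handshake version check is defence in depth: the context's
    minimum_version should already have rejected an older protocol.
    """
    ctx = ctx or make_strict_tls_context()
    conn = http.client.HTTPSConnection(domain, 443, context=ctx, timeout=10)
    try:
        conn.request("GET", "/.well-known/openid-configuration",
                     headers={"Accept": "application/json"})
        negotiated = conn.sock.version()  # e.g. 'TLSv1.3'
        if not is_tls12_or_newer(negotiated):
            raise ssl.SSLError(
                f"negotiated {negotiated}, expected TLS 1.2 or newer")
        resp = conn.getresponse()
        body = resp.read()
        return {
            "status": resp.status,
            "tls_version": negotiated,
            "config": json.loads(body) if resp.status == 200 else None,
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Requires network access to the (placeholder) tenant; not run offline.
    result = fetch_openid_configuration(AUTH0_DOMAIN)
    print(result["status"], result["tls_version"])
```

Setting `minimum_version` requires Python 3.7 or newer and an OpenSSL build that still supports TLS 1.2 (all current ones do); on an older interpreter the equivalent is to clear `OP_NO_TLSv1`/`OP_NO_TLSv1_1` from `ctx.options`, which is exactly the OS-level OpenSSL dependency the article mentions.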
For example: