Trigger/Action for /bc-authorize or some way to limit which users (for CIBA flow)

Feature: Trigger/Action for /bc-authorize or some way to limit users

Description:
Currently, when the CIBA (Client Initiated Backchannel Authentication) flow is triggered, a single client_id and client_secret credential can trigger a push notification and authentication request for any user in the Auth0 tenant (this is not tied to the client's enabled connections).
This seems like a major vulnerability, because any client with CIBA enabled can trigger push notifications and make access requests to any user in the entire Auth0 tenant (note that for identity providers the user identifier is very guessable, e.g. google-apps|email).

I would say there are two parts to it:
* Add some custom trigger (and related action) that can be executed to pre-reject/deny push notifications, based on body parameters, login hint, requested sub (optionally with information about the user, such as metadata, as in event.user…), authorization details, IP, and so on. Additionally, allow setting some custom claims (perhaps through authorization details) for a later post-login action and eventual token claims.
* Limit notifications through that client to users belonging to the enabled connections.
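As an added example (not Auth0 code, and not an existing Auth0 Actions trigger), the pre-check the proposed /bc-authorize trigger could run before any push is sent: it denies requests whose sub is outside the client's enabled connections, whose source IP is not allowlisted, or whose session binding is missing or expired, and passes a claim from authorization details through for later use. The event fields, the policy object and the session store are all assumptions.

```javascript
// Added example, not Auth0 code: a model of the pre-check the proposed
// /bc-authorize trigger would run. Event shape, policy and session store
// are assumptions; the values below are constructed samples.
const policy = {
  // Only users of these connections may receive a push from this client.
  allowedConnections: new Set(['auth0']),
  // Constructed allowlist for the virtual desktop egress address.
  allowedIps: new Set(['203.0.113.10']),
  // Constructed store of session tokens the desktop obtained earlier.
  sessions: new Map([['sess-123', { expiresAt: 1700000000000 }]]),
};

// Auth0 user ids have the form "<connection>|<id>", so the connection is the prefix.
function connectionOf(sub) {
  const i = (sub || '').indexOf('|');
  return i > 0 ? sub.slice(0, i) : null;
}

// Returns a decision object rather than throwing, so every denial is
// attributable to one policy rule and can be logged or alerted on.
function evaluateBackchannelRequest(event, now) {
  const connection = connectionOf(event.sub);
  if (!connection || !policy.allowedConnections.has(connection)) {
    return { allow: false, reason: 'sub_not_in_enabled_connection' };
  }
  if (!policy.allowedIps.has(event.ip)) {
    return { allow: false, reason: 'ip_not_allowlisted' };
  }
  const session = policy.sessions.get(event.sessionToken);
  if (!session || session.expiresAt <= now) {
    return { allow: false, reason: 'session_binding_invalid' };
  }
  // Carry a claim through for a later post-login action / token claims.
  const details = Array.isArray(event.authorizationDetails) ? event.authorizationDetails : [];
  const desktop = details.find((d) => d && d.type === 'vdi_session');
  return { allow: true, claims: { vdi_desktop: desktop ? desktop.desktop_id : null } };
}

// Constructed sample requests: one from the expected desktop, one targeting
// a user of a connection this client is not allowed to reach.
const okRequest = { sub: 'auth0|abc123', ip: '203.0.113.10', sessionToken: 'sess-123',
  authorizationDetails: [{ type: 'vdi_session', desktop_id: 'vd-7' }] };
const foreignRequest = { sub: 'google-apps|someone@example.com', ip: '203.0.113.10',
  sessionToken: 'sess-123' };
```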

Use-case:
I am using CIBA in virtual desktop environments to more easily authenticate users with strict Data Loss Prevention controls in place. However, due to the way the Virtual Desktop works, I would have to expose the client credentials within it. To limit exploitation of the client credentials, I would like to add some additional authentication layer, a token bound to a session and IP allowlisting, or at the very least limit which users would be susceptible.

Additionally, there is a limit on the number of characters one can put in a field for authorization details, even if it is not visible. This prevents me from passing another access token for authentication.