I’m writing because I’ve seen that after logging in, there’s a POST request sent to Auth0 named “https-my-tenant-auth0-com/login?state=…” whose payload has “state” with an encrypted value and “Form Data” with the credentials typed in the login form as the value, in plain text. Anyone can see them with the browser’s devTools…
I’ve done my research and can’t get info nor solutions to this. My grant-types are only auth_code and refresh_token, and I’m using an HTTPS certificate.
Is this normal? If not, how can I solve it? I think it is a huge security issue.
PS: I selected “new-universal-login-experience” because I had to choose a second tag, but I only see “Universal Login” and “Classic Login” options in my dashboard.
You should not be concerned about the fact that the credentials are visible in plain text since it is a browser’s developer tools functionality.
Basically, the browser shows you the process of sending a standard HTML request using form submission, which is available in the payload description inside the Network tab. These credentials are being sent from your browser to Auth0 using the HTTPS protocol. The security of this process relies on the protocol used for transmission of these details (HTTPS/TLS).
If you were viewing the developer tools when using an application that was using HTTPS, then this would be considered a security vulnerability, but because your connection is HTTPS, the transmission is secure.
In conclusion, no further action is required as long as your Universal Login is being served over HTTPS.
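The answer above hinges on one point: the browser will always be able to show the form body it is about to send, so the thing to check is the transport and destination of that POST, not whether devtools can display it. The following is an added example, not code from this thread or from Auth0: a small Python checker that takes a captured request (constructed here to mirror the shape described in the question, with placeholder hostname, state and credential values) and reports the defender-relevant problems: a non-HTTPS scheme, a form that posts to a host other than the expected tenant domain, credential fields leaked into the URL query string (where proxies and server logs would record them), and a credential submission that is not a POST. The `expected_host` argument and the `SENSITIVE_FIELDS` list are assumptions for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample mirroring the request in the question: a POST to the
# tenant's /login endpoint with an opaque state in the query string and the
# typed credentials in the form body. All values are placeholders.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "https://my-tenant.auth0.com/login?state=PLACEHOLDER_STATE",
    "headers": {"Content-Type": "application/x-www-form-urlencoded"},
    "body": {"username": "alice@example.com", "password": "placeholder-password"},
}

# Form field names we never want to see outside an HTTPS POST body (assumed list).
SENSITIVE_FIELDS = {"username", "email", "password", "otp"}


def assess_credential_post(request, expected_host):
    """Inspect a captured login request and return (ok, findings).

    ok is True when the credentials travel only inside the body of an HTTPS
    POST to the expected host; findings lists every problem found.
    """
    findings = []
    parsed = urlparse(request["url"])

    # 1. Transport: devtools visibility is fine, plaintext HTTP on the wire is not.
    if parsed.scheme != "https":
        findings.append("credentials would be sent over plaintext HTTP, not HTTPS")

    # 2. Destination: the form must post to the tenant we expect, not a lookalike.
    if parsed.hostname != expected_host:
        findings.append(
            f"form posts to {parsed.hostname!r}, expected {expected_host!r}"
        )

    # 3. Placement: query strings end up in proxy and server logs; the body does not.
    query_keys = set(parse_qs(parsed.query))
    leaked = sorted(query_keys & SENSITIVE_FIELDS)
    if leaked:
        findings.append(f"sensitive fields in URL query string: {leaked}")

    # 4. Method: a GET would put the whole form into the URL and browser history.
    if request["method"].upper() != "POST":
        findings.append(f"credentials sent with {request['method']} instead of POST")

    return (not findings, findings)


def body_is_visible_to_client(request):
    """The form body is always readable by the client that composed it
    (devtools, extensions, debugging proxies); TLS only protects it in transit."""
    return bool(request.get("body"))


if __name__ == "__main__":
    ok, findings = assess_credential_post(SAMPLE_REQUEST, "my-tenant.auth0.com")
    print("sample request ok:", ok, findings)
    print("body visible in devtools regardless:", body_is_visible_to_client(SAMPLE_REQUEST))
```

Run against the sample request the check passes, which is the situation the answer describes: the body is visible in the Network tab, but it is carried only inside an HTTPS POST to the expected tenant. Swap the scheme for `http`, move a field into the query string, or point the form at another host and the function returns the corresponding finding.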
Last question regarding this matter: when you say “If you were viewing the developer tools when using an application that was using HTTPS, then this would be considered a security vulnerability”, did you mean that, or did you mean “if you were using an app that was NOT using HTTPS…”?