Hi, we want to let our customers programatically sign to our app using their username/password. I figured out the http://auth0.com/oauth/grant-type/password-realm grant type is way to go. In order to fetch the tokens, one has to send request such as this one:
Is it dangerous to share client_secret to our customers? What harm can they do to us with the client secret? The client secret is not used for signing the ID/access tokens, right? (we use RS256 encryption) If we create a new application for each customer, would it be safe enough? (so they don’t share the secret) Is there a better way to allow our customers programatically log in using their username/password?
Even though Auth0 provides the ability to pass on username and password for authentication but it is def not recommended. This posses a security risk of logging creds. To pass on username/password your client needs to capture the creds first which means the app capturing the username/password could log credentials before passing it on to Auth0.
The recommendation here would be to use universal login flow (redirection). Your scenario looks like to be B2B. So your customers > users will use your app which will authenticate via Auth0. Is that the case ? If so, then you could use organizations.
The use case is this: we have a web application (SPA) which talks to our API (resource server). In this case, we use the standard universal login flow as you recommended. User is redirected to tenant.auth0.com, logs in and is redirected back to our web. This works fine.
But, some users actually want to write a CLI script that does something with our API. No browser involved, just some CLI script or CRON job that communicates with our resource server. Hence we want to let them fetch ID and access token from Auth0, which they can use when communicating with our API. Hence the password-realm example I posted above.
What is the best way to achieve this if not the password-realm?
Ok, to make things more complicated, I’ll describe the whole flow. In the SPA, we redirect the user to tenant.auth0.com, they log in and they are redirected back to our app. At this point, we take the auth0 ID token, we send it to “our authorization server” and based on user_id from the ID token we generate whole new access token signed by our secret. This access token is used to access our resource servers. Our resource servers do not accept any auth0 tokens. We use just the ID token for the authentication part. Both auth0 tokens are basically forgotten at this moment. That is why we need our users to be able to fetch ID token from auth0 so they can send it to “our authorization server” and exchange it for the final access token. We can use other flow but this would not require adding any functionality to our apps.
If we go back to the previous question: is it safe to share the client secret to our customers? Can they do something with it other than logging in via username/password? Something dangerous…?
If users are getting redirected back to your app why the customers need to have client secrets ? I am trying to understand how the customers will get users passwords to get token from password grant ? Are they capturing the username/password from their users ?
I am talking about the use case when CLI or CRON is involved. If we don’t use machine2machine flow but we use the password-realm instead, they have to send username, password and client secret (as I wrote in the first post here: What is the purpose of a client secret?)
So my question is: if we share the client secret to our customers, can they do any harm with it to us? I understand that the password-realm is not recommended but it seems it’s the only way unless we want to rewrite parts of our application (which we don’t want to for now).
In other words: we want to allow our users to get ID token via http://auth0.com/oauth/grant-type/password-realm using their username/password and I’m asking how dangerous is to share a client secret with them?
One final question: how can we make sure the application has no access to management API? What should we disable or what should we check to be absolutely sure?