Where Do You Suggest Storing the Auth0 Domain and Client ID in a WPF Application?

I am developing a WPF application. I use the Auth0 SDK to login to my tenant as follows:

    var client = new Auth0Client(new Auth0ClientOptions
    {
        Domain = "DOMAIN.auth0.com",
        ClientId = "DoReMiFaSoLaTiDo",
        LoadProfile = true,
        Scope = "openid"
    });

As I am using string literals here, isn’t it possible for a hacker to use ILDASM to peek at my Domain name and ClientID? Doesn’t this pose a security risk? If so, is there a best practice on how to reduce this risk?

I’ll start by saying that I don’t have much experience developing on Windows. This is also more of a general security question for developing on Windows, no matter the application, and isn’t necessarily specific to Auth0. However, I’d be interested to hear what others have done to solve this. The article you linked does give some suggestions on what to look into, even though it doesn’t provide any examples: obfuscating your assembly, encrypting the strings, and considering using the SecureString class.

Hello @TheLoneCoder,

Your Auth0 tenant domain name and the client ID are public information. You do not need to secure them. You do need to keep the client secret secure.


Great. Thanks! Markd, is there a book on ‘Security, Best Practices’ that you would recommend for WPF and Web API development?

I don’t have any books to recommend, though I would recommend the current OAuth and OIDC related best practices documents for security. I’ve linked some of them below:

And of course the actual specs:


These are perfect, thanks! I am following the first two links you provided already. Good to know I am on the right track!


Thanks a lot @markd for sharing all that knowledge with the community!
