Given that Auth0 is signing JWT / tokens, can someone explain in layman’s terms why they don’t have the keys to the castle and access to create credentials to log into our app?
Other than the legalities, what in the technology keeps Auth0 honest?
bumping this up the priority list too
It’s theoretically possible for any Identity Provider that issues tokens to manually create such a token. The short answer is that Auth0 (and other similar providers) go through certifications intended to make sure that enough internal security controls are present to prevent that: https://auth0.com/security
If you log in to your Auth0 Support portal, you can download the compliance-related documents and reports at https://support.auth0.com/compliance
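To make the answer above concrete, here is an added example (not Auth0's code and not from this thread) of the whole trust model in dependency-free Python. It uses HS256 so it runs offline; a real issuer typically signs with an asymmetric key (RS256) and publishes only the public half, but the point is identical: whoever holds the signing key can produce tokens the app will accept. `ISSUER_KEY`, `ISSUER`, `AUDIENCE`, `NOW` and the `sub` values are constructed placeholders.

```python
import base64, hashlib, hmac, json

ISSUER_KEY = b"constructed-demo-secret-known-only-to-the-issuer"  # constructed
ISSUER = "https://tenant.example/"                                 # placeholder issuer
AUDIENCE = "my-app"                                                # placeholder audience
NOW = 1_700_000_000                                                # fixed clock for the demo

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """What the issuer does: anyone holding `key` can produce a valid token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: int = NOW):
    """What the app does: checks that the token was signed with `key` and carries
    the expected iss/aud/exp. Returns the claims, or None if any check fails."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # signature was not made with the issuer key
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims

def token_after_real_login() -> str:
    # Issued because a user actually authenticated at the issuer.
    return sign_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "auth0|user1", "iat": NOW, "exp": NOW + 3600}, ISSUER_KEY)

def token_with_no_login_behind_it() -> str:
    # Same key, same claims, but no authentication event produced it. The app cannot
    # tell the two apart: verification proves key possession, not that a login happened.
    return sign_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "auth0|user1", "iat": NOW + 1, "exp": NOW + 3600}, ISSUER_KEY)

def token_signed_without_the_key() -> str:
    # What the key does protect against: a party without the issuer key is rejected.
    return sign_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "auth0|user1", "iat": NOW, "exp": NOW + 3600}, b"other-key")
```

The first two tokens verify identically, which is why the question has no answer in the app's own verification code: what keeps the issuer honest is custody of the signing key and the audited controls around it, which is what the compliance reports linked above document.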