Auth0 Keys

ID

auth0_keys

Severity

critical

Vendor

Auth0

Family

API Token

Description

Auth0 is a flexible, drop-in solution for adding authentication and authorization services to your applications. It lets users sign up once, with a single application, and be authenticated across multiple applications (Single Sign-On).

To handle authentication in machine-to-machine (M2M) applications, you create an application in Auth0 and choose one of several M2M authentication methods. The default method is a client ID/client secret pair, known as the Auth0 Key for that application. With the Auth0 Key, the application obtains an OAuth2 access token from the /oauth/token endpoint.

There is also a similar legacy Global ClientID/Client Secret pair, which can only be renewed by Auth0 Support.

Security

Any hardcoded Auth0 Key is a potential secret reported by this detector.

Accidentally checking in the key to a source control repository could compromise your Auth0 account.

Suspicious activity can be checked against the logs in the dashboard or through the Management API.
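As an added illustration of what "hardcoded Auth0 Key" means in practice (this is not the detector's own implementation, whose patterns are not published on this page), the following scanner flags quoted literals assigned to the AUTH0_CLIENT_ID / AUTH0_SECRET / AUTH0_CLIENT_SECRET names used in the example above, and reports only a redacted form of each value. The key names and the sample file are assumptions constructed for this example.

```javascript
// Illustrative scanner for hardcoded Auth0 client IDs/secrets in source text.
// Assumption: the key names below are the ones worth flagging; a real detector
// also matches other spellings and checks value entropy and length.
const KEY_NAMES = ['AUTH0_CLIENT_ID', 'AUTH0_CLIENT_SECRET', 'AUTH0_SECRET'];

// Matches `NAME='literal'`, `NAME="literal"` or `NAME: 'literal'`.
// Requiring a quoted literal is what separates a hardcoded value from a
// reference such as `process.env.AUTH0_SECRET`, which has no quotes and is not flagged.
const ASSIGNMENT_RE = new RegExp(
  `\\b(${KEY_NAMES.join('|')})\\b\\s*[=:]\\s*(['"\`])([^'"\`\\s]+)\\2`,
  'g'
);

// Never echo the secret itself into a finding or a log line.
function redact(value) {
  if (value.length <= 8) return '****';
  return `${value.slice(0, 4)}...${value.slice(-4)}`;
}

// Returns one finding per hardcoded assignment: line number (1-based),
// variable name, redacted value and value length.
function scanForAuth0Keys(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(ASSIGNMENT_RE)) {
      const [, name, , value] = m;
      findings.push({ line: idx + 1, name, redacted: redact(value), length: value.length });
    }
  });
  return findings;
}

// Constructed sample file; the ID and secret are placeholder strings, not real keys.
const SAMPLE_SOURCE = [
  "import { handleAuth } from '@auth0/nextjs-auth0';",
  '',
  "AUTH0_CLIENT_ID='PLACEHOLDERCLIENTIDPLACEHOLDERID';",
  "AUTH0_SECRET='PLACEHOLDERSECRETPLACEHOLDERSECRETPLACEHOLDERSECRETPLACEHOLDER00';",
  "console.log('the AUTH0_SECRET env var is set: ', !!process.env.AUTH0_SECRET);",
  'export default handleAuth();',
].join('\n');

for (const f of scanForAuth0Keys(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: hardcoded ${f.name} (${f.length} chars) ${f.redacted}`);
}
```

The console.log line in the sample is not reported because it only tests whether the environment variable is set and contains no quoted literal; that is the pattern the mitigation steps below move the code towards.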

Examples

import { handleAuth } from '@auth0/nextjs-auth0';

// Client ID and secret hardcoded in source: this is what the detector reports.
const AUTH0_CLIENT_ID='6ipOuOyYMG1qT8v1NwaGHP1DekgAmifI';
const AUTH0_SECRET='_BTJzoFEvOeCGkVxRnxoqAJepBZEgzqYnOoJegLAkyZKFKizQzk8ccd4f898adee';
console.log('the AUTH0_SECRET env var is set: ', !!process.env.AUTH0_SECRET);

export default handleAuth();
...

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s).

    To rotate the Auth0 application secret, follow the instructions in Rotate Client Secrets, using either the dashboard or the Management API; the latter requires a Management API access token.

  2. Remove the hardcoded client ID and secret from the source code or committed configuration file. Supply the new client ID and secret through a more secure mechanism instead, such as one of the options documented in How to Prevent Hard-Coded Secrets.

  3. (Optional) If the code lives in a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. For GitHub, you may follow the procedure listed here.
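As an added example of step 2 combined with the /oauth/token flow from the description (this is example code, not Auth0's SDK or the detector's code), the snippet below reads the rotated client ID and secret from environment variables, fails closed when any of them is missing, and builds the client-credentials request. The environment variable names, the AUTH0_DOMAIN and AUTH0_AUDIENCE variables, and the placeholder values are assumptions; the JSON body shape is the client_credentials grant documented for the /oauth/token endpoint.

```javascript
// Load Auth0 M2M configuration from the environment instead of source code.
// Assumed variable names: AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, AUTH0_AUDIENCE.
function loadAuth0Config(env = process.env) {
  const required = ['AUTH0_DOMAIN', 'AUTH0_CLIENT_ID', 'AUTH0_CLIENT_SECRET', 'AUTH0_AUDIENCE'];
  const missing = required.filter((name) => !env[name]);
  if (missing.length > 0) {
    // Fail closed: never fall back to a literal baked into the code.
    throw new Error(`missing required environment variables: ${missing.join(', ')}`);
  }
  return {
    domain: env.AUTH0_DOMAIN,
    clientId: env.AUTH0_CLIENT_ID,
    clientSecret: env.AUTH0_CLIENT_SECRET,
    audience: env.AUTH0_AUDIENCE,
  };
}

// Build the client-credentials request for the /oauth/token endpoint.
// Kept separate from the network call so it can be inspected and tested offline.
function buildTokenRequest(config) {
  return {
    url: `https://${config.domain}/oauth/token`,
    options: {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: config.clientId,
        client_secret: config.clientSecret,
        audience: config.audience,
      }),
    },
  };
}

// Exchange the Auth0 Key for an access token. fetchImpl is injectable so the
// flow can be exercised with a stub; the secret never appears in logs or errors.
async function requestAccessToken(config, fetchImpl = globalThis.fetch) {
  const { url, options } = buildTokenRequest(config);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const body = await res.json();
  return { accessToken: body.access_token, expiresIn: body.expires_in };
}

// Constructed environment for a dry run; the values are placeholders, not real keys.
const EXAMPLE_ENV = {
  AUTH0_DOMAIN: 'example.auth0.com',
  AUTH0_CLIENT_ID: 'PLACEHOLDER_CLIENT_ID',
  AUTH0_CLIENT_SECRET: 'PLACEHOLDER_CLIENT_SECRET',
  AUTH0_AUDIENCE: 'https://api.example.invalid/',
};

const exampleRequest = buildTokenRequest(loadAuth0Config(EXAMPLE_ENV));
// Log only the endpoint, never the request body that carries the secret.
console.log('token endpoint:', exampleRequest.url);
```

To use it against a real tenant, export the four variables in the process environment (or inject them from a secrets manager) and `await requestAccessToken(loadAuth0Config())`; the code never needs the secret as a literal, so the detector has nothing to report.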

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.