-2

I have read this example:https://auth0.com/blog/securing-grpc-microservices-dotnet-core/

In this example it explains how to implement authorization in a gRPC service.

It says that the client request a token that let the client call the service. For that, it is needed to include in the json file the public and private data that it is possible to get this token.

{
  "Auth0": {
    "Domain": "YOUR_AUTH0_DOMAIN",
    "Audience": "YOUR_UNIQUE_IDENTIFIER",
    "ClientId": "YOUR_CLIENT_ID",
    "ClientSecret": "YOUR_CLIENT_SECRET"
  }
}

If I am not wrong, what this does is to configure my application to can request a token. But all the information needed for that is in in plain text. So, where is the security here, if someone could copy the application to anoher computer and run the application and get the token?

For that, I guess it is the same that if I create a self signed certificate and I add the CA.crt, client.crt and client.key in the application.

Perhaps I misunderstood some part, but if this is correct, that all the information needed to get the token is in the client and the process is this:

  • Client get token from Auth0.
  • Client use the token to call the serive.
  • The service authrizes the call because the token is valid.

Where is the security in this case?

Thanks.

Álvaro García
  • 425
  • 1
  • 9
  • There is absolutely nothing you can do to stop someone who's allowed to use your program from using it on a different computer. What is the problem exactly? If I buy your program and install it on my laptop and then move it to my phone, why is that a problem for you? – user253751 Mar 06 '23 at 14:21

1 Answers1

1

Where is the security in this case?

In how you:

  1. Keep appsettings.json secret and not accessible
  2. Keep appsettings.json away from SCM (source code repositories)
  3. Inject this file or the values of the properties in the runtime in a safe manner (encrypted, not traceable, etc)
  4. Encrypt the whole integration and only decrypt when the value is needed1

Auth0's quote is very clear about this

You are going to store the gRPC client credentials in the appsettings.json file. Be aware that you can do this just because the scenario of your system is a machine-to-machine scenario.

Remember: never store credentials in a publicly accessible client.

Security is often a shared model. Service providers guarantee security within their systems and, often, guarantee security during the transfer of the data they hold for you. But once in your system, you are totally responsible to keep things secure.

If you were implementing Auath0's example in a web app, you would be doing what they ask you to do not.

Then, the solution would be placing the integration with Auth0 on your server side where you must ensure (can you?) your own security policies.

Note that, even Auth0's machine-to-machine example is fairly naive from a security standpoint. But that's reasonable since the article is only about integrating Auth0 not about how to make your whole system secure.

1: Or keep it in memory in the right type (I always have to recall the Character[] vs string or that sort of practice to avoid others cathing values from dumps or profilers)

Laiv
  • 14,283
  • 1
  • 31
  • 69