Auth0 Keys
Description
General
- Documentation: https://auth0.com/docs/
- Summary: Auth0 is a SaaS solution that adds authentication and authorization services to software applications. It allows users to sign up to only one application and be authenticated on multiple applications (also called Single Sign-On). This detector searches for application credentials. These credentials could give access to user information, including personally identifiable information.
- IPs allowlist: This feature is not currently available.
- Scopes: It is possible to configure specific scopes when creating the keys.
Revoke the secret
This can be done from the Auth0 dashboard.
Check for suspicious activity
Auth0 provides access logs in the dashboard or through the Management API.
Details for Auth0 keys
- Family: credentials
- Category: identity_provider
- Company: Auth0
- High recall: False
- Validity check available: True
- Analyzer available: True
- On-premise instances exist: True
- Only valid secrets raise an alert: True
- Minimum number of matches: 3
- Occurrences found for one million commits: 9.62
- Prefixed: False
- PreValidators:
    - type: FilenameBanlistPreValidator
      banlist_extensions: []
      banlist_filenames: []
      check_binaries: false
      include_default_banlist_extensions: true
      ban_markup: false
    - type: ContentWhitelistPreValidator
      patterns:
        - auth0
Examples
- text: |
    i=STvPYZ1pCeJp2tyVdDDgm9DySu1VIPTc
    s=_Foy7l7Z8DdZ09YfR95JJWaabWVFp5XAEDZbTlHqTDMtMXwlrnl21Z5ARqYJ3XSr
    d=gg-test.auth0.com
  domain: gg-test.auth0.com
  client_id: STvPYZ1pCeJp2tyVdDDgm9DySu1VIPTc
  client_secret: _Foy7l7Z8DdZ09YfR95JJWaabWVFp5XAEDZbTlHqTDMtMXwlrnl21Z5ARqYJ3XSr
- text: |
    ```
    i=STvPYZ1pCeJp2tyVdDDgm9DySu1VIPTc
    s=_Foy7l7Z8DdZ09YfR95JJWaabWVFp5XAEDZbTlHqTDMtMXwlrnl21Z5ARqYJ3XSr
    d=gg-test.auth0.com
    ```
  domain: gg-test.auth0.com
  client_id: STvPYZ1pCeJp2tyVdDDgm9DySu1VIPTc
  client_secret: _Foy7l7Z8DdZ09YfR95JJWaabWVFp5XAEDZbTlHqTDMtMXwlrnl21Z5ARqYJ3XSr
- text: |
    i=STvPYZ1pCeJp2tyVdDDgm9DySu1VIPTc
    s=_Foy7l7Z8DdZ09YfR95JJWaabWVFp5XAEDZbTlHqTDMtMXwlrnl21Z5ARqYJ3XSr
    auth0_issuer_base_url=https://gg-test.com
  domain: gg-test.com
  client_id: STvPYZ1pCeJp2tyVdDDgm9DySu1VIPTc
  client_secret: _Foy7l7Z8DdZ09YfR95JJWaabWVFp5XAEDZbTlHqTDMtMXwlrnl21Z5ARqYJ3XSr
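The matching behaviour described above, sketched as an added example (not GitGuardian's detector code): the `auth0` content pre-validator gates the document, and a candidate is reported only when a domain, a client ID and a client secret are all found. The regular expressions, the `detect` function, the case-insensitive keyword check and the reading of "Minimum number of matches: 3" as this triple are assumptions inferred from the examples on this page.

```python
import re

# Assumed patterns, inferred only from the examples on this page.
EDGE = r"[A-Za-z0-9_-]"
CLIENT_ID = re.compile(rf"(?<!{EDGE})[A-Za-z0-9]{{32}}(?!{EDGE})")
CLIENT_SECRET = re.compile(rf"(?<!{EDGE})[A-Za-z0-9_-]{{64}}(?!{EDGE})")
TENANT_DOMAIN = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.auth0\.com\b", re.I)
ISSUER_URL = re.compile(r"auth0_issuer_base_url\s*[=:]\s*https?://([a-z0-9.-]+)", re.I)


def detect(text):
    """Return the domain/client_id/client_secret triple, or None."""
    # ContentWhitelistPreValidator: the document must mention "auth0"
    # (case-insensitive matching is an assumption).
    if not re.search("auth0", text, re.I):
        return None
    domain = TENANT_DOMAIN.search(text)
    if domain:
        domain = domain.group(0)
    else:
        # Custom domain, as in the page's third example.
        issuer = ISSUER_URL.search(text)
        domain = issuer.group(1) if issuer else None
    client_id = CLIENT_ID.search(text)
    client_secret = CLIENT_SECRET.search(text)
    # "Minimum number of matches: 3": report only a complete triple.
    if not (domain and client_id and client_secret):
        return None
    return {
        "domain": domain,
        "client_id": client_id.group(0),
        "client_secret": client_secret.group(0),
    }


# Sample inputs: the first and third example documents from this page.
SAMPLE_ID = "STvPYZ1pCeJp2tyVdDDgm9DySu1VIPTc"
SAMPLE_SECRET = "_Foy7l7Z8DdZ09YfR95JJWaabWVFp5XAEDZbTlHqTDMtMXwlrnl21Z5ARqYJ3XSr"
EXAMPLE_1 = f"i={SAMPLE_ID}\ns={SAMPLE_SECRET}\nd=gg-test.auth0.com\n"
EXAMPLE_3 = f"i={SAMPLE_ID}\ns={SAMPLE_SECRET}\nauth0_issuer_base_url=https://gg-test.com\n"
# Constructed negatives: keyword absent, and only one of the three parts.
NO_KEYWORD = f"i={SAMPLE_ID}\ns={SAMPLE_SECRET}\nd=gg-test.example.com\n"
ONE_PART = f"# auth0 settings\ni={SAMPLE_ID}\n"

if __name__ == "__main__":
    for name in ("EXAMPLE_1", "EXAMPLE_3", "NO_KEYWORD", "ONE_PART"):
        found = detect(globals()[name])
        print(name, "->", found["domain"] if found else None)
```

A match from this sketch is only a candidate: per the details above, the page's detector also runs a validity check and alerts only on valid secrets.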
Secret Analyzer
Analysis Method
- Provider allows scopes enumeration: False
- Total network call count: 2
- Total call count may vary: True
HTTP Calls
Requests are designed to capture metadata and not to function effectively.
- POST: /oauth/token
Other Calls
No other calls for this analyzer.