
Introducing CheckMate for Auth0: A New Auth0 Security Tool

Announcing CheckMate for Auth0, a new, open-source tool to proactively assess and improve your Auth0 security. Analyze your tenant configuration against best practices.

Oct 20, 2025 · 5 min read

Auth0 is excited to announce the availability of CheckMate for Auth0, a new self-service tool designed to empower developers and security personnel to proactively assess and strengthen the security posture of your Auth0 tenant environment. CheckMate for Auth0 is an open-source project and available free of charge under the Apache License 2.0.

This powerful tool simplifies and streamlines the often complex process of configuration reviews, providing actionable insights to developers and security teams.

CheckMate for Auth0 helps you gain a comprehensive understanding of your security standing and identify potential vulnerabilities or misconfigurations before they can be exploited.

What is CheckMate for Auth0 checking for?

CheckMate for Auth0 is a command-line tool that analyzes your Auth0 tenant's configuration against a set of security best practices. It provides a clear overview of your security posture and flags potential issues, such as misconfigured applications, insufficient password policies, inadequate MFA settings, and the potential use of vulnerable NPM modules in Auth0 Actions code by looking up entries in GitHub’s Advisory Database. This tool is designed to be versatile and beneficial for various roles within your organization:

  • App developers: Help ensure that your Auth0 tenant configuration aligns with security best practices throughout the development lifecycle, catch vulnerabilities as they are introduced, and confirm that security policies are correctly implemented in your applications.
  • Security teams: Conduct efficient security reviews of your Auth0 applications, quickly identifying areas that require remediation.

Key features of CheckMate for Auth0

CheckMate for Auth0 will evaluate the tenant configuration based on the following set of supported validators:

  • Custom Domains
  • Applications
    • Allowed Callback URL
    • Application Login URL
    • Allowed Logout URL
    • Allowed Web Origins
    • Grant Types
    • JWT Signing Algorithm
    • Cross Origin Authentication
  • Databases
    • Password Policy
    • Password History
    • Password Complexity
    • Password With Personal Info
    • Authentication Methods (Have you enabled passkeys?)
    • External User Store
    • Promoted Domain Level Database Connection
  • Multi-factor Authentication (MFA)
    • Enabled Factors
    • Multifactor Policy
  • Email Provider and Templates
    • Email Provider
    • Email Templates
  • Log Streams
  • Attack Protection
    • Bot Detection
    • Brute Force Protection
    • Suspicious IP Throttling
    • Breached Password Detection
  • Tenant Settings
    • Allowed Callback URL
    • Default Login URL
    • Support Email
    • Support URL
    • Default Directory
    • Default Audience
    • Extensibility Run Time
    • Dynamic Client Registration
  • Extensibility Run Time
    • Extensibility and Runtime
    • Auth Pipeline (Legacy Tenants Only)
      • Rules
      • Hooks
    • Actions
    • NPM Dependencies
    • Actions Runtime
    • Hardcoded Artifacts
  • Auth0 Domain Check
  • Tenant Access Control List (Early Access)
  • Event Streams (Early Access)

The tool will systematically check each of these areas, enabling compliance with best practices and highlighting any deviations that may compromise the security and functionality of the Auth0 tenant.
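To make the "Applications" validators above concrete, here is a small added example (not CheckMate's own code) that runs three of those checks (Allowed Callback URL, Grant Types, JWT Signing Algorithm) over one application record. The rules it applies and the record's field names (callbacks, grant_types, jwt_configuration.alg) are this example's assumptions; the sample application is constructed, and CheckMate's actual rules live in its repository.

```javascript
// Added example, not CheckMate's own code: a minimal version of the kind of
// "Applications" checks listed above (Allowed Callback URL, Grant Types,
// JWT Signing Algorithm). The rules are this example's assumptions about
// best practice; CheckMate's real rules live in its GitHub repository.

// Grant types a modern application should not have enabled (assumed list).
const RISKY_GRANT_TYPES = new Set([
  "implicit",
  "password",
  "http://auth0.com/oauth/grant-type/password-realm",
]);

// Hosts for which plaintext http:// is tolerated during local development.
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1"]);

function checkCallbackUrls(urls) {
  const findings = [];
  for (const url of urls) {
    // A wildcard widens the set of redirect targets the tenant will accept.
    if (url.includes("*")) {
      findings.push(`wildcard in callback URL: ${url}`);
      continue;
    }
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      findings.push(`unparseable callback URL: ${url}`);
      continue;
    }
    // Codes and tokens are delivered to the callback, so plaintext is only
    // acceptable for local development hosts.
    if (parsed.protocol === "http:" && !LOCAL_HOSTS.has(parsed.hostname)) {
      findings.push(`plaintext http callback URL: ${url}`);
    }
  }
  return findings;
}

// Returns a list of human-readable findings for one application record.
function checkApplication(app) {
  const findings = checkCallbackUrls(app.callbacks || []);
  for (const grantType of app.grant_types || []) {
    if (RISKY_GRANT_TYPES.has(grantType)) {
      findings.push(`risky grant type enabled: ${grantType}`);
    }
  }
  const alg = app.jwt_configuration && app.jwt_configuration.alg;
  if (alg === "HS256") {
    findings.push("JWT signing algorithm is HS256 (shared secret); prefer RS256");
  }
  return findings;
}

// Constructed sample application, shaped like a Management API
// GET /api/v2/clients entry (field names as assumed here; values made up).
const SAMPLE_APP = {
  name: "example-spa",
  app_type: "spa",
  callbacks: [
    "https://app.example.com/callback",
    "http://app.example.com/callback",
    "https://*.example.com/callback",
    "http://localhost:3000/callback",
  ],
  grant_types: ["authorization_code", "refresh_token", "implicit"],
  jwt_configuration: { alg: "HS256" },
};

for (const finding of checkApplication(SAMPLE_APP)) {
  console.log(`[${SAMPLE_APP.name}] ${finding}`);
}
```

Run against the constructed application it reports four findings: the plaintext callback, the wildcard callback, the implicit grant, and the HS256 signing algorithm; the https callback and the http://localhost callback pass.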

The tool skips a validator if the tenant is not entitled to the feature, or if the Auth0 response is a 4XX error (for example, because the client lacks the required scope).

Install and setup of CheckMate for Auth0

Our self-service deployment model is optimized to help ensure the best security outcome for customers. CheckMate for Auth0 is deployed using npm as a simple command-line application.

To run the tool, simply:

  1. Download the npm package.
  2. Run the tool locally via the command line.
  3. Provide the domain name for your Auth0 tenant.

Finally, enter the Client ID and Client Secret of a dedicated application that is authorized to call the Management API with the following required scopes:

read:tenant_settings
read:custom_domains
read:prompts
read:clients
read:connections
read:connections_options
read:resource_servers
read:client_grants
read:roles
read:branding
read:email_provider
read:email_templates
read:phone_providers
read:phone_templates
read:shields
read:attack_protection
read:self_service_profiles
read:guardian_factors
read:mfa_policies
read:actions
read:log_streams
read:logs
read:network_acls
read:event_streams

Once the client is successfully authenticated and the assessors are run, CheckMate for Auth0 then produces a downloadable PDF document summarizing its findings and saves it to a local directory. For detailed installation instructions check out the GitHub repo.
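Because a validator is skipped rather than failed when the client lacks a scope, it is worth confirming before a run that the dedicated application's client grant holds exactly the scopes listed above, and nothing broader than a read-only assessment needs. The following is an added example, not CheckMate's own code: it copies the required scope list from this post and compares it with one client grant. The grant's shape (client_id, audience, scope[]) is this example's assumption about a Management API client-grants record, and the sample grant and identifiers are constructed placeholders.

```javascript
// Added example, not CheckMate's own code: verify that the application
// CheckMate authenticates as holds exactly the Management API scopes listed
// above, so no validator is silently skipped for lack of a scope and the
// grant is no wider than a read-only assessment needs.

// Required scopes, copied from the list above.
const REQUIRED_SCOPES = [
  "read:tenant_settings", "read:custom_domains", "read:prompts", "read:clients",
  "read:connections", "read:connections_options", "read:resource_servers",
  "read:client_grants", "read:roles", "read:branding", "read:email_provider",
  "read:email_templates", "read:phone_providers", "read:phone_templates",
  "read:shields", "read:attack_protection", "read:self_service_profiles",
  "read:guardian_factors", "read:mfa_policies", "read:actions", "read:log_streams",
  "read:logs", "read:network_acls", "read:event_streams",
];

// Compare the scopes actually granted with the required list.
function compareScopes(granted, required = REQUIRED_SCOPES) {
  const grantedSet = new Set(granted);
  const requiredSet = new Set(required);
  return {
    missing: required.filter((s) => !grantedSet.has(s)),
    extra: granted.filter((s) => !requiredSet.has(s)),
    // Anything that is not a read: scope lets the credential change the tenant.
    write: granted.filter((s) => !s.startsWith("read:")),
  };
}

// Assess one client grant (shape assumed here: client_id, audience, scope[])
// for the tenant at tenantDomain. The audience must be that tenant's
// Management API, otherwise the token is not usable for the assessment.
function assessClientGrant(grant, tenantDomain) {
  const expectedAudience = `https://${tenantDomain}/api/v2/`;
  const scopes = compareScopes(grant.scope || []);
  const audienceOk = grant.audience === expectedAudience;
  return {
    ...scopes,
    audienceOk,
    ok: audienceOk && scopes.missing.length === 0 && scopes.extra.length === 0,
  };
}

// Constructed sample grant: two required scopes were never granted and two
// write scopes were granted by mistake. Identifiers are placeholders.
const SAMPLE_TENANT_DOMAIN = "example-tenant.us.auth0.com";
const SAMPLE_CLIENT_GRANT = {
  client_id: "CLIENT_ID_PLACEHOLDER",
  audience: `https://${SAMPLE_TENANT_DOMAIN}/api/v2/`,
  scope: REQUIRED_SCOPES
    .filter((s) => s !== "read:network_acls" && s !== "read:event_streams")
    .concat(["update:clients", "delete:users"]),
};

const result = assessClientGrant(SAMPLE_CLIENT_GRANT, SAMPLE_TENANT_DOMAIN);
console.log(JSON.stringify(result, null, 2));
```

For the constructed grant the report lists read:network_acls and read:event_streams as missing (so the Tenant Access Control List and Event Streams validators would be skipped) and update:clients and delete:users as extra write scopes that a read-only tool has no reason to hold.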

The power of stateless operation

CheckMate for Auth0 is designed to be stateless. This crucial design choice means that the analyzer does not store any of your tenant data when you run the tool. It simply fetches configuration information from your Auth0 tenant via the Management API, performs its analysis locally on your machine, and generates a report. Once the process is complete, no sensitive data persists on the machine that ran CheckMate for Auth0 or our infrastructure. This stateless nature helps ensure higher levels of privacy and security for your Auth0 tenant information.

Take action: Secure your Auth0 tenant today

Given the prevalence of identity-based attacks, it’s more critical than ever to secure the identity infrastructure that sits behind your applications.

By proactively identifying and addressing potential misconfigurations, CheckMate for Auth0 can significantly enhance your security posture and prioritize the mitigation of risks before they turn into critical issues. CheckMate for Auth0 is available as an NPM package and on GitHub. We encourage the community to contribute by opening a GitHub Issue. Even better, you can submit improvements via a pull request to share your expertise and help everyone become more resilient.

These materials and any recommendations within are not legal, privacy, security, compliance, or business advice. These materials are intended for general informational purposes only and may not reflect the most current security, privacy, and legal developments nor all relevant issues. You are responsible for obtaining legal, security, privacy, compliance, or business advice from your own lawyer or other professional advisor and should not rely on the recommendations herein. Okta is not liable to you for any loss or damages that may result from your implementation of any recommendations in these materials. Okta makes no representations, warranties, or other assurances regarding the content of these materials. Information regarding Okta's contractual assurances to its customers can be found at okta.com/agreements.