Application Credentials

Application Credentials

Confidential applications, unlike public applications, can securely store credentials. When confidential applications request access or ID tokens from the token endpoint, the application must authenticate with the authorization server. During this request for tokens, the application provides credentials known by the application.

To learn more about confidential applications versus public applications, read Confidential and Public Applications.

Application authentication methods

To get tokens from Auth0, your application must authenticate through the Authentication API. Auth0 supports the following ways your application can authenticate:

  • Client Secret: A symmetrical authentication method. In Client Secret authentication, you use the Client Secret Auth0 generated when you created the application.

  • Private Key JWT: An asymmetric authentication method. In Private Key JWT, you generate a pair of keys, public and private, to use as credentials. You provide the public key and securely store the private key in your own systems without sharing it with Auth0.

Client Secret authentication

Client Secret authentication is a symmetric authentication method included in the OAuth 2.0 specification. Client Secret authentication is the default authentication method in Auth0.

This authentication method is supported by all existing applications and tooling. The Client Secret is a high-entropy value generated by Auth0 when you create an application and is known by both your application and Auth0. Your application authenticates by including the Client Secret in the request to the authorization server.

Some security risks are associated with using Client Secret as a credential, especially for scenarios with higher security demands:

  • The secret used by the application is shared with Auth0.

  • The secret is sent over the network and could be intercepted in the case of man-in-the-middle attacks. 

An application can have a single Client Secret. It is not possible to rotate the secret while you update your implementation with the new secret. To learn more, read Rotate Client Secrets.

Private Key JWT authentication

Private Key JWT authentication is an asymmetric authentication method that relies on private and public key pairs. To learn more, read JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.

You can use the Auth0 Dashboard or Auth0 Management API to configure a tenant to use Private Key JWT. To learn more, read Configure Private Key JWT Authentication.

In Private Key JWT, a request to the authorization server consists of two main steps:

  1. Configure public and private keys:

    1. Generate a key pair (one public key and one private key).

    2. Register the private key with the application making the authentication request and register the public key with the identity provider (IdP).

  2. Build an assertions for requests to the authorization server:

    1. Create a new assertion with specified claims in JWT format and sign it with the private key. Include this assertion as part of the request to the IdP.

    2. IdP validates the assertion using the public key.

To configure Private Key JWT for Auth0, read Configure Private Key JWT Authentication. To learn more about building an assertion for Private Key JWT, read Authenticate with Private Key JWT.

There are some security benefits associated with using Private Key JWT:

  • The private key is not transmitted over the network and reduces the exposure risk of your application’s credentials. Identity providers like Auth0 have no knowledge of the private key, and only applications that have access to the private key can create authentication requests.

  • The signed assertions have a short expiry time, limiting the window of opportunity for replay attacks.

Key registration

You can register two public keys for an application at the same time. Auth0 handles verification against the proper key and allows you to rotate with no downtime. Once the old key has been removed or deactivated, all requests signed with the corresponding private key are invalidated.

Update application authentication method

You can update an application’s authentication method in the Auth0 Dashboard. To learn more, read Credential Settings.

Learn more

Was this article helpful?