Auth0 (Okta Customer Identity Cloud)
Status: Scaffold — content in progress
Auth0 is a developer-focused Customer Identity and Access Management (CIAM) platform acquired by Okta in 2021. It powers authentication for customer-facing applications using OAuth 2.0, OIDC, and SAML.
Key Concepts
| Concept | Description |
|---|---|
| Tenant | Isolated Auth0 instance |
| Application | OAuth2/OIDC client registered in Auth0 |
| Connection | Identity source (database, social, enterprise SAML/OIDC) |
| Action / Rule | Custom code injected into the auth pipeline |
| Machine-to-Machine (M2M) | Client credentials flow for service-to-service auth |
Attack Surface
| Attack | Description |
|---|---|
| Management API key theft | Theft of a long-lived Management API key that permits tenant-admin operations |
| Malicious Rule/Action | An attacker who can write Auth0 Actions gets code that executes in every auth flow |
| Client secret theft | A stolen M2M application credential yields API access under the service's identity |
| Weak database connection passwords | User-managed passwords stored in an Auth0 database connection |
| SSRF via custom domains | Auth0 Universal Login served from an attacker-controlled custom domain |
Cross-Links