Auth0 - Identity and Authentication services

Title

Auth0 - Identity and Authentication services

Use

User registration, sign-in, social and enterprise single sign-on. Password reset and permissions management

Owner

https://voluntarily.atlassian.net/wiki/spaces/VP/pages/106987604 - Admin and monitoring

https://voluntarily.atlassian.net/wiki/spaces/VP/pages/110559254 - Enterprise integration and configuration

Location

https://auth0.com/

https://manage.auth0.com/dashboard/au/voluntarily/

Cost

Free, under Auth0's plan for open-source licensed projects.

Billing

see https://support.auth0.com/reports/quota

Usage

https://support.auth0.com/reports/usage

Access Control

Auth0 allows an organisational account to have multiple tenants (one for each service). We currently run a single tenant, Voluntarily.

Auth0 then allows multiple people to be added as admins of the tenant.


Current admins (Jan 2020) are

  • Andrew Watkins (as Ops Manager),

  • James Goodman, TEC (as TEC integration developer, to allow integration of Auth0 with ESL)


Admin Permissions Process

To be given admin rights you must:

  • Be a technical employee of Voluntarily or Integration partner

  • or be a trusted and experienced, long term contributor we have met in person.

To add a new admin, an existing admin must send them an invitation from the tenant admins page.

Revoking Permissions

Revoke access here https://manage.auth0.com/dashboard/au/voluntarily/tenant/admins .

Access will be revoked for a person:

  • No longer meeting the above requirements.

  • Not having needed access to change the service for more than 12 months.

  • Any action causing malicious harm to the project/codebase.

  • Any action breaking the code of conduct towards others.

  • Any illegal activity

Auditing Permissions and Changes

All configuration changes and sign-ins are recorded in the tenant logs. These should be reviewed quarterly. Note that Auth0 retains tenant logs only for a limited period that depends on the subscription plan, so the logs must be exported regularly (via the Management API or a log stream to an external store) if a quarterly review is to cover the whole quarter.

Asset protection and disaster recovery

Risk of losing access to the service

We would lose access to the service under the following circumstances

  1. failure of Auth0 or withdrawal of the service

  2. loss of Open Source status and/or failure to pay service charges

  3. a malicious person gaining admin access, removing the other admins and disabling the tenant.

Impact of losing access to service

If the service is lost, existing users (including Voluntarily admins) would not be able to sign in or access their accounts. We would have to:

  • identify an alternative fallback authentication service, e.g. Okta or a built-in library

  • update the platform to use the new service's APIs

  • migrate the user accounts.

  • contact all users and ask them to reset their passwords (database accounts only; social and enterprise sign-in would not require a password reset).

This could result in a 2-week outage.

Backup Process

Currently none.

The Management API can be used to extract a copy of the tenant configuration, but no such export is in place yet.
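As an added example of what such an export looks like (this is not Voluntarily's or Auth0's code), the script below obtains a Management API token with the client-credentials grant and pages through the tenant's applications, connections, rules and APIs. It assumes a Machine-to-Machine application (the name, credentials and tenant domain below are hypothetical) authorised for the Management API with only the read-only scopes read:clients, read:connections, read:rules and read:resource_servers, and Node 18 or later for the global fetch. The fetch implementation is passed in so the logic can be exercised without network access.

```javascript
// Added example (not Voluntarily's or Auth0's code): pull a copy of the tenant
// configuration from the Auth0 Management API so it can be kept as a backup.
// Assumptions: a Machine-to-Machine application (hypothetical name
// "tenant-backup") authorised for the Management API with the read-only scopes
// read:clients, read:connections, read:rules and read:resource_servers, and
// Node 18+ (global fetch). fetchImpl is injected so the logic can be run offline.

const RESOURCES = ['clients', 'connections', 'rules', 'resource-servers'];
const PER_PAGE = 50;

// Client-credentials grant against the tenant; the audience must be the
// Management API identifier of the same tenant.
async function getManagementToken(fetchImpl, { domain, clientId, clientSecret }) {
  const res = await fetchImpl(`https://${domain}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      audience: `https://${domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const body = await res.json();
  return body.access_token;
}

// Walk a list endpoint with page/per_page until a short page comes back.
async function listAll(fetchImpl, domain, token, resource) {
  const items = [];
  for (let page = 0; ; page++) {
    const url = `https://${domain}/api/v2/${resource}?page=${page}&per_page=${PER_PAGE}`;
    const res = await fetchImpl(url, { headers: { authorization: `Bearer ${token}` } });
    if (!res.ok) throw new Error(`GET ${resource} page ${page} failed: HTTP ${res.status}`);
    const batch = await res.json();
    items.push(...batch);
    if (batch.length < PER_PAGE) return items;
  }
}

// The clients list can carry client_secret values (when the token also has
// read:client_keys). A backup file that gets copied around should not hold
// them, so any that do come back are replaced before the export is written.
function redactClientSecrets(clients) {
  return clients.map((c) =>
    c.client_secret === undefined ? c : { ...c, client_secret: '<redacted>' });
}

async function exportTenantConfig(fetchImpl, creds) {
  const token = await getManagementToken(fetchImpl, creds);
  const out = { tenant: creds.domain, exported_at: new Date().toISOString() };
  for (const resource of RESOURCES) {
    const items = await listAll(fetchImpl, creds.domain, token, resource);
    out[resource] = resource === 'clients' ? redactClientSecrets(items) : items;
  }
  return out;
}

// Stand-alone use (hypothetical domain):
//   AUTH0_DOMAIN=<tenant>.au.auth0.com AUTH0_CLIENT_ID=... AUTH0_CLIENT_SECRET=... \
//     node export-tenant.js > tenant-backup.json
if (process.env.AUTH0_DOMAIN) {
  exportTenantConfig(fetch, {
    domain: process.env.AUTH0_DOMAIN,
    clientId: process.env.AUTH0_CLIENT_ID,
    clientSecret: process.env.AUTH0_CLIENT_SECRET,
  })
    .then((cfg) => console.log(JSON.stringify(cfg, null, 2)))
    .catch((err) => { console.error(err); process.exit(1); });
}
```

Two caveats for anyone automating this. Auth0's own Deploy CLI (`a0deploy export`) produces an equivalent and more complete configuration export and is the better tool once a scheduled backup exists; the script above mainly shows what the export contains and why it must be stored as a secret. Database-connection users are not part of a configuration export: they are exported with a `POST /api/v2/jobs/users-exports` job, and that file does not contain password hashes, which is why the recovery plan above requires a password reset for database accounts.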

Support - Managing User Identities

UI to help administrators manage user identities, including password resets, creating and provisioning users, and blocking and deleting users.

https://manage.auth0.com/dashboard/au/voluntarily/users

Monitoring

The Logs facility gives admins access to all sign-in events and configuration changes.

https://manage.auth0.com/dashboard/au/voluntarily/logs
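As an added example of the first pass an admin would make over these logs during the quarterly review (not Voluntarily's or Auth0's code), the function below takes a batch of tenant log events, separates out Management API operations (the record of configuration changes, whether made from the dashboard or by an application), counts failed sign-ins per source address and lists accounts that brute-force protection blocked. It assumes events in the shape returned by GET /api/v2/logs using only the top-level fields type, date, description, user_name, client_name and ip; the sample events are constructed for illustration and are not real tenant data.

```javascript
// Added example (not Voluntarily's or Auth0's code): first-pass triage of a
// batch of Auth0 tenant log events for the quarterly review. Events are in the
// shape returned by GET /api/v2/logs; only top-level fields are used.

// Auth0 log event type codes used here.
const CONFIG_CHANGE_TYPES = new Map([['sapi', 'success'], ['fapi', 'failure']]); // Management API operations
const FAILED_LOGIN_TYPES = new Set(['f', 'fp', 'fu']); // failed login / wrong password / unknown user
const BLOCKED_TYPE = 'limit_wc';                      // account blocked by brute-force protection

function summariseLogs(events, { failedLoginThreshold = 5 } = {}) {
  const configChanges = [];
  const failedByIp = new Map();
  const blockedUsers = new Set();

  for (const e of events) {
    if (CONFIG_CHANGE_TYPES.has(e.type)) {
      configChanges.push({
        date: e.date,
        // Dashboard actions carry the admin's user_name; API clients carry client_name.
        actor: e.user_name || e.client_name || 'unknown',
        outcome: CONFIG_CHANGE_TYPES.get(e.type),
        description: e.description,
        ip: e.ip,
      });
    } else if (FAILED_LOGIN_TYPES.has(e.type)) {
      failedByIp.set(e.ip, (failedByIp.get(e.ip) || 0) + 1);
    } else if (e.type === BLOCKED_TYPE) {
      blockedUsers.add(e.user_name);
    }
  }

  // Addresses at or above the threshold are worth a closer look in the full log.
  const suspiciousIps = [...failedByIp]
    .filter(([, count]) => count >= failedLoginThreshold)
    .map(([ip, count]) => ({ ip, count }));

  return { configChanges, suspiciousIps, blockedUsers: [...blockedUsers] };
}

// Constructed sample events (not real tenant data).
const SAMPLE_EVENTS = [
  { type: 'sapi', date: '2020-01-14T02:11:09.000Z', user_name: 'ops-admin@example.org', description: 'Update a client', ip: '203.0.113.10' },
  { type: 's', date: '2020-01-14T02:15:00.000Z', user_name: 'volunteer@example.org', description: 'Success Login', ip: '203.0.113.44' },
  ...Array.from({ length: 6 }, (_, i) => ({
    type: 'fp', date: `2020-01-15T09:0${i}:00.000Z`, user_name: 'volunteer@example.org',
    description: 'Wrong email or password.', ip: '198.51.100.7',
  })),
  { type: 'limit_wc', date: '2020-01-15T09:06:30.000Z', user_name: 'volunteer@example.org', description: 'Blocked Account', ip: '198.51.100.7' },
  { type: 'fu', date: '2020-01-16T11:00:00.000Z', user_name: 'nobody@example.org', description: 'Wrong email or password.', ip: '192.0.2.5' },
  { type: 'fapi', date: '2020-01-20T04:40:12.000Z', client_name: 'tenant-backup', description: 'Create a client', ip: '203.0.113.10' },
];

console.log(JSON.stringify(summariseLogs(SAMPLE_EVENTS), null, 2));
```

A `fapi` entry from an application that is only supposed to read configuration, like the second change above, is exactly the kind of line the review is meant to catch: it shows a client attempting an operation outside the scopes it was granted.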


Open Source Subscription