In a world where attackers are trying to brute-force user accounts (see the 23andMe breach of 2023), it is vital for developers to maintain a long-lived, tamper-proof audit log of all authentication events to keep their apps secure.
While many companies use Auth0 as an authentication provider, its log retention period ranges from only 1 to 30 days, depending on the Auth0 subscription level. That span is useful for application debugging, but it is far too short to satisfy compliance requirements that call for long-term retention.
Adding log streaming with Pangea lets you keep your existing Auth0 authentication setup while Pangea retains the logs for up to 10 years! The best part is that everything can be configured directly in the Auth0 dashboard without any changes to your code base.
What are the Advantages of a Tamperproof Audit Log?
If you’re just interested in implementing audit log streaming for Auth0, you can skip ahead to the next section. No offense taken 😉
- Identify Risk of Exposure
A robust tamperproof audit log helps you quickly assess the risk of exposure after a data breach, since you have a record of every user event and critical user action that occurred in your app.
- Tamperproof logs
Since the message hashes of Pangea Audit Log entries are stored in a cryptographically verifiable hash tree (a Merkle tree), the logs are tamperproof: any alteration of an entry changes its hash and breaks the tree, so it can be detected. Thus Pangea Audit Logs can neither be changed nor destroyed once created.
- Asynchronous Logging
Since Pangea Audit Logs can be written asynchronously alongside your authentication system and APIs, logging does not add latency to your web app's requests.
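To make the tamper-evidence claim above concrete, here is an added illustration (my own minimal Merkle tree, not Pangea's implementation, whose exact hashing scheme this post does not describe). It hashes a few constructed Auth0-style log events, builds an inclusion proof for one of them, and shows the proof failing the moment that event is edited.

```python
import hashlib
import json

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(event: dict) -> bytes:
    # Canonical JSON so the same event always produces the same leaf hash.
    # Domain-separation prefixes (0x00 leaf, 0x01 node) prevent leaf/node confusion.
    return _h(b"\x00" + json.dumps(event, sort_keys=True, separators=(",", ":")).encode())

def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def _pad(level):
    # Duplicate the last node when a level has an odd number of entries.
    return level + [level[-1]] if len(level) % 2 else level

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def inclusion_proof(leaves, index):
    """Return [(sibling_hash, sibling_is_left), ...] from leaf to root."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof

def verify_inclusion(event, proof, root) -> bool:
    h = leaf_hash(event)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

# Constructed sample events shaped like Auth0 log entries (s = success login,
# f = failed login, slo = success logout); not real data.
EVENTS = [
    {"type": "s", "user_id": "auth0|u1", "ip": "203.0.113.5", "date": "2024-01-01T10:00:00Z"},
    {"type": "f", "user_id": "auth0|u1", "ip": "203.0.113.9", "date": "2024-01-01T10:00:07Z"},
    {"type": "slo", "user_id": "auth0|u1", "ip": "203.0.113.5", "date": "2024-01-01T10:05:00Z"},
]

def demo():
    leaves = [leaf_hash(e) for e in EVENTS]
    root = merkle_root(leaves)            # publish/retain this root separately
    proof = inclusion_proof(leaves, 1)
    ok = verify_inclusion(EVENTS[1], proof, root)
    rewritten = dict(EVENTS[1], type="s")  # failed login rewritten as a success
    return ok, verify_inclusion(rewritten, proof, root)   # (True, False)
```

The retained root is what an auditor compares against; an edited or deleted entry can no longer produce a proof that reaches it.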
TL;DR: How do I build it in?
In this tutorial, I will demonstrate how easy it is to add Pangea’s tamperproof audit log API to your Auth0 authentication setup in just a few clicks. No changes to your codebase are needed 😅
Step 1: Create an account on pangea.cloud
Head over to pangea.cloud and create an account for free. Then in the developer console, enable the “Secure Audit Log” service and select the Auth-vX.X.X Log Streaming for the schema template.
Step 2: Create an event stream in Auth0 Dashboard
In your Auth0 dashboard, go to Monitoring >> Streams and click Create Stream. Under the event stream options, select Custom Webhook.
Step 3: Copy your Pangea credentials to set up the webhook
In the Custom Webhook setup window, you'll be asked to input the following:
- Payload URL: Enter the URL of your Pangea project's log-streaming endpoint. You can find it here.
- Authorization Token: Enter the Authorization header value used to access your Secure Audit Log configuration. This would be: Bearer <insert_pangea_token>
- Content Type: Leave it as application/json.
- Content Format: Select JSON Object.
Then you can hit Save! Now, if you head over to the Health tab under the newly created webhook, you should see a success message saying your webhook is Active.
Here’s a quick video on configuring your webhook with Pangea credentials:
Finally, heading over to my React app pre-configured with my Auth0 credentials, let's log in and log out. To check that our audit logs are being streamed, head over to the Pangea Console under Audit Log >> View Logs. There we should see new log entries from our app, streamed straight from Auth0.
Let's test it out!