In a world where hackers are trying to brute force user accounts (23andMe breach 2023), it is vital for developers to maintain a long-lasting and tamper-proof audit log of all authentication events to keep their apps secure.
While many companies use Auth0 as an authentication provider, its log data retention periods ONLY range from 1-30 days depending on the Auth0 subscription level. Although this span may seem useful for application debugging, it’s not optimal for meeting compliance requirements due to such short retention periods.
Thus, adding log streaming with Pangea allows you to keep your Auth0 authentication setup while using Pangea to retain logs for up to 10 years! The best part is that everything can be configured directly in the Auth0 dashboard without any changes to your code base.
If you’re just interested in implementing audit log streaming for Auth0, you can skip ahead to the next section. No offense taken 😉
A robust tamperproof audit log can help quickly assess the risk of exposure after a data breach since you have logs of all user events and critical user actions that occurred in our app.
Since message hashes of Pangea Audit Logs have been designed to be stored in a cryptographically secure hash-tree called “Merkle Trees”, the logs are tamperproof and cryptographically verifiable. Thus Pangea Audit Logs can neither be changed nor destroyed once created.
Since Pangea Audit Logs can be implemented asynchronously with our authentication system and APIs, it doesn’t affect the performance of our web apps.
In this tutorial, I will demonstrate how easy it is to add Pangea’s tamperproof audit log API to your Auth0 authentication setup in just a few clicks. No changes to your codebase are needed 😅
Head over to pangea.cloud and create an account for free. Then in the developer console, enable the “Secure Audit Log” service and select the Auth-vX.X.X Log Streaming for the schema template.
In your Auth0 dashboard, go to Monitoring >> Streams
and click Create Stream
. Under the event stream options, select Custom Webhook
In the Custom Webhook
setup window, you’ll be asked to input the following:
Payload URL - Enter the URL for your Pangea project log-streaming endpoint. You can find it here.
Authorization Token - Enter the Authorization header value to access your Secure Audit Log configuration. This would be Bearer <insert_pangea_token>
Content Type - Leave it as application/json
.
Content Format - Select JSON Object
.
Then you can hit Save! Now, if you head over to the Health
tab under the newly created webhook, you should see a success message saying your webhook is Active
.
Here’s a quick video on configuring your webhook with Pangea credentials:
Finally, heading over to my react app pre-configured with my Auth0 credentials, let’s log in and log out. To check that our audit logs are being streamed let us head over to the Pangea Console under Audit Log >> View Logs
. In here, we should see new logs populated from our app streamed straight from Auth0.
Let's test it out!
Use Cases
Case Studies
Services
Developers
636 Ramona St, Palo Alto, CA 94301
PrivacyTerms of UseYour Privacy ChoicesContact usPangea is a Sample Vendor for Composable Security APIs in the 2024 App Sec Hype Cycle™ report