Merge pull request #105 from auth0/resource-server-settings

Resource server settings

Author: yangwang-okta

analyzer/lib/resource_servers/checkAPISigningAlgorithm.js

@@ -0,0 +1,76 @@
+/*
+  {
+    "id": "xxxxxxxxxxxx",
+    "name": "test wrong alg",
+    "identifier": "test1",
+    "allow_offline_access": false,
+    "skip_consent_for_verifiable_first_party_clients": true,
+    "subject_type_authorization": {
+      "user": {
+        "policy": "require_client_grant"
+      },
+      "client": {
+        "policy": "require_client_grant"
+      }
+    },
+    "token_lifetime": 86400,
+    "token_lifetime_for_web": 7200,
+    "signing_alg": "HS256",
+    "signing_secret": "xxxxxxxxxxxxxxxxxx",
+    "token_dialect": "access_token"
+  }
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+function checkAPISigningAlgorithm(options) {
+  return executeCheck("checkAPISigningAlgorithm", (callback) => {
+    const { resourceServers } = options;
+    const reports = [];
+
+    if (_.isEmpty(resourceServers)) {
+      return callback(reports);
+    }
+
+    resourceServers.forEach((api) => {
+      // Skip the Auth0 Management API (system API)
+      if (api.is_system) {
+        return;
+      }
+
+      const report = [];
+      const apiDisplayName = api.identifier
+        ? `${api.name} (${api.identifier})`
+        : api.name;
+
+      if (api.signing_alg === "HS256") {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "using_symmetric_alg",
+          status: CONSTANTS.FAIL,
+          value: api.signing_alg,
+          identifier: api.identifier,
+        });
+      } else {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "using_asymmetric_alg",
+          status: CONSTANTS.SUCCESS,
+          value: api.signing_alg || "RS256",
+          identifier: api.identifier,
+        });
+      }
+
+      if (report.length > 0) {
+        reports.push({ name: apiDisplayName, report: report });
+      }
+    });
+
+    return callback(reports);
+  });
+}
+
+module.exports = checkAPISigningAlgorithm;

analyzer/lib/resource_servers/checkAPITokenLifetime.js

@@ -0,0 +1,111 @@
+/*
+  {
+    "id": "xxxxxxxxx",
+    "name": "Test long token",
+    "identifier": "test2",
+    "allow_offline_access": true,
+    "skip_consent_for_verifiable_first_party_clients": true,
+    "subject_type_authorization": {
+      "client": {
+        "policy": "require_client_grant"
+      },
+      "user": {
+        "policy": "allow_all"
+      }
+    },
+    "token_lifetime": 864000,
+    "token_lifetime_for_web": 7200,
+    "signing_alg": "RS256",
+    "signing_secret": "xxxxxxxxxxxxxx",
+    "enforce_policies": false,
+    "token_dialect": "access_token"
+  }
+*/
+const _ = require("lodash");
+const executeCheck = require("../executeCheck");
+const CONSTANTS = require("../constants");
+
+// Token lifetime thresholds (in seconds)
+const TOKEN_LIFETIME_DEFAULT = 86400; // 24 hours - Auth0 default
+const TOKEN_LIFETIME_WARNING = 604800; // 7 days
+
+function checkAPITokenLifetime(options) {
+  return executeCheck("checkAPITokenLifetime", (callback) => {
+    const { resourceServers } = options;
+    const reports = [];
+
+    if (_.isEmpty(resourceServers)) {
+      return callback(reports);
+    }
+
+    resourceServers.forEach((api) => {
+      // Skip the Auth0 Management API (system API)
+      if (api.is_system) {
+        return;
+      }
+
+      const report = [];
+      const apiDisplayName = api.identifier
+        ? `${api.name} (${api.identifier})`
+        : api.name;
+
+      const tokenLifetime = api.token_lifetime || TOKEN_LIFETIME_DEFAULT;
+
+      if (tokenLifetime >= TOKEN_LIFETIME_WARNING) {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "token_lifetime_too_long",
+          status: CONSTANTS.FAIL,
+          value: formatDuration(tokenLifetime),
+          identifier: api.identifier,
+        });
+      } else if (tokenLifetime > TOKEN_LIFETIME_DEFAULT) {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "token_lifetime_extended",
+          status: CONSTANTS.WARN,
+          value: formatDuration(tokenLifetime),
+          identifier: api.identifier,
+        });
+      } else {
+        report.push({
+          name: apiDisplayName,
+          api_name: api.name,
+          field: "token_lifetime_appropriate",
+          status: CONSTANTS.SUCCESS,
+          value: formatDuration(tokenLifetime),
+          identifier: api.identifier,
+        });
+      }
+
+      if (report.length > 0) {
+        reports.push({ name: apiDisplayName, report: report });
+      }
+    });
+
+    return callback(reports);
+  });
+}
+
+/**
+ * Format duration in seconds to human-readable string
+ * @param {number} seconds - Duration in seconds
+ * @returns {string} - Formatted duration (e.g., "24 hours", "7 days")
+ */
+function formatDuration(seconds) {
+  if (seconds >= 86400) {
+    const days = Math.floor(seconds / 86400);
+    return `${days} day${days > 1 ? "s" : ""} (${seconds} seconds)`;
+  } else if (seconds >= 3600) {
+    const hours = Math.floor(seconds / 3600);
+    return `${hours} hour${hours > 1 ? "s" : ""} (${seconds} seconds)`;
+  } else if (seconds >= 60) {
+    const minutes = Math.floor(seconds / 60);
+    return `${minutes} minute${minutes > 1 ? "s" : ""} (${seconds} seconds)`;
+  }
+  return `${seconds} seconds`;
+}
+
+module.exports = checkAPITokenLifetime;

analyzer/report.js

@@ -24,6 +24,7 @@ const {
   getLogs,
   getNetworkACL,
   getEventStreams,
+  getResourceServers,
 } = require("./tools/auth0");
 
 const logger = require("./lib/logger");
@@ -166,7 +167,12 @@ async function generateReport(locale, tenantConfig, config) {
         config.auth0MgmtToken
       );
 
+      tenantConfig.resourceServers = await getResourceServers(
+        config.auth0Domain,
+        config.auth0MgmtToken
+      );
     }
+    
     const statusOrder = ["green", "amber", "red"];
     let fullReport =
       (await runProductionChecks(tenantConfig, config.selectedValidators)) ||
@@ -407,6 +413,24 @@ async function generateReport(locale, tenantConfig, config) {
             cd.message = i18n.__(`${report.name}.${cd.field}`, cd.value);
           });
           break;
+        case "checkAPISigningAlgorithm":
+        case "checkAPITokenLifetime":
+          report.advisory = i18n.__(`${report.name}.advisory`);
+          grouped = _.groupBy(report.details, "name");
+          res = tranformReport(grouped);
+          res.forEach((api) => {
+            api.values.forEach((detail) => {
+              detail.report.forEach((c) => {
+                c.name = api.name;
+                c.message = i18n.__(
+                  `${report.name}.${c.field}`,
+                  c.api_name,
+                  c.value
+                );
+              });
+            });
+          });
+          break;
         default:
           report.details.forEach((cd) => {
             cd.message = i18n.__(`${report.name}.${cd.field}`, cd.value);

analyzer/tools/auth0.js

@@ -463,6 +463,20 @@ async function getEventStreams(domain, accessToken) {
     return [error.response.data];
   }
 }
+
+async function getResourceServers(domain, accessToken) {
+  const url = `https://${domain}/api/v2/resource-servers`;
+  const headers = { Authorization: `Bearer ${accessToken}` };
+  logger.log("info", `Getting resource servers (APIs)`);
+
+  try {
+    const response = await axios.get(url, { headers });
+    return response.data;
+  } catch (error) {
+    logger.log("error", `Failed to get resource servers ${error.message}`);
+    return [];
+  }
+}
 module.exports = {
   getAccessToken,
   getCustomDomains,
@@ -486,4 +500,5 @@ module.exports = {
   getLogs,
   getNetworkACL,
   getEventStreams,
+  getResourceServers,
 };

locales/en.json

@@ -155,6 +155,14 @@
 			"title": "Event Streams (Early Access Capability)",
 			"required_scope": "read:event_streamss",
 			"items": []
+		},
+		{
+			"title": "Resource Servers (APIs)",
+			"required_scope": "read:resource_servers",
+			"items": [
+				"Signing Algorithm",
+				"Token Lifetime"
+			]
 		}
 	],
 	"validator_summary": "Checked <b>%s</b> validators against tenant <b>%s</b> in total.",
@@ -1478,6 +1486,59 @@
 			"https://auth0.com/docs/customize/events/event-testing-observability-and-failure-recovery"
 		]
 	},
+	"checkAPISigningAlgorithm": {
+		"title": "Resource Servers (APIs) - Signing Algorithm",
+		"category": "Resource Servers (APIs)",
+		"description": "Validates that APIs use RS256 signing algorithm instead of HS256.",
+		"docsPath": [
+			"https://auth0.com/docs/get-started/apis/api-settings"
+		],
+		"severity": "Moderate",
+		"status": "yellow",
+		"severity_message": "%s API(s) using insecure signing algorithm",
+		"advisory": {
+			"issue": "Insecure Token Signing Algorithm",
+			"description": {
+				"what_it_is": "The signing algorithm determines how access tokens are cryptographically signed.",
+				"why_its_risky": [
+					"HS256 requires sharing the signing secret with your API, increasing the risk of secret exposure. Anyone with the HS256 secret can forge valid tokens."
+				]
+			},
+			"how_to_fix": [
+				"Use RS256 (asymmetric) signing algorithm for new APIs. It is recommended because the token will be signed with your tenant private key."
+			]
+		},
+		"using_symmetric_alg": "API \"%s\" is using HS256 signing algorithm. RS256 is recommended for better security.",
+		"using_asymmetric_alg": "API \"%s\" is using %s signing algorithm."
+	},
+	"checkAPITokenLifetime": {
+		"title": "Resource Servers (APIs) - Token Lifetime",
+		"category": "Resource Servers (APIs)",
+		"description": "Validates that API access token lifetimes are appropriately configured. Shorter lifetimes reduce the window of opportunity if tokens are compromised. Auth0 recommends that sensitive APIs use shorter token lifetimes.",
+		"docsPath": [
+			"https://auth0.com/docs/get-started/apis/api-settings"
+		],
+		"severity": "Info",
+		"status": "blue",
+		"severity_message": "%s API(s) have extended token lifetimes",
+		"advisory": {
+			"issue": "Extended Access Token Lifetime",
+			"description": {
+				"what_it_is": "Token lifetime determines how long an access token remains valid. Auth0's default is 24 hours (86400 seconds), with a maximum of 30 days.",
+				"why_its_risky": [
+					"Long-lived tokens increase the window of opportunity for attackers if tokens are compromised.",
+					"Auth0 recommends that sensitive APIs use shorter token lifetimes (e.g., a banking API should expire more quickly than a to-do API)."
+				]
+			},
+			"how_to_fix": [
+				"Review token lifetime settings for each API based on sensitivity.",
+				"Use shorter lifetimes (e.g., 1 hour) for sensitive APIs."
+			]
+		},
+		"token_lifetime_too_long": "API \"%s\" has an access token lifetime of %s. This exceeds the recommended maximum of 7 days. Consider reducing the lifetime for sensitive APIs.",
+		"token_lifetime_extended": "API \"%s\" has an access token lifetime of %s. This exceeds the default of 24 hours. Review if this is appropriate for your security requirements.",
+		"token_lifetime_appropriate": "API \"%s\" has an access token lifetime of %s."
+	},
 	"checkDPoP": {
 		"title": "Applications - Token Sender-Constraining",
 		"category": "Applications",

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth0/auth0-checkmate",
-  "version": "1.6.18",
+  "version": "1.7.0",
   "description": "A command line tool for checking configuration of your Auth0 tenant",
   "main": "analyzer/report.js",
   "scripts": {