Today we’re excited to announce our integration with Auth0 by Okta to enable simple, secure, and automated workload-to-workload access. We believe the combination of Auth0’s API-driven authentication approach and the Aembit Workload Identity and Access Management Platform can greatly streamline an organization’s security operations while making credential management for non-human identities much easier.
Auth0 is designed to relieve developers of the burden of customer identity and access management (IAM). By leveraging IAM-as-a-service, developers can offload tasks like user login, authorization, and customer management to Auth0, allowing them to focus on work that directly benefits customers instead of the technical plumbing needed to deliver their product.
At the same time, API developers often need to grant access to other parts of their organization or to customers who access applications via a workload (application or script). The typical model for providing API access has been to secure it through a client ID and secret – essentially another form of username and password.
Thankfully, Auth0 has also implemented the ability for developers to outsource this element of access as well. Auth0 refers to it as machine-to-machine access, while we call it workload-to-workload access. By leveraging a similar model to user authentication, developers can rely on Auth0 to front-end their API for workload-to-workload use cases.
Simplifying Life for the API Consumer with Aembit
Auth0 simplifies the life of the API provider, making it more secure. But what about the API consumer? Whether the API consumer is within your organization (such as an adjacent team running a different microservice or application) or external (a customer or business partner), their work remains the same, regardless of whether the API provider uses Auth0.
The API consumer’s work involves:
- Provisioning a client ID and client secret.
- Exchanging the client ID and client secret for an access token.
- Coding the use of the access token into their application.
- Securely managing the client ID, client secret, and access token within their own infrastructure.
In addition, managing these credentials poses significant risks to the organization:
- Are the credentials being secured properly?
- Are the credentials being reused for other applications?
- Are there new, emerging risks in the client application that should prompt restricted access?
This is where Aembit comes in. Aembit provides Workload Identity and Access Management (IAM), enforcing secure, automated access to APIs and services while relieving developers of the burden of authentication.
Since Aembit focuses on the client workload/API consumer and Auth0 focuses on the API provider, it’s easy to see why our technologies are a perfect match.
Using Aembit with Auth0
With Aembit, the developer of the client-side application no longer needs to manage credentials. After provisioning the account within the API of the target service, the developer (or the DevSecOps engineer responsible for managing workload access) configures an Aembit policy to grant access to the API. From then on, the developer does not need to use or manage credentials.
Quickly getting workload IDs from logs:
For the developer who used Auth0 to produce the API, it’s easier for other developers to consume their API, and it’s more secure. The combination of verifying workload identity alongside managing access through just-in-time credential delivery reduces the risk of a bad actor stealing and using the credentials.
For developers consuming an API service, this approach simplifies providing access within their application. They also have less to manage, as securing credentials is offloaded to Aembit.
For DevSecOps, this method offers enhanced security by allowing credentials to be managed centrally. Access is verified based on identity, rather than relying solely on the workload possessing credentials. This prevents credential reuse, which could lead to security or compliance issues. Conditional access can also be applied to ensure the requesting workload meets security posture requirements.
Future Vision for Aembit + Auth0
We’re excited about today’s release and believe it already simplifies and secures workload-to-workload access for those using Auth0. But we have big plans to expand on this work.
We aim to automate and integrate communication between Auth0 and Aembit. For organizations using both Auth0 and Aembit—such as developers on different teams needing access to each other’s APIs—we will continue integrating the services so that no humans need to manage highly privileged workload credentials.
We also want to simplify things for customers outside the organization by making it easier to manage these relationships as well.
We love Auth0’s vision of offloading security plumbing from developers and believe that together, we can go even further to ensure a better and more secure experience for our customers.