Auth0 and Vue: A Match Made in Heaven for Secure App Development

Rate this content
Bookmark

FAQ

Tyler Clark is a staff developer advocate at Auth0 by Okta. He has around nine years of experience in the technology field, primarily working with JavaScript on both front-end and back-end development. He has been involved in projects for small to enterprise-level companies.

The three most common security threats mentioned are brute force attacks, credential stuffing, and phishing. These involve hackers using trial and error to guess passwords, reusing compromised credentials on multiple sites, and tricking users into providing their credentials through fake websites, respectively.

WebAuthn, short for Web Authentication API, is a browser-integrated API that facilitates passwordless authentication using biometrics or single-use tokens. It provides a more secure form of authentication as it eliminates the need for passwords, reducing the risk of phishing and other password-related breaches.

In Vue applications, WebAuthn can be implemented to register and authenticate users using biometrics or one-time tokens without passwords. This involves creating and retrieving credentials using the navigator.credentials.create and navigator.credentials.get functions, respectively, enhancing security by utilizing private and public key pairs.

Yes, WebAuthn is built into web platforms like Chrome and can be used directly through the browser's navigator object without needing an identity solution provider like Auth0. This makes it accessible for developers to implement enhanced security measures in their applications directly.

Password managers like 1Password simplify password management by securely storing various passwords and automatically filling them when needed. They help in creating and managing complex passwords, significantly reducing the risk of breaches due to weak or reused passwords.

WebAuthn is supported by major modern browsers, including Chrome, which integrates the API into its platform. This widespread support allows developers to implement WebAuthn across different user bases, enhancing security across various web applications.

Tyler Clark
Tyler Clark
9 min
15 May, 2023

Comments

Sign in or register to post your comment.

Video Summary and Transcription

Hello Vue.js live. My name is Tyler Clark and today I'm giving a talk titled, Vue.js – Building secure applications. I'll be discussing the biggest app threats today, including brute force attacks, credential stuffing, and phishing. I'll also present solutions like WebAuthn for passwordless authentication using biometrics. As you can see here, use the credentials.create function to get a challenge from a server request. Then, pass the necessary information about the user and the acceptable public key types to the server. WebAuthn eliminates password-based flows, creating a secure private and public key pair.

1. Introduction to Vue.js and App Security

Short description:

Hello Vue.js live. My name is Tyler Clark and today I'm giving a talk titled, Vue.js – Building secure applications. I'm a staff developer advocate at Auth0 by Okta with nine years of experience in the technology space. I'll be discussing the biggest app threats today, including brute force attacks, credential stuffing, and phishing. I'll also present solutions like WebAuthn for passwordless authentication using biometrics.

Hello Vue.js live. First of all, thanks for having me. I'm glad to be here and speaking with you all today.

My name is Tyler Clark and today I'm giving a talk titled, Vue.js – Building secure applications. A quick little blurb about me, my name is Tyler Clark again. I'm a staff developer advocate at Auth0 by Okta. I've worked in the technology space for about nine years now, mostly JavaScript, mostly front-end and back-end, but I've kind of done a little bit of everything for small companies all the way up to enterprise-level companies. You can find me in two places, Twitter at I Am Tyler W Clark, you can also find me at Edcad.io, I've got a bunch of courses on there, and I'm going to be in the conference Discord, so please find me there and ask me any kind of follow-up questions because I'm sure you'll have some by the end of this talk.

All right, this is a lightning talk, I only have about seven minutes so let's jump right to it. Security is, well, just not an easy thing to talk about, especially in a timeframe of seven minutes, but we're going to do our best today. I do want to talk about some of the biggest app threats today that we see a lot of these breaches that come from. I have a couple solutions that you can add and apply through a Vue app, and then at the very end I'm going to give some links to take this a little bit further.

Now the three most common security threats on applications today are brute force attacks, credential stuffing and phishing. Brute force attacks is basically just an excessive amount of trial and errors that hackers use to try to guess your password. Credential stuffing is where you've used the same identifier email or username and password combination on one site, that site gets breached, and then hackers take that information and try to access other applications that those users might have used with the same combinations and try to get access to that. And phishing is where you might get an email that looks like it's from Amazon, you click on the link, it looks like it's an Amazon splash page, you give it your username and password, and it turns out it's not Amazon and you've just given away your username and password.

So look, passwords suck, everyone hates them, that's why things like 1Password and these password managers are so popular because it's a one stop shop, it automatically fills in, but it sucks that we still have to have that today. So what are our options today as developers in our Vue applications? So there are three that I want to talk about here, but today I'm going to share the code this top one, WebAuthn, which uses biometrics like your fingerprint or your iris to sign into an application. Or there's another common word you can send an email or a text message that has a one time password that users could then take and then enter into your login screen that automatically logs users in. Both of these automatically log users in without the need of a password, so there's no potential of it being breached there.

So what is WebAuthn? WebAuthn is slang for the Web Authentication API. It's built into platforms like the browser. Authenticating with WebAuthn based biometrics is the equivalent to MFA. So it basically means that when you authenticate once, as you can see in the slide here, no further multi-factor authentication is needed. So you'll see multi-factor authentication means that somebody uses a password in login and then after that they also need to provide like a text and a code to enter into. Authentication requires multiple factors to get in, but if you use WebAuthn, that counts for both. WebAuthn based passwordless authentication is unphishable, which I talked about in that other slide. Now I said it's built into platforms like Chrome, so it's not required to use some type of identity solution company like Auth0 to be able to use this in your app today. It's built into Chrome. It's using the Navigator object.

2. WebAuthn Registration and Authentication

Short description:

As you can see here, use the credentials.create function to get a challenge from a server request. Then, pass the necessary information about the user and the acceptable public key types to the server. After the user completes the registration, they can log in and reauthenticate by providing an assertion generated by the navigator object's .credentials.get method.

As you can see here, use this credentials.create function passing in some code, which I'm going to show you here in a moment. And you might be thinking, what is the support on this? Like you use Safari. You have users on Edge or Internet Explorer. Here is a quick little glance on the browser support for WebAuthn.

All right, let's jump right into the code here as I'm running out of time. Let's say that we've got two buttons here. We've got a register and a login button that we're using in our component. It's got a register and login function.

So first up, let's talk about the register function. Right off the bat, you'll see that we're getting a challenge from a server request here. This is a server request that we own. A challenge is basically just a randomly generated bytes. It's used to prevent replay attacks. This right here, this await navigator is what I just talked about. This is built into the browser, it's off the window object. And this is the navigator object that provides this credentials.create. You'll see inside of here we're passing it an object and there is an RP here, basically means responsible party. So this is the one that's responsible for registering and authenticating this particular user that's trying to create an account. Given that user, this user object is going to be the information about the user that's currently registering.

You'll see that there's a name, there's an ID and there's a display name. And the last required piece in this object is pubkey cred params. So inside of this you're going to see it's an array of objects that describes what public key types are acceptable to the server. And then inside of that you'll see a type public key and there's an ALG negative seven. That number there defines what type of algorithm, signature algorithm that's going to be used to create this. And then after that we post to that same route, but this is a post providing the response back from this credential.

Now after a user has completed registering for their account, they've left, they've come back, they're ready to log in and reauthenticate. During this authentication the user needs to prove that they own the private key that they registered with initially. They're going to do so by providing an assertion. And this is generated by doing this .credentials.git on the navigator object. This is going to retrieve the credential generated during the registration with the signature included.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Everything Beyond State Management in Stores with Pinia
Vue.js London Live 2021Vue.js London Live 2021
34 min
Everything Beyond State Management in Stores with Pinia
Top Content
State management is not limited to complex applications and transitioning to a store offers significant benefits. Pinia is a centralized state management solution compatible with Vue 2 and Vue 3, providing advanced devtools support and extensibility with plugins. The core API of Pinia is similar to Vuex, but with a less verbose version of stores and powerful plugins. Pinia allows for easy state inspection, error handling, and testing. It is recommended to create one file per store for better organization and Pinia offers a more efficient performance compared to V-rex.
Welcome to Nuxt 3
Vue.js London Live 2021Vue.js London Live 2021
29 min
Welcome to Nuxt 3
Top Content
Nux3 has made significant improvements in performance, output optimization, and serverless support. Nuxt Bridge brings the Nitro engine for enhanced performance and easier transition between Nuxt 2 and Nuxt Read. Nuxt 3 supports Webpack 5, Bytes, and Vue 3. NextLab has developed brand new websites using Docus technology. Nuxt.js is recommended for building apps faster and simpler, and Nuxt 2 should be used before migrating to Nuxt 3 for stability. DOCUS is a new project that combines Nuxt with additional features like content modules and an admin panel.
One Year Into Vue 3
Vue.js London Live 2021Vue.js London Live 2021
20 min
One Year Into Vue 3
Top Content
Vue 3 has seen significant adoption and improvements in performance, bundle size, architecture, and TypeScript integration. The ecosystem around Vue 3 is catching up, with new tools and frameworks being developed. The Vue.js.org documentation is undergoing a complete overhaul. PNIA is emerging as the go-to state management solution for Vue 3. The options API and composition API are both viable options in Vue 3, with the choice depending on factors such as complexity and familiarity with TypeScript. Vue 3 continues to support CDN installation and is recommended for new projects.
Utilising Rust from Vue with WebAssembly
Vue.js London Live 2021Vue.js London Live 2021
8 min
Utilising Rust from Vue with WebAssembly
Top Content
In this Talk, the speaker demonstrates how to use Rust with WebAssembly in a Vue.js project. They explain that WebAssembly is a binary format that allows for high-performance code and less memory usage in the browser. The speaker shows how to build a Rust example using the WasmPack tool and integrate it into a Vue template. They also demonstrate how to call Rust code from a Vue component and deploy the resulting package to npm for easy sharing and consumption.
Vue: Feature Updates
Vue.js London 2023Vue.js London 2023
44 min
Vue: Feature Updates
Top Content
The Talk discusses the recent feature updates in Vue 3.3, focusing on script setup and TypeScript support. It covers improvements in defining props using imported types and complex types support. The introduction of generic components and reworked signatures for defined components provides more flexibility and better type support. Other features include automatic inference of runtime props, improved define emits and defined slots, and experimental features like reactive props destructure and define model. The Talk also mentions future plans for Vue, including stabilizing suspense and enhancing computer invalidations.
Local State and Server Cache: Finding a Balance
Vue.js London Live 2021Vue.js London Live 2021
24 min
Local State and Server Cache: Finding a Balance
Top Content
This Talk discusses handling local state in software development, particularly when dealing with asynchronous behavior and API requests. It explores the challenges of managing global state and the need for actions when handling server data. The Talk also highlights the issue of fetching data not in Vuex and the challenges of keeping data up-to-date in Vuex. It mentions alternative tools like Apollo Client and React Query for handling local state. The Talk concludes with a discussion on GitLab going public and the celebration that followed.

Workshops on related topic

Vue3: Modern Frontend App Development
Vue.js London Live 2021Vue.js London Live 2021
169 min
Vue3: Modern Frontend App Development
Top Content
Featured WorkshopFree
Mikhail Kuznetsov
Mikhail Kuznetsov
The Vue3 has been released in mid-2020. Besides many improvements and optimizations, the main feature of Vue3 brings is the Composition API – a new way to write and reuse reactive code. Let's learn more about how to use Composition API efficiently.

Besides core Vue3 features we'll explain examples of how to use popular libraries with Vue3.

Table of contents:
- Introduction to Vue3
- Composition API
- Core libraries
- Vue3 ecosystem

Prerequisites:
IDE of choice (Inellij or VSC) installed
Nodejs + NPM
Using Nitro – Building an App with the Latest Nuxt Rendering Engine
Vue.js London Live 2021Vue.js London Live 2021
117 min
Using Nitro – Building an App with the Latest Nuxt Rendering Engine
Top Content
Workshop
Daniel Roe
Daniel Roe
We'll build a Nuxt project together from scratch using Nitro, the new Nuxt rendering engine, and Nuxt Bridge. We'll explore some of the ways that you can use and deploy Nitro, whilst building a application together with some of the real-world constraints you'd face when deploying an app for your enterprise. Along the way, fire your questions at me and I'll do my best to answer them.
Monitoring 101 for React Developers
React Summit US 2023React Summit US 2023
107 min
Monitoring 101 for React Developers
Top Content
WorkshopFree
Lazar Nikolov
Sarah Guthals
2 authors
If finding errors in your frontend project is like searching for a needle in a code haystack, then Sentry error monitoring can be your metal detector. Learn the basics of error monitoring with Sentry. Whether you are running a React, Angular, Vue, or just “vanilla” JavaScript, see how Sentry can help you find the who, what, when and where behind errors in your frontend project. 
Workshop level: Intermediate
Going on an adventure with Nuxt 3, Motion UI and Azure
JSNation 2022JSNation 2022
141 min
Going on an adventure with Nuxt 3, Motion UI and Azure
WorkshopFree
Melanie de Leeuw
Melanie de Leeuw
We love easily created and deployed web applications! So, let’s see what a very current tech stack like Nuxt 3, Motion UI and Azure Static Web Apps can do for us. It could very well be a golden trio in modern day web development. Or it could be a fire pit of bugs and errors. Either way it will be a learning adventure for us all. Nuxt 3 has been released just a few months ago, and we cannot wait any longer to explore its new features like its acceptance of Vue 3 and the Nitro Engine. We add a bit of pizzazz to our application with the Sass library Motion UI, because static design is out, and animations are in again.Our driving power of the stack will be Azure. Azure static web apps are new, close to production and a nifty and quick way for developers to deploy their websites. So of course, we must try this out.With some sprinkled Azure Functions on top, we will explore what web development in 2022 can do.
TresJS create 3D experiences declaratively with Vue Components
Vue.js London 2023Vue.js London 2023
137 min
TresJS create 3D experiences declaratively with Vue Components
Workshop
Alvaro Saburido
Alvaro Saburido
- Intro 3D - Intro WebGL- ThreeJS- Why TresJS- Installation or Stackblitz setup - Core Basics- Setting up the Canvas- Scene- Camera- Adding an object- Geometries- Arguments- Props- Slots- The Loop- UseRenderLoop composable- Before and After rendering callbacks- Basic Animations- Materials- Basic Material- Normal Material- Toon Material- Lambert Material- Standard and Physical Material- Metalness, roughness - Lights- AmbientLight- DirectionalLight- PointLights- Shadows- Textures- Loading textures with useTextures- Tips and tricks- Misc- Orbit Controls- Loading models with Cientos- Debugging your scene- Performance
Building Vue forms with VeeValidate
Vue.js London Live 2021Vue.js London Live 2021
176 min
Building Vue forms with VeeValidate
Workshop
Abdelrahman Awad
Abdelrahman Awad
In this workshop, you will learn how to use vee-validate to handle form validation, manage form values and handle submissions effectively. We will start from the basics with a simple login form all the way to using the composition API and building repeatable and multistep forms.

Table of contents:
- Introduction to vee-validate
- Building a basic form with vee-validate components
- Handling validation and form submissions
- Building validatable input components with the composition API
- Field Arrays and repeatable inputs
- Building a multistep form
Prerequisites:
VSCode setup and an empty Vite + Vue project.