Table: auth0_signing_key - Query Auth0 Signing Keys using SQL
Auth0 Signing Keys are crucial components in the Auth0 security model, used for verifying the signature of incoming JWT tokens. These keys are primarily used in the process of authentication and authorization in applications. They are part of the wider Auth0 platform, a flexible and scalable solution for identity and access management.
Table Usage Guide
The auth0_signing_key table offers valuable insights into the signing keys within the Auth0 platform. If you're a security analyst or a developer, you can use this table to explore key-specific details, including the key ID, certificate, and associated metadata. This can be particularly useful for verifying the integrity of JWT tokens, ensuring secure user authentication, and maintaining the overall security posture of your applications.
Examples
For how long has the current signing key been available
Explore the duration for which the current signing key has been active. This can help in identifying potential security risks and maintaining good practices by regularly updating keys.
Postgres:

select
  current_date - current_since as current_for
from
  auth0_signing_key
where
  current;

SQLite:

select
  julianday('now') - julianday(current_since) as current_for
from
  auth0_signing_key
where
  current;
Next signing key
Determine the upcoming signing key in your Auth0 environment to ensure smooth transitions of authentication processes and avoid unexpected service disruptions.
select
  kid,
  fingerprint,
  thumbprint
from
  auth0_signing_key
where
  next;
Previous signing key
Explore the history of signing keys to understand when a particular key was in use. This can be beneficial for auditing purposes or to trace back any security-related issues.
Postgres:

select
  kid,
  fingerprint,
  thumbprint,
  current_since,
  current_until
from
  auth0_signing_key
where
  previous;

SQLite:

select
  kid,
  fingerprint,
  thumbprint,
  current_since,
  current_until
from
  auth0_signing_key
where
  previous = 1;
Average time for which the previous signing keys were available
Determine the average duration for which previous authentication keys were available. This is useful for understanding the typical lifespan of keys, aiding in planning for key rotation schedules.
Postgres:

select
  avg(current_until - current_since) as average_duration
from
  auth0_signing_key
where
  previous;

SQLite:

select
  avg(julianday(current_until) - julianday(current_since)) as average_duration
from
  auth0_signing_key
where
  previous;
Revoked signing keys
List the signing keys that have been revoked, most recently revoked first, so you can review and prioritize them. This is especially useful in high-security environments.

select
  kid,
  fingerprint,
  thumbprint,
  revoked_at
from
  auth0_signing_key
where
  revoked
order by
  revoked_at desc;
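The checks above combined into a single rotation audit, as an added example that is not part of the original page (PostgreSQL syntax). The 90-day and 30-day thresholds are assumed policy values, not Auth0 or Steampipe defaults; the query uses only columns from this table.

```sql
-- Added example: one row per signing key with its state, how long it was
-- (or has been) the current key, and a rotation finding.
-- Assumption: 90 days is the rotation window and 30 days the review window
-- for revocations; adjust both to your own policy.
select
  k.domain_name,
  k.kid,
  k.thumbprint,
  case
    when k.revoked  then 'revoked'
    when k.current  then 'current'
    when k.next     then 'next'
    when k.previous then 'previous'
    else 'other'
  end as key_state,
  case
    -- The current key is still in use, so measure up to now.
    when k.current then now() - k.current_since
    -- Rotated keys have a closed interval; null if never current.
    else k.current_until - k.current_since
  end as time_as_current,
  case
    when k.current
      and k.current_since < now() - interval '90 days'
      then 'current key exceeds assumed 90-day rotation window'
    -- A rotation needs a staged next key in the same domain.
    when k.current
      and not coalesce(bool_or(k.next) over (partition by k.domain_name), false)
      then 'no next key staged for rotation'
    when k.revoked
      and k.revoked_at > now() - interval '30 days'
      then 'recently revoked: confirm relying parties no longer trust this kid'
    else 'ok'
  end as finding
from
  auth0_signing_key as k
order by
  k.domain_name,
  k.current desc,
  k.current_since desc nulls last;
```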
Schema for auth0_signing_key
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
cert | text | | The public certificate of the signing key. |
current | boolean | | True if the key is the current key. |
current_since | timestamp with time zone | | The date and time when the key became the current key. |
current_until | timestamp with time zone | | The date and time when the current key was rotated. |
domain_name | text | =, !=, ~~, ~~*, !~~, !~~* | The name of the domain. |
fingerprint | text | | The cert fingerprint. |
kid | text | = | The key id of the signing key. |
next | boolean | | True if the key is the next key. |
pkcs7 | text | | The public certificate of the signing key in pkcs7 format. |
previous | boolean | | True if the key is the previous key. |
revoked | boolean | | True if the key is revoked. |
revoked_at | timestamp with time zone | | The date and time when the key was revoked. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
thumbprint | text | | The cert thumbprint. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- auth0
You can pass the configuration to the command with the --config argument:
steampipe_export_auth0 --config '<your_config>' auth0_signing_key