Access Keys, Secrets Scanning, and Revocation

Authress provides automatic secrets scanning and revocation for your exposed Service Client Access Keys. The access keys generated secure your service clients, and it is critically important to keep these access keys secret at all times.

However, it is possible that some of these access keys might end up in your source code repositories, so Authress uses its own internal tools as well as partnerships with GitHub, GitLab, and other secret scanning programs such as Gitleaks.

Automated Process

Authress searches for instances of exposed service client access keys. The key aspects of this program are:

1. Detection

Authress searches for strings matching our token regex. Tokens usually look something like this:

sc_aNySQ.iocD.acc_9647aa001.MC4CAQAwBQYDK2VwBCIEIEWKzNhYSfa72U

And all of them follow this regex:

// Parts are separated by a `.` period:
/^(sc|ext|scauth|authress)_[a-zA-Z0-9]{5,30}\.[a-zA-Z0-9]{4,6}\.acc[_-][a-z0-9-]{10,32}\.[a-zA-Z0-9+/_=-]{30,120}$/

// 1. Starts with one of the known prefixes (sc, ext, scauth or authress) and an underscore
(sc|ext|scauth|authress)_

// 2. followed by the service client ID
[a-zA-Z0-9]{5,30}

// 3. access key ID
[a-zA-Z0-9]{4,6}

// 4. your account ID
acc[_-][a-z0-9-]{10,32}

// 5. The raw private key (the `-` is listed last in the class so it is a literal, not a range)
[a-zA-Z0-9+/_=-]{30,120}
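The same pattern can be run over a file before it is committed so an exposed key is caught locally rather than by the scanning program. The following is an added example, not Authress code: it uses the page's key format, unanchored, to find keys in arbitrary text and reports each hit with the private key section redacted. The sample file content and the token in it are constructed for this example and are not real keys.

```javascript
// Same pattern as the documented anchored regex, but unanchored and global so
// it can be applied to whole files. Capture groups: prefix, service client ID,
// access key ID, account ID, raw private key. The lookarounds stop the match
// from starting or ending inside a longer identifier.
const ACCESS_KEY_PATTERN =
  /(?<![a-zA-Z0-9_])(sc|ext|scauth|authress)_([a-zA-Z0-9]{5,30})\.([a-zA-Z0-9]{4,6})\.(acc[_-][a-z0-9-]{10,32})\.([a-zA-Z0-9+/_=-]{30,120})(?![a-zA-Z0-9+/_=-])/g;

// Return one finding per matched key. The private key is never copied into the
// finding: only the metadata needed to locate the key and revoke it.
function findExposedAccessKeys(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(ACCESS_KEY_PATTERN)) {
      const [, prefix, clientId, keyId, accountId, privateKey] = m;
      // Keep the last four characters of the private key so the finding can be
      // matched against the key listed in the console without exposing it.
      const masked = '*'.repeat(privateKey.length - 4) + privateKey.slice(-4);
      findings.push({
        line: idx + 1,
        prefix,
        clientId,
        keyId,
        accountId,
        redacted: `${prefix}_${clientId}.${keyId}.${accountId}.${masked}`,
      });
    }
  });
  return findings;
}

// Constructed sample: an environment file with one hard-coded key (not a real
// key) and one look-alike string whose key ID is too short to match.
const SAMPLE_FILE = [
  'AUTHRESS_HOST=https://example.authress.io',
  'AUTHRESS_KEY=sc_exampleClient1.ab12.acc_0123456789ab.EXAMPLEPRIVATEKEYMATERIALNOTREAL0123456789',
  'OTHER=sc_short.ab.acc_x.notlongenough',
].join('\n');

for (const f of findExposedAccessKeys(SAMPLE_FILE)) {
  console.log(`line ${f.line}: exposed key ${f.redacted} (client ${f.clientId}, account ${f.accountId})`);
}
```

A non-zero number of findings is the signal to fail the pre-commit hook or CI step and rotate the key from the Authress console.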

2. Revocation

When Authress detects one of these tokens, either directly or via one of our partners' secret scanning programs, the token is automatically revoked, preventing any long-term vulnerability resulting from the exposure. Revoked tokens are immediately removed from your account and blocked.

danger

Be prepared to handle issues when these tokens are revoked. If you have a reason to store a publicly accessible Authress Service Client Access Key, please reach out to our Support so we can better understand your use case.

3. Alerting

After the revocation of the Service Client Access Key, an email will be sent to your Account Contact to alert you of this activity in your account. No action is required on your side, but you should follow up and review how this happened to help prevent additional issues.

[Image: Email example of token exposure result]

4. Remediation

When one of your tokens gets revoked due to exposure, here are the recommended steps to take to follow up on this action:

CI/CD Token usage

Authress already provides OIDC token integration for every OIDC-compatible provider (GitHub, GitLab, Terraform, etc.), so in these environments Service Client Access Keys are not necessary. There is more about this in the OIDC Token integration guide.