CIAM by example in four recipes: Build for data privacy and compliance

This recipe is part of the series Learn CIAM by example: Four recipes to improve your app’s security and UX. You can learn more about the series by downloading our four recipes in a cookbook format.

In this recipe, you learn how to add passwordless auth to your application using passkeys.

Consumers want to see and do more digitally, and they trust brands that are clear about how their information is used to deliver value.

Getting data privacy right for any user, whether they're your employee, a customer, or someone on contract, is rarely a one-time consideration.

Different regulatory bodies have different compliance requirements depending on the type of data you're working with, whether it’s user access to health information (HIPAA) or personal information relating to individuals in the EU (GDPR).

Data privacy compliance is more than just obtaining the appropriate consent. It’s a framework for appropriate access, which includes the security of your consumer data.

Why is data privacy compliance important?

With bigger organizations comes greater responsibility regarding the depth of compliance required by regulations like GDPR and CCPA. That said, no organization — even the smallest one — is off the hook when it comes to data privacy — and security is a major component of data privacy.

Think about how privacy works in the real world. You can put four walls and a door around just about anything. But if the door doesn’t have a lock, is that space private?

Phase 1: Implement an audit log

Per GDPR and CCPA, organizations great and small are obliged to follow certain auditing practices, and the foundation of these practices begins with an audit compliance layer, also known as an audit log.

Unlike SIEM or system logging tools, an audit log relays the impact of a security incident in a readable form, like a historical record of events, so you can compare an individual’s or group’s actions on your platform against the permissions they actually hold and raise a red flag when the two don’t match.

With Auth0 by Okta, you don’t need to build your audit log stream. Our logs are ready for auditing out-of-the-box, with several compliance certifications built in to help support compliance readiness.

However, that’s only the beginning. Audit logs tell you what parts of your platform are frequented and what data is visible to your lowest common denominator. It’s up to organizations to mobilize these insights into tangible protection for their consumers and provide tools that give them control over their data.

Phase 2: Consent

Data privacy laws may require organizations to obtain appropriate consent before processing personal data. With Auth0 by Okta professional and enterprise, customers can obtain consent using Custom Prompts.

Custom Prompts is a feature built on the Liquid template language, designed to give developers enhanced control over the login and signup experience, with partial templates at various entry points. Basically, with a bit of HTML, CSS, and Javascript, teams can bootstrap their consent efforts with Auth0 by Okta’s cloud-hosted Universal Login.

These partial templates can accomplish granular consent and capture other information at different points in the authentication journey, powered by Auth0 by Okta Actions. In this recipe, we will add a signup prompt using Actions.

Recipe

Ingredients

  1. Let’s load our partial consent template into our login with an API call.
    Here’s the consent partial.

  <div class="ulp-field">
    <input
      type="checkbox"
      name="ulp-terms-of-service"
      id="terms-of-service">
    <label for="terms-of-service">
      I accept the
      <a href="https://example.com/tos">terms and conditions</a>
    </label>
  </div>

Add this to a curl command, and go. The partial is sent as a JSON string under signup.form-content-end, so the HTML is collapsed onto one line and its quotes are escaped.

# Add your own tenant info
URL='https://TENANT.ENVIRONMENT.auth0.com/api/v2/prompts/signup/partials'
TOKEN='eyJhbGci…'

curl -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $TOKEN" \
  -d "{\"signup\":{\"form-content-end\":\"<div class='ulp-field'><input type='checkbox' name='ulp-terms-of-service' id='terms-of-service'><label for='terms-of-service'>I accept the <a href='https://example.com/tos'>terms and conditions</a></label></div>\"}}" \
  "$URL"

  2. Since Universal Login is ready to support consistent, branded UX, your custom partials will fit right in with the rest of the UI.

  3. To secure this client-side code, we need to take the extra step of creating server-side validation — in the form of a pre-user-registration Action — by navigating to Actions > Library > Build Custom.
  4. Add the following code to the Action, which will fail validation when consent has not been given, then Deploy to save:

exports.onExecutePreUserRegistration = async (event, api) => {
  // The checkbox value from the signup form partial; an unchecked box is simply absent.
  const termsOfService = event.request.body['ulp-terms-of-service'];
  if (!termsOfService) {
    // Reject the registration server-side, regardless of what the client submitted.
    api.validation.error("invalid_payload", "Please review the terms of service.");
    return;
  }
  // Record the consent on the user's profile so it is visible under user_metadata.
  api.user.setUserMetadata("termsOfService", true);
};

  5. Navigate to Flows > Pre User Registration, and add your Custom Action.
  6. Now, when your user gives consent, this will be documented in their profile (User Management > Users) under user_metadata.
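As an added example that is not part of the original recipe or Auth0's own code, here is the same pre-user-registration Action extended to record which terms version was accepted and when (the kind of evidence the audit log in Phase 1 relies on), plus a constructed stand-in for the Actions event and api objects so the consent check can be exercised offline. TOS_VERSION and the runSignup harness are assumptions, not part of Auth0.

```javascript
// Added example: hardened consent check for an Auth0 pre-user-registration Action.
// The event/api calls mirror the ones used in the recipe above; everything else
// (TOS_VERSION, the harness) is constructed for this example.

const TOS_VERSION = '2024-01'; // assumed: your own label for the current terms text

const onExecutePreUserRegistration = async (event, api) => {
  const termsOfService = event.request.body['ulp-terms-of-service'];
  // An unchecked checkbox is absent from the form body, so any falsy value means no consent.
  if (!termsOfService) {
    api.validation.error('invalid_payload', 'Please review the terms of service.');
    return;
  }
  // Store what was consented to and when, so the profile itself is audit evidence
  // and a later change of terms can be detected by comparing the version.
  api.user.setUserMetadata('termsOfService', true);
  api.user.setUserMetadata('termsOfServiceVersion', TOS_VERSION);
  api.user.setUserMetadata('termsOfServiceAcceptedAt', new Date().toISOString());
};

// Auth0 loads the handler from module exports; guarded so the file also runs as a plain script.
if (typeof exports !== 'undefined') {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
}

// Constructed harness: minimal fakes of the Actions `event` and `api` objects.
// It captures whether the signup was rejected and which metadata would be written.
function runSignup(formBody) {
  const result = { rejected: null, userMetadata: {} };
  const event = { request: { body: formBody } };
  const api = {
    validation: { error: (code, message) => { result.rejected = { code, message }; } },
    user: { setUserMetadata: (key, value) => { result.userMetadata[key] = value; } },
  };
  // The handler has no awaits, so its api calls complete before the promise is returned.
  onExecutePreUserRegistration(event, api);
  return result;
}

// Constructed sample form bodies: one without the checkbox, one with it checked.
const withoutConsent = runSignup({ email: 'user@example.com' });
const withConsent = runSignup({ email: 'user@example.com', 'ulp-terms-of-service': 'on' });
console.log('no consent  ->', withoutConsent.rejected);
console.log('with consent ->', withConsent.userMetadata);
```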

Phase 3: Preference Center

Data privacy compliance requires that users consent to the collection and use of their personal data and can revoke it and access or correct their data or delete it from your platform.

A Preference Center is a place where users go to manage their preferences, including the newsletters they signed up for and any other service in between that requires explicit consent.


When organizations invest in an identity solution like Auth0 by Okta, building a preference center is a breeze through the Auth0 Management API.

Phase ∞: Data security

Malicious actors are just as active as organizations in finding ways to harness the latest technology. Data security has no end game, but Auth0 by Okta has powerful tools and expert personnel at your disposal to keep fraudulent activity off your platform. 

What's next?

With your application secure and compliant, it's time to use CIAM to get a universal view of your consumer across multiple channels.

In our next recipe, we’ll explore CIAM's extensibility by integrating your consumer data into a marketing system. If you want to see that, plus all other recipes, in a comprehensive guide, download our cookbook.