jared on Nostr: In any authentication scenarios that are claims based (SAML, OIDC/OAuth), it’s the ...
In any authentication scenario that is claims based (SAML, OIDC/OAuth), it’s the responsibility of the app developers to select an immutable identifier claim, but many developers will select email address (or a similar claim like upn), which relies on domain names that can be reused (thus not immutable).
So, this type of vulnerability likely exists in many apps regardless of the identity provider.
However, the problem here is that the identity provider doesn’t provide any consistent immutable identifiers for the app developers to have chosen.
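The account-linking mistake the post describes, shown as an added example (not code from the post or from any identity provider): one user store keys local accounts on the `email` claim, the other on the `(iss, sub)` pair. The claim sets, issuer URL and subject values are constructed stand-ins for already-verified ID-token claims; the "domain changed hands" scenario is simulated by a second person presenting the same email with a different `sub`.

```python
"""Account linking for claims-based sign-in: keying on a mutable claim
(email) versus an immutable one (issuer + subject).

Added example, not from the original post. The claim dicts below stand in
for decoded, signature-verified ID-token claims; issuer and subject values
are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Account:
    account_id: int
    display_name: str
    # The (iss, sub) pair allowed to sign in to this account (hardened store only).
    linked_identity: Optional[Tuple[str, str]] = None


class EmailKeyedStore:
    """The weak pattern: local accounts are looked up by the email claim."""

    def __init__(self) -> None:
        self._by_email: dict = {}
        self._next_id = 1

    def sign_in(self, claims: dict) -> Account:
        email = claims["email"].lower()
        acct = self._by_email.get(email)
        if acct is None:
            acct = Account(self._next_id, claims.get("name", email))
            self._next_id += 1
            self._by_email[email] = acct
        return acct


class SubjectKeyedStore:
    """The hardened pattern: local accounts are keyed on (iss, sub).

    `sub` is only unique within one issuer, so the issuer is part of the
    key; email is kept as a display attribute, never as the lookup key.
    """

    def __init__(self) -> None:
        self._by_identity: dict = {}
        self._next_id = 1

    def sign_in(self, claims: dict) -> Account:
        key = (claims["iss"], claims["sub"])
        acct = self._by_identity.get(key)
        if acct is None:
            name = claims.get("name", claims.get("email", ""))
            acct = Account(self._next_id, name, key)
            self._next_id += 1
            self._by_identity[key] = acct
        return acct


# Constructed claim sets: the original account holder, then a different
# person who later obtains the same address after the domain was reused.
ISSUER = "https://idp.example.invalid"  # hypothetical issuer
ORIGINAL_USER = {"iss": ISSUER, "sub": "user-0001",
                 "email": "alice@lapsed-domain.test", "name": "Alice (original)"}
LATER_USER = {"iss": ISSUER, "sub": "user-0002",
              "email": "alice@lapsed-domain.test", "name": "Alice (new owner)"}


def demonstrate(store_cls) -> Tuple[int, int]:
    """Sign in both claim sets in turn; return the two account ids reached.

    Equal ids mean the later user landed in the original user's account.
    """
    store = store_cls()
    first = store.sign_in(ORIGINAL_USER)
    second = store.sign_in(LATER_USER)
    return first.account_id, second.account_id


if __name__ == "__main__":
    print("email-keyed  :", demonstrate(EmailKeyedStore))    # (1, 1)
    print("subject-keyed:", demonstrate(SubjectKeyedStore))  # (1, 2)
```

The hardened store only helps if the identity provider actually issues a stable `sub` (or equivalent) per user; when it does not, as the post notes, there is no immutable claim for the app to key on, and the application cannot fix that on its own.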