by banger180
522 days ago
> I wonder what action is causing the sub to change like the author suggests is happening.

Indeed, this would be very interesting. This issue is also very similar to CVE-2024-25618. What we did to mitigate this is the following:
- Federated login with OIDC
- Look for a user based on the `sub` claim
- If they are found: authenticate that user and optionally update their profile (email, name, ...) based on the new ID claims.
- Else look for a user matching on the `email` claim and link the `sub` to that user
- If no user is found, create a new one