← Back to context

Comment by banger180

4 days ago

> I wonder what action is causing the sub to change like the author suggests is happening.

Indeed this would be very interesting.

This issue is also very similar to CVE-2024-25618.

What we did to mitigate this is the following: - Federated login with OIDC - Look for a user based on the sub claim - If they are found: authenticate that user and optionally update their profile (email, name, ...) based on then new id claims. - Else look for a user matching on the `email` claim and link the `sub` to that user - If no user is found create a new one

0 comments

banger180

Reply