 

Is it safe to identify OpenID users by email address if the provider is trusted?

I'm using DotNetOpenAuth for OpenID logins. Google's provider returns a different ClaimedIdentifier depending on the realm of the caller (hostname + port).

Is it safe for me to validate a login based on the email address returned by the OpenID authentication callback vs the claimed identifier itself? i.e. is there a way a user could forge their email address and thus gain access to another user's account if we validate on the email instead of the claimed ID?

I was thinking this would be OK to do as long as the provider is trusted - i.e. we can trust Google not to allow a user to sign in using someone else's email address.

Jake Petroules asked Jan 28 '12 19:01


2 Answers

The OpenID 2.0 protocol's security model is built around the Claimed Identifier -- not the email address. So the best approach is to make your Realm consistent. If you can do that, that's the best approach.

It may also be a good idea to store the email address in your user's table so that if your realm ever must change (perhaps your company is purchased by another) you'll be able to migrate your users. But if you plan to do this, you should also store what the OP Endpoint was during authentication when you received the email address so you know whether you can trust it.

Generally, it's unsafe to trust the email address at all. If you trust the Provider (Google in your case) to provide you verified email addresses, then you may trust the email addresses if you verify that it is in fact the Provider that authenticated the user. This can only be done correctly by verifying the IAuthenticationResponse.Provider.Uri value is the one you trust. It cannot be done implicitly just by only offering a "Log in with Google" button because of OpenID's "unsolicited assertions" feature, which allows users to log in with arbitrary Providers regardless of what the RP offers in its UI. And it cannot be done by checking the domain of the Claimed Identifier because of the difference between claimed and local identifiers.

Andrew Arnott answered Sep 26 '22 17:09
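An account lookup that follows the answer above, added here as example code (it is not the answerer's code and not part of DotNetOpenAuth): the Claimed Identifier is the key, and the email is consulted only when `Provider.Uri` is the trusted Google endpoint and the stored email was attested by that same endpoint. The Google OP endpoint URL and the `UserRecord` store are assumptions.

```csharp
using System;
using System.Collections.Generic;
using DotNetOpenAuth.OpenId.RelyingParty;
using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;

public static class OpenIdAccountLookup
{
    // Assumed value: Google's OpenID 2.0 OP endpoint as it appeared in Provider.Uri.
    // Confirm it against the endpoint your own authentication responses report.
    static readonly Uri TrustedGoogleOp = new Uri("https://www.google.com/accounts/o8/ud");

    // Hypothetical user record: keyed by Claimed Identifier; the email is stored together
    // with the OP endpoint that vouched for it, so a later realm change can be migrated.
    public class UserRecord { public string ClaimedId; public string Email; public string OpEndpoint; }
    static readonly Dictionary<string, UserRecord> UsersByClaimedId = new Dictionary<string, UserRecord>();

    public static UserRecord Resolve(IAuthenticationResponse response)
    {
        if (response == null || response.Status != AuthenticationStatus.Authenticated)
            return null;

        // 1. Normal path: the Claimed Identifier is the identity OpenID actually asserts.
        string claimedId = response.ClaimedIdentifier.ToString();
        UserRecord user;
        if (UsersByClaimedId.TryGetValue(claimedId, out user))
            return user;

        // 2. Email fallback, only when the OP that performed this authentication is the trusted one.
        //    Offering only a "Log in with Google" button is not enough (unsolicited assertions),
        //    and neither is the domain of the Claimed Identifier; Provider.Uri is the check.
        if (response.Provider.Uri != TrustedGoogleOp)
            return null;
        var fetch = response.GetExtension<FetchResponse>();
        string email = fetch == null ? null : fetch.GetAttributeValue(WellKnownAttributes.Contact.Email);
        if (string.IsNullOrEmpty(email))
            return null;

        // Match only an email that the same trusted OP attested when the record was stored.
        UserRecord match = null;
        foreach (var existing in UsersByClaimedId.Values)
            if (existing.OpEndpoint == TrustedGoogleOp.AbsoluteUri &&
                string.Equals(existing.Email, email, StringComparison.OrdinalIgnoreCase))
            { match = existing; break; }
        if (match == null)
            return null; // unknown user: create an account, never merge on an unverified email

        // Realm changed, so the Claimed Identifier did too: re-key the record (outside the loop).
        UsersByClaimedId.Remove(match.ClaimedId);
        match.ClaimedId = claimedId;
        UsersByClaimedId[claimedId] = match;
        return match;
    }
}
```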


I'd verify that the claimed ID is indeed a Google one before using the e-mail in my comparison. That's how StackOverflow does it, too.

cweiske answered Sep 23 '22 17:09