Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it safe to identify OpenID users by email address if the provider is trusted?

Tags:

security

openid

dotnetopenauth

I'm using DotNetOpenAuth for OpenID logins. Google's provider returns a different ClaimedIdentifier depending on the realm of the caller (hostname + port).

Is it safe for me to validate a login based on the email address returned by the OpenID authentication callback vs the claimed identifier itself? i.e. is there a way a user could forge their email address and thus gain access to another user's account if we validate on the email instead of the claimed ID?

I was thinking this would be OK to do as long as the provider is trusted - i.e. we can trust Google not to allow a user to sign in using someone else's email address.

like image 782
Jake Petroules Avatar asked Jan 28 '12 19:01

Jake Petroules

2 Answers

The OpenID 2.0 protocol's security model is built around the Claimed Identifier -- not the email address. So the best approach is to make your Realm consistent. If you can do that, that's the best approach.

It may also be a good idea to store the email address in your user's table so that if your realm ever must change (perhaps your company is purchased by another) you'll be able to migrate your users. But if you plan to do this, you should also store what the OP Endpoint was during authentication when you received the email address so you know whether you can trust it.

Generally, it's unsafe to trust the email address at all. If you trust the Provider (Google in your case) to provide you verified email addresses, then you may trust the email addresses if you verify that it is in fact the Provider that authenticated the user. This can only be done correctly by verifying the IAuthenticationResponse.Provider.Uri value is the one you trust. It cannot be done implicitly just by only offering a "Log in with Google" button because of OpenID's "unsolicited assertions" feature, which allows users to log in with arbitrary Providers regardless of what the RP offers in its UI. And it cannot be done by checking the domain of the Claimed Identifier because of the difference between claimed and local identifiers.

like image 67
Andrew Arnott Avatar answered Sep 26 '22 17:09

Andrew Arnott

I'd verify that the claimed ID is indeed a google one before using the e-mail in my comparison. That's how StackOverflow does it, too.

like image 36
cweiske Avatar answered Sep 23 '22 17:09

cweiske
Sign in to Comment

Related questions

Azure Service Bus security when at rest
Having a public API but only allowing access to requests sent from my website
What does the "disown-opener" Content Security Policy directive do?
Which capabilities can I drop in a Docker Nginx container?
android.security.KeyChainException: java.lang.IllegalStateException: uid <> doesn't have permission to access the requested alias
vuex empty state on logout
How to configure x509 client certificate based authentication to connect to AWS RDS based PostgreSQL
Access token vs username/password for api request
Firebase/Database - Version 2 Security Rules?
Reading the local password policy programmatically
i *must* store third party credentials in my database. best way?
How can I restrict access to some PHP pages only from pages within my website?
Tomcat secured static content
Is it possible to resign a signed .net dll with a different key pair?
Understanding 3rd party iframes security?
Does this mean my university is storing passwords insecurely?
How to throttle login attempts - PHP & MySQL & CodeIgniter
How to verify an XML signature in an iOS application?
A list of professionally-useful and safe file types?
What is the recommended approach for encrypting/decrypting large text data in MySQL?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!