Comment by simiones

Comment by simiones 4 days ago

2 replies

View on Hacker News

I would be curious if any other Identity Providers that implement OAuth have mitigations for this issue. If you used sign in with Microsoft or Okta or PingFederate, would those provide different claims to the service?

ratg13 4 days ago

Every provider has their own set of flaws.

Microsoft had a flaw for awhile where you could just change a user’s email to anything with no verification.. and if the SSO implementer was only checking the email field, you could impersonate anyone.

Reply View 0 replies
p_ing 4 days ago

Ideally the trust with the SP would be using a cert. This requires the SP to implement this portion of the standard and the IT department to follow through with implementing a cert. The cert can be self-generated, so there isn't a cost for the cert itself.

Reply View 0 replies