Comment by erincandescent 4 days ago


> To resolve this issue, Google could implement two immutable identifiers within its OpenID Connect (OIDC) claims:
> 1. A unique user ID that doesn't change over time.
> 2. A unique workspace ID tied to the domain.

1. is the OIDC `sub` claim! I strongly suspect that in those 0.04% of accounts where the anonymous quoted engineer reports that the `sub` claim changed, what actually happened was some provisioning/onboarding/offboarding system resulted in the account being deleted and recreated.

2. is sensible, and is just a versioned version of the `hd` claim.

anon84873628 4 days ago

1. Yep, your hypothesis seems likely. Consumer gmail addresses can't be used again after they are deleted, but it seems in Workspace orgs they can be reused/reassigned after 20 days: https://support.google.com/a/answer/33314?hl=en&co=DASHER._F...

If services are not respecting the `sub` claim in this case, then they are giving the new Google account access to the old account's data. Companies probably wouldn't complain about this because they think it is the expected/reasonable behavior. Also it's likely that in many scenarios it is the same human behind the different accounts, e.g. if they leave a company then return.

  • nixosbestos 4 days ago

    Reinforcing the face-palm at the heart of this, which is that anyone deciding to, you know, just use email instead of asking why an immutable ID changed... just probably enabled information leakage. Seriously, I'm so thankful that my colleagues would be principled about this and ask questions instead of just doing something to make it "work". Where "work" means some GSuite user probably logged into some other defunct GSuite user's RP-account.

    • jeroenhd 3 days ago

      The slides claim that this problem happens almost 600 times per week. There's no way it makes sense to manually validate all of those sessions.

      The secure thing would be to kick those users out and tell them to go figure out with Google why their account IDs keep changing. The easy and more profitable solution is to just use the email address as an account ID and keep the customers.

      Google did re-open the bug so I think there may be something wrong on Google's side, but for 99% of companies just using the `sub` value like it's intended to won't cause anyone any headache.

      • nixosbestos 3 days ago

        1. The slides cite an anonymous, context-less, single sentence claiming that they change. With no indication of why they changed, or if that change was valid.

        2. The sub can change, while keeping the same email, because it is in fact a different user. Just using the email is categorically wrong.

        Again, so much hysterics, and I have serious doubts about the, thus unsubstantiated, entire premise.

        Let me be more clear, I _do not believe that claim at all_. I find no other evidence of it. I've worked with RPs that allow Google auth and similarly have never experienced this or heard of it happening.
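An added example of the point argued in this thread, written by the editor; it is not code from any commenter, from the slides, or from Google. It models a relying party that keys accounts on the ID token's `(iss, sub)` pair, which is also what Google's own OpenID Connect documentation tells RPs to do, beside the email-keyed shortcut the thread warns about. The token payloads, the `sub` values and the `example.com` Workspace domain are constructed for the demo; signature, `iss`, `aud` and `exp` validation is assumed to have been done by the OIDC client library before these functions are called.

```python
"""Account linking in an OIDC relying party: key on (iss, sub), not email.

Scenario (constructed): a Workspace address is deleted and later re-issued to
a different account, so the `email` claim stays the same while `sub` changes.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

GOOGLE_ISS = "https://accounts.google.com"


@dataclass
class Account:
    account_id: int
    email: str
    secret_note: str  # stands in for whatever the RP stores per user


@dataclass
class RelyingParty:
    """Minimal RP user store for one Workspace tenant (expected_hd)."""
    expected_hd: str
    by_email: Dict[str, Account] = field(default_factory=dict)
    by_subject: Dict[Tuple[str, str], Account] = field(default_factory=dict)
    next_id: int = 1

    def _create(self, email: str) -> Account:
        acct = Account(self.next_id, email, f"notes of account {self.next_id}")
        self.next_id += 1
        return acct

    def login_by_email(self, claims: dict) -> Account:
        """The shortcut: the email address is the account key.
        Whoever is later issued the same address inherits the old account."""
        email = claims["email"]
        if email not in self.by_email:
            self.by_email[email] = self._create(email)
        return self.by_email[email]

    def login_by_subject(self, claims: dict) -> Account:
        """Key on (iss, sub). A new sub is a new principal even when the email
        is identical; a mismatched hd means the token is for another tenant."""
        if claims.get("hd") != self.expected_hd:
            raise PermissionError("token not issued for the expected Workspace domain")
        if not claims.get("email_verified", False):
            raise PermissionError("email not verified by the IdP")
        key = (claims["iss"], claims["sub"])
        acct = self.by_subject.get(key)
        if acct is None:
            acct = self._create(claims["email"])
            self.by_subject[key] = acct
        elif acct.email != claims["email"]:
            acct.email = claims["email"]  # same principal renamed: safe to follow
        return acct


# Constructed ID-token payloads (only the claims relevant here; sub values are made up).
ORIGINAL_HOLDER = {"iss": GOOGLE_ISS, "sub": "110169484474386276334", "hd": "example.com",
                   "email": "jdoe@example.com", "email_verified": True}
REISSUED_HOLDER = {"iss": GOOGLE_ISS, "sub": "104723815690240032191", "hd": "example.com",
                   "email": "jdoe@example.com", "email_verified": True}
OTHER_TENANT = {"iss": GOOGLE_ISS, "sub": "118234567890123456789", "hd": "other.example",
                "email": "jdoe@other.example", "email_verified": True}


def compare_keying_strategies() -> dict:
    """Run both strategies over the re-issued-address scenario."""
    rp = RelyingParty(expected_hd="example.com")
    first = rp.login_by_email(ORIGINAL_HOLDER)
    second = rp.login_by_email(REISSUED_HOLDER)
    email_keyed_leak = first.account_id == second.account_id  # new holder sees old data

    rp = RelyingParty(expected_hd="example.com")
    first = rp.login_by_subject(ORIGINAL_HOLDER)
    second = rp.login_by_subject(REISSUED_HOLDER)
    subject_keyed_leak = first.account_id == second.account_id  # distinct accounts

    try:
        rp.login_by_subject(OTHER_TENANT)
        other_tenant_rejected = False
    except PermissionError:
        other_tenant_rejected = True

    return {"email_keyed_leak": email_keyed_leak,
            "subject_keyed_leak": subject_keyed_leak,
            "other_tenant_rejected": other_tenant_rejected}


if __name__ == "__main__":
    print(compare_keying_strategies())
```

With the subject-keyed store, the re-issued address lands in a fresh, empty account and the previous holder's data stays where it was; the RP can still show the email for display, and follow a rename on the same `sub`, without ever using it as the key.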