Comment by nixosbestos 4 days ago
Reinforcing the face-palm at the heart of this, which is that anyone deciding to, you know, just use email instead of asking why an immutable ID changed... just probably enabled information leakage. Seriously, I'm so thankful that my colleagues would be principled about this and ask questions instead of just doing something to make it "work". Where "work" means some GSuite user probably logged into some other defunct GSuite user's RP-account.
The slides claim that this problem happens almost 600 times per week. There's no way it makes sense to manually validate all of those sessions.
The secure thing would be to kick those users out and tell them to go figure out with Google why their account IDs keep changing. The easy and more profitable solution is to just use the email address as an account ID and keep the customers.
Google did re-open the bug so I think there may be something wrong on Google's side, but for 99% of companies just using the `sub` value like it's intended to won't cause anyone any headache.
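The two account-lookup strategies the thread contrasts, as an added example that is not code from the original thread, from the slides, or from any RP mentioned in it. It assumes the ID token has already been signature-checked and that its claims arrive as a dict; the `AccountStore`, `login_by_email`, `login_by_subject` and `SubjectChanged` names and the sample `iss`/`sub`/`email` values are all constructed for illustration. `login_by_email` is the shortcut the commenters warn about; `login_by_subject` keys on the issuer-scoped `sub` claim, which OpenID Connect defines as the stable subject identifier, and refuses to silently relink a known email to a new subject rather than handing over the existing account.

```python
"""Keying RP accounts on OIDC (iss, sub) versus on the email claim."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Account:
    account_id: int
    issuer: str   # `iss` claim the account was first created under
    subject: str  # `sub` claim: the IdP's stable, issuer-scoped identifier
    email: str    # kept for contact and display only, never as the key


class SubjectChanged(Exception):
    """A known email arrived under a different (iss, sub); do not auto-link."""


@dataclass
class AccountStore:
    """Hypothetical in-memory stand-in for the RP's user table."""
    accounts: List[Account] = field(default_factory=list)
    next_id: int = 1

    def by_subject(self, iss: str, sub: str) -> Optional[Account]:
        return next((a for a in self.accounts
                     if a.issuer == iss and a.subject == sub), None)

    def by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self.accounts if a.email == email), None)

    def create(self, claims: dict) -> Account:
        acct = Account(self.next_id, claims["iss"], claims["sub"], claims["email"])
        self.accounts.append(acct)
        self.next_id += 1
        return acct


def login_by_email(store: AccountStore, claims: dict) -> Account:
    """The shortcut the thread warns about: the email is the account key.

    Any later token carrying the same email, even with a different `sub`
    (a recreated or reassigned workspace user), lands in the old account.
    """
    acct = store.by_email(claims["email"])
    return acct if acct is not None else store.create(claims)


def login_by_subject(store: AccountStore, claims: dict) -> Account:
    """Key on (iss, sub) as OIDC intends and refuse to silently relink.

    An unknown (iss, sub) whose email already belongs to an account is the
    "immutable ID changed" case: stop and raise, so a human can find out why,
    instead of handing the existing account to the new subject.
    """
    acct = store.by_subject(claims["iss"], claims["sub"])
    if acct is not None:
        return acct
    if claims.get("email_verified") is not True:
        # An unverified email must never be used to reason about identity.
        raise ValueError("email_verified is not true; refusing to use email")
    clash = store.by_email(claims["email"])
    if clash is not None:
        raise SubjectChanged(
            f"{claims['email']} belongs to account {clash.account_id} "
            f"(sub={clash.subject}) but token presented sub={claims['sub']}")
    return store.create(claims)


if __name__ == "__main__":
    # Constructed sample claims: same issuer and email, a changed `sub`.
    first = {"iss": "https://accounts.google.com", "sub": "1000000000000000000001",
             "email": "alice@example.com", "email_verified": True}
    later = {"iss": "https://accounts.google.com", "sub": "1000000000000000000002",
             "email": "alice@example.com", "email_verified": True}
    weak = AccountStore()
    print("email-keyed:", login_by_email(weak, first).account_id,
          login_by_email(weak, later).account_id)  # same account: takeover
    strong = AccountStore()
    login_by_subject(strong, first)
    try:
        login_by_subject(strong, later)
    except SubjectChanged as exc:
        print("sub-keyed refused:", exc)
```

In a real RP the `SubjectChanged` path should end the session and open a support ticket rather than silently succeed, which is exactly the "kick those users out" option the reply describes; whether that is operationally tolerable at the volume the slides report is the trade-off the thread is about, but it is not one the email-keyed version even surfaces.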