
Add requirement about segmentation of SSO identities #2150

Open
randomstuff opened this issue Oct 15, 2024 · 4 comments
Labels: 1) Discussion ongoing (Issue is opened and assigned but no clear proposal yet); V2; V51 (Group issues related to OAuth); _5.0 - prep (This needs to be addressed to prepare 5.0)

Comments

@randomstuff

In the context of OpenID Connect, I was wondering whether a requirement mandating that user identities from different IdPs are properly separated, i.e. that an IdP cannot spoof a user from another IdP. This is actually relevant for any SSO and might go into V2.

Original wording:

Verify that, if multiple identity providers are used by a RP, the identity of a user from an identity provider cannot be spoofed by another identity provider (by using the same user identifier).

Alternative wording:

Verify that, if multiple identity providers are used by a relying party, a malicious identity provider cannot log in as users from another identity provider (e.g. by using the same user identifier).

The wording should reject unintended/malicious spoofing of user identities but still allow cases where the sharing of user identities between different IdP is intended / by design.

@randomstuff randomstuff changed the title Add requirement about proper segmentation of SSO identities Add requirement about segmentation of SSO identities Oct 15, 2024
@elarlang elarlang added the V2 label Oct 16, 2024
@TobiasAhnoff

I was thinking that this is not limited to users, it could also be an issue for machine-to-machine (OAuth client credentials), all scenarios where the RP uses multiple identity providers (issuers).

Maybe have something that is not only for OIDC, or do we already address this in other issues?

Verify that, if multiple identity providers are used by a RP, the identity from one identity provider cannot be spoofed by another identity provider (by using the same user identifier).

or, from the JWT spec: "The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique."

Verify that, if multiple identity providers are used by a RP, the identity MUST either be scoped to be locally unique in the context of the issuer or be globally unique.
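The point raised in the opening post and in the comment above (a subject identifier is only unique within its issuer, so a relying party must not look up accounts by `sub` alone, for users or for client-credentials clients) can be shown concretely. The following is an added example written for this discussion; it is not ASVS text or code from any project mentioned here. The issuer URLs, subject values and the `VulnerableAccountStore` / `SegmentedAccountStore` classes are constructed for illustration, and tokens are modelled as already-validated claims, so signature, audience and expiry checks are assumed to have happened earlier.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample data: two issuers the relying party trusts. A token is
# modelled as its already-validated claims; signature and audience checks
# are assumed to have happened before these functions are called.
TRUSTED_ISSUERS = {"https://idp-a.example", "https://idp-b.example"}


@dataclass(frozen=True)
class Claims:
    iss: str  # issuer (the identity provider)
    sub: str  # subject: a user id, or a client_id for client-credentials flows


class VulnerableAccountStore:
    """Maps a token to a local account using 'sub' alone.

    Any trusted issuer can then sign in as another issuer's subject just by
    issuing a token that carries the same 'sub' value.
    """

    def __init__(self) -> None:
        self._accounts: Dict[str, str] = {}

    def login(self, claims: Claims) -> str:
        if claims.iss not in TRUSTED_ISSUERS:
            raise PermissionError("untrusted issuer")
        # Defect: the lookup ignores which issuer vouched for this subject.
        return self._accounts.setdefault(claims.sub, f"local-{len(self._accounts) + 1}")


class SegmentedAccountStore:
    """Maps a token to a local account using the (iss, sub) pair.

    This follows the JWT rule that 'sub' need only be unique within its
    issuer, so identical subjects from different issuers stay separate.
    Sharing one account across issuers remains possible, but only through
    an explicit link recorded by the relying party (the intended case the
    issue text wants to keep allowing).
    """

    def __init__(self) -> None:
        self._accounts: Dict[Tuple[str, str], str] = {}

    def login(self, claims: Claims) -> str:
        if claims.iss not in TRUSTED_ISSUERS:
            raise PermissionError("untrusted issuer")
        key = (claims.iss, claims.sub)  # issuer is part of the identity
        return self._accounts.setdefault(key, f"local-{len(self._accounts) + 1}")

    def link(self, existing: Claims, additional: Claims) -> None:
        """Deliberately let 'additional' sign in to the account that
        'existing' already maps to, e.g. after the user proved control of
        both identities. This is the only path that merges issuers."""
        for c in (existing, additional):
            if c.iss not in TRUSTED_ISSUERS:
                raise PermissionError("untrusted issuer")
        account = self.login(existing)
        self._accounts[(additional.iss, additional.sub)] = account


def spoof_succeeds(store) -> bool:
    """Check used as a regression test: does a token from IdP B that reuses
    IdP A's subject value land on IdP A's user's local account?"""
    victim = Claims(iss="https://idp-a.example", sub="alice")
    same_sub_other_issuer = Claims(iss="https://idp-b.example", sub="alice")
    return store.login(victim) == store.login(same_sub_other_issuer)


if __name__ == "__main__":
    print("vulnerable store spoofable:", spoof_succeeds(VulnerableAccountStore()))
    print("segmented store spoofable:", spoof_succeeds(SegmentedAccountStore()))
```

Running the module prints `True` for the `sub`-only store and `False` for the `(iss, sub)` store. The same keying applies unchanged when `sub` holds a `client_id` from a client-credentials grant, which is the machine-to-machine case mentioned in the comment above.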

@randomstuff
Author

randomstuff commented Oct 16, 2024

Maybe have something that not only for OIDC, or do we already address this in other issues?

Yes, that's why I was suggesting it should go into the V2 chapter (instead of the OIDC one) and was avoiding OIDC-specific terms. This would equally apply to other types of user identity sources (SAML, LDAP, CAS, etc.).

@tghosth tghosth added _5.0 - prep This needs to be addressed to prepare 5.0 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet labels Oct 22, 2024
@elarlang elarlang added the V51 Group issues related to OAuth label Oct 25, 2024
@elarlang
Collaborator

Steps here:

  • formulate requirement text
  • check we don't have duplicates in V51
  • think about suitable section

@elarlang
Collaborator

ping @tghosth as it is in V2 area
