Nah this is more a demonstration of why sticking to standards is a good idea, and why building an authorization server isn't a project that should be taken lightly.
I don’t see how this is related to the OIDC protocol flow. Can you please elaborate?
Sorry, the Apple vulnerability is not. It’s just my feeling that a higher likelihood of logical bugs due to high complexity may also apply to OIDC (in combination with OAuth).
"The OpenID Foundation enables deployments of OpenID Connect and the Financial-grade API (FAPI) Read/Write Profile to be certified to specific conformance profiles to promote interoperability among implementations..." openid.net/certification/
And? Certification wouldn't have caught this bug since it wasn't a problem with the OIDC part of the exchange.
"email_verified": "True if the End-User's e-mail address has been verified; otherwise false..." openid.net/specs/openid-conn…
Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer.
My point is that OIDC has mechanisms to prevent this issue.
Please go read it again and understand the problem.
Yes, thank you. I agree that RP should be simple and IdP should be handling the complexity. AFAIU, the OIDC spec is clear about the email_verified attribute.
The original post didn’t make this clear, so I’m writing a new post to hopefully better explain the problem. You’ll see that it has nothing to do with OIDC at all. Link coming shortly, I hope.

May 31, 2020 · 4:36 PM UTC

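The thread keeps returning to one relying-party decision: when may the `email` claim in an ID token be used to match an existing local account? The following is an added illustration of that check, written here for this page; it is not code from any participant in the thread, from Apple, or from any OIDC library. It assumes that the ID token's signature, `iss`, `aud`, `exp` and `nonce` have already been validated by a JWT library before these claims are handed over, and the sample claims and account tables are constructed for the example. The point it makes is the one the spec quote above implies: `email_verified` is a JSON boolean, so only a literal `true` (not the string `"true"`, not `1`, not a missing claim) should unlock matching by e-mail address; account identity itself is keyed on (`iss`, `sub`), never on e-mail.

```python
"""Relying-party account-linking decision for an OIDC ID token (constructed example).

Assumption: the token has already passed signature, issuer, audience, expiry and
nonce validation in a JWT library. This code only decides what the RP may do
with the identity claims it received.
"""


def email_is_verified(claims: dict) -> bool:
    """True only when email_verified is the JSON boolean true and an email string is present.

    OpenID Connect Core defines email_verified as a boolean. Anything else
    (absent, the string "true", the integer 1) is treated as unverified, so a
    sloppy or malicious IdP response cannot talk the RP into trusting the address.
    """
    return claims.get("email_verified") is True and isinstance(claims.get("email"), str)


def decide_account_linking(claims: dict, accounts_by_subject: dict, accounts_by_email: dict) -> str:
    """Return one of 'login_existing', 'link_by_email' or 'create_unlinked'.

    accounts_by_subject maps (iss, sub) -> local account id.
    accounts_by_email maps a normalised e-mail address -> local account id.
    """
    iss, sub = claims.get("iss"), claims.get("sub")
    if not isinstance(iss, str) or not isinstance(sub, str):
        # A validated token always carries these; fail closed if it somehow does not.
        raise ValueError("ID token is missing iss or sub")

    # Primary identity is the issuer-scoped subject, independent of e-mail.
    if (iss, sub) in accounts_by_subject:
        return "login_existing"

    # E-mail is only a matching hint, and only when the IdP asserts it is verified.
    if email_is_verified(claims):
        email = claims["email"].strip().lower()  # simplistic normalisation for the example
        if email in accounts_by_email:
            return "link_by_email"

    # Unknown subject and no trustworthy e-mail match: create a fresh account and
    # let the user prove ownership of the address through the RP's own flow.
    return "create_unlinked"


# --- constructed sample data -------------------------------------------------
ISSUER = "https://idp.example"  # placeholder issuer, not a real provider
ACCOUNTS_BY_SUBJECT = {(ISSUER, "user-123"): "acct-1"}
ACCOUNTS_BY_EMAIL = {"alice@example.com": "acct-2"}

CLAIMS_KNOWN_SUBJECT = {"iss": ISSUER, "sub": "user-123", "email": "other@example.com", "email_verified": True}
CLAIMS_VERIFIED_EMAIL = {"iss": ISSUER, "sub": "user-456", "email": "Alice@example.com", "email_verified": True}
CLAIMS_STRING_TRUE = {"iss": ISSUER, "sub": "user-789", "email": "alice@example.com", "email_verified": "true"}
CLAIMS_NO_FLAG = {"iss": ISSUER, "sub": "user-000", "email": "alice@example.com"}


def run_samples() -> dict:
    """Evaluate each constructed claim set; returns a name -> decision mapping."""
    samples = {
        "known_subject": CLAIMS_KNOWN_SUBJECT,
        "verified_email": CLAIMS_VERIFIED_EMAIL,
        "string_true": CLAIMS_STRING_TRUE,
        "no_flag": CLAIMS_NO_FLAG,
    }
    return {name: decide_account_linking(c, ACCOUNTS_BY_SUBJECT, ACCOUNTS_BY_EMAIL) for name, c in samples.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:>15}: {decision}")
```

The `string_true` and `no_flag` cases are the ones worth keeping in a test suite: both carry an e-mail that matches a local account, and both must fall through to `create_unlinked`, because nothing in the token entitles the RP to treat that address as owned by the caller.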