Sorry, the Apple vulnerability is not.
It’s just my feeling that higher likelihood of logical bugs due to high complexity may also apply to OIDC (in combination with OAuth).
2
1
"The OpenID Foundation enables deployments of OpenID Connect and the Financial-grade API (FAPI) Read/Write Profile to be certified to specific conformance profiles to promote interoperability among implementations.... "
openid.net/certification/
1
And? Certification wouldn't have caught this bug since it wasn't a problem with the OIDC part of the exchange.
1
"email_verified" : "True if the End-User's e-mail address has been verified; otherwise false....."
openid.net/specs/openid-conn…
1
Go read the writeup again. The original post wasn't the clearest explanation of the problem but I also posted some more details in this thread that make it clearer.
1
Yes, thank you. I agree that RP should be simple and IdP should be handling the complexity. AFAIU, the OIDC spec is clear about the email_verified attribute.
1
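A relying-party-side check of the kind this exchange is about, written as an added example (it is not code from the thread, from Apple, or from the OpenID Foundation). It assumes the ID token's signature, issuer, audience and expiry have already been verified by the RP's JWT library, and that the RP keys local accounts on a constructed `AccountStore`; the claim sets at the bottom are constructed sample data. The point it demonstrates is the one quoted from the spec above: `email_verified` is a JSON boolean, so only the literal `true` may let an email match an existing local account, and the stable identity key is always issuer plus `sub`, never the email alone.

```python
"""Relying-party handling of the OIDC `email` / `email_verified` claims.

Added example, not code from the original thread or any OpenID project.
Assumes the ID token's signature, iss, aud and exp have already been checked
by the RP's JWT library; these functions only decide whether the email in the
verified claim set may be used to match an existing local account.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Mapping, Optional, Tuple


@dataclass(frozen=True)
class LinkDecision:
    subject: str           # value of `sub`, the stable identifier at this IdP
    email: Optional[str]   # email the RP may match against, or None
    reason: str            # why email matching was allowed or refused


@dataclass
class AccountStore:
    """Constructed stand-in for the RP's user database (assumption)."""
    by_issuer_sub: Dict[Tuple[str, str], str] = field(default_factory=dict)
    by_email: Dict[str, str] = field(default_factory=dict)
    created: int = 0


def email_link_decision(claims: Mapping[str, Any]) -> LinkDecision:
    """Decide whether the email in an ID token may be used for account matching."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("ID token lacks a usable 'sub' claim")
    email = claims.get("email")
    verified = claims.get("email_verified")
    if not isinstance(email, str) or "@" not in email:
        return LinkDecision(sub, None, "no email claim")
    # The spec defines email_verified as a JSON boolean. Only the literal
    # `true` counts: the string "true", the number 1, or a missing claim
    # must all be treated as "not verified".
    if verified is not True:
        return LinkDecision(sub, None, "email_verified is not boolean true")
    return LinkDecision(sub, email.lower(), "email verified by IdP")


def resolve_account(claims: Mapping[str, Any], store: AccountStore) -> Tuple[str, str]:
    """Return (local_account_id, how_it_was_resolved).

    Order of precedence: an existing link for (iss, sub) wins; otherwise a
    verified email may attach this IdP identity to an existing account;
    otherwise a fresh account is created.
    """
    iss = claims.get("iss")
    if not isinstance(iss, str) or not iss:
        raise ValueError("ID token lacks a usable 'iss' claim")
    decision = email_link_decision(claims)
    key = (iss, decision.subject)

    existing = store.by_issuer_sub.get(key)
    if existing:
        return existing, "matched by issuer+sub"

    if decision.email is not None:
        existing = store.by_email.get(decision.email)
        if existing:
            store.by_issuer_sub[key] = existing   # remember the link for next time
            return existing, "linked by verified email"

    store.created += 1
    new_id = f"acct-new-{store.created}"
    store.by_issuer_sub[key] = new_id
    if decision.email is not None:
        store.by_email[decision.email] = new_id
    return new_id, f"new account ({decision.reason})"


# Constructed sample claim sets (not real tokens).
CLAIMS_VERIFIED = {"iss": "https://idp.example", "sub": "u-1",
                   "email": "Alice@Example.com", "email_verified": True}
CLAIMS_STRING_TRUE = {"iss": "https://idp.example", "sub": "u-2",
                      "email": "alice@example.com", "email_verified": "true"}
CLAIMS_UNVERIFIED = {"iss": "https://idp.example", "sub": "u-3",
                     "email": "alice@example.com", "email_verified": False}


if __name__ == "__main__":
    store = AccountStore(by_email={"alice@example.com": "acct-alice"})
    for name, claims in [("verified", CLAIMS_VERIFIED),
                         ("string true", CLAIMS_STRING_TRUE),
                         ("unverified", CLAIMS_UNVERIFIED)]:
        print(name, "->", resolve_account(claims, store))
```

Run as a script it shows that only the claim set with a boolean `true` attaches to the pre-existing `acct-alice` record; the other two, despite carrying the same address, get fresh accounts and are keyed by their own (iss, sub) pair thereafter.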
The original post didn’t make this clear, so I’m writing a new post to hopefully better explain the problem. You’ll see that it has nothing to do with OIDC at all. Link coming shortly, I hope.
1