Account Association Security Threats for Google Single Sign-On (opens in new tab)

(blog.idonethis.com)

17 pointsmikesun13y ago2 comments

2 comments

2 comments · 1 top-level

stickfigure13y ago· 1 in thread

TL;DR: Be conscious of who you trust. OpenID AX attributes may give you an email address, but this creates two potential issues:

* Can you be sure that the attribute has not been tampered with in transit? Check the signature (or make sure your library is checking the signature).

* Can you trust the OpenID provider to give you a correct and verified email address? Maybe if that provider is Google. Anyone else, probably not.

I prefer Mozilla Persona's approach to this problem; your identity effectively is an email address. It's also trivial to integrate.

mikesunOP13y ago

You're exactly right stickfigure.

* You have to make sure the attributes are properly signed by the OpenID provider which is what the security advisories by Google and OpenID foundation were about.

* You can't trust any OpenID provider to give you a correct and verified email address. For the specific case of Google single sign-on, you can trust the Google OpenID provider.

j / k navigate · click thread line to collapse