MBS-9275: The OAuth userinfo endpoint doesn't return a unique ID for "sub"

Project: MusicBrainz Server
Type: Bug
Priority: Normal
Resolution: Unresolved

The "sub" is currently the username, but it's supposed to be a unique value that's never reassigned. That's not currently the case, because editors can be renamed by admins (possibly taking the name of a previous deleted or renamed user). This poses a security issue in projects that assume account identity is entirely determined by the "sub" (which shouldn't be a wrong assumption).

MBS-9271 would fix this for future cases by preventing usernames from ever being reused. Obviously, we wouldn't have a record of names used before that ticket is implemented, so it would only help with future deletions and renames.

Another solution is to change the "sub" to something unique, like the user's row ID. This would break all OAuth clients that use the userinfo endpoint, unfortunately, unless we only give new "sub"s to accounts that have never used OAuth before, as suggested by Ulrich Klauer. Doing that would protect future uses of OAuth, but not previous uses. It's also not completely compatible with clients; as shown above, CB also uses "sub" as the display_name.

It's not an issue to fix OAuth clients within MeB, but we'll have to figure out what impact this has on external clients too.
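The scenario above, as an added illustration that is not MusicBrainz Server code: a client that keys local accounts on "sub" is replayed against the current username-based "sub" and against the row-ID variant with the compatibility rule suggested by Ulrich Klauer. The Editor record, the `legacy_sub` flag and all function names are assumptions made for this example.

```python
"""Constructed model of the "sub" reuse problem in MBS-9275 and of the
mitigation discussed in the ticket. Added illustration, not MusicBrainz
Server code: the Editor record, the `legacy_sub` flag and every function
name here are assumptions for the example."""
from dataclasses import dataclass


@dataclass
class Editor:
    id: int            # row ID: assigned once, never reused or changed
    name: str          # username: admins can rename it, and a freed name can be taken again
    legacy_sub: bool = False  # assumed flag: used OAuth before the change, keeps the username "sub"


def userinfo_current(editor: Editor) -> dict:
    """Current behaviour: "sub" is the username, which is not a stable identifier."""
    return {"sub": editor.name}


def userinfo_stable(editor: Editor) -> dict:
    """Proposed behaviour: accounts that already used OAuth keep the username as
    "sub" so existing client links survive; everyone else gets the row ID,
    which is never reassigned."""
    return {"sub": editor.name if editor.legacy_sub else str(editor.id)}


class Client:
    """An OAuth client that, as the ticket warns, treats "sub" as the whole identity."""

    def __init__(self):
        self.accounts = {}  # sub -> local account record

    def login(self, info: dict) -> dict:
        # First login creates the local account; later logins with the same "sub" reuse it.
        return self.accounts.setdefault(info["sub"], {"sub": info["sub"], "display_name": info["sub"]})


def name_reuse_links_to_old_account(userinfo) -> bool:
    """Replay the ticket's scenario against a userinfo implementation.
    Returns True if a second editor who receives a freed username ends up
    logged into the first editor's local account on the client."""
    client = Client()
    original = Editor(id=1, name="alice")
    first_login = client.login(userinfo(original))
    original.name = "alice_old"            # admin rename frees the name "alice"
    newcomer = Editor(id=2, name="alice")  # a different person takes the freed name
    second_login = client.login(userinfo(newcomer))
    return first_login is second_login


if __name__ == "__main__":
    print("username sub, account confusion:", name_reuse_links_to_old_account(userinfo_current))  # True
    print("row-ID sub, account confusion:", name_reuse_links_to_old_account(userinfo_stable))      # False
```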

Assignee: Unassigned
Reporter: Michael Wiencek