MusicBrainz Server: MBS-9275

The OAuth userinfo endpoint doesn't return a unique ID for "sub"



    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:


The "sub" is currently the username, but it's supposed to be a unique value that's never reassigned. That's not currently the case, because editors can be renamed by admins (possibly taking the name of a previously deleted or renamed user). This poses a security issue for projects that assume account identity is entirely determined by the "sub" (which ought to be a safe assumption).

MBS-9271 would fix this for future cases by preventing usernames from ever being reused. Obviously, we wouldn't have a record of names used before that ticket is implemented, so it would only help with future deletions and renames.

Another solution is to change the "sub" to something unique, like the user's row ID. Unfortunately, this would break all OAuth clients that use the userinfo endpoint, unless we only give new "sub"s to accounts that have never used OAuth before, as suggested by Ulrich Klauer. Doing that would protect future uses of OAuth, but not previous ones. It's also not completely compatible with clients; as shown above, CB also uses "sub" as the display_name.

It's not an issue to fix OAuth clients within MeB, but we'll have to figure out what impact this has on external clients too.
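To make the failure mode concrete, here is an added Python simulation (not MusicBrainz Server code; the editor table, the rename rule and the client are constructed) of a client that links local accounts by "sub" alone, run once with the current username-based "sub" and once with a row-ID "sub" that still exposes the username separately for clients that use it as a display name:

```python
# Added simulation (not MusicBrainz Server code): shows how a username-based
# "sub" lets a renamed account resolve to another user's linked account.


class Server:
    """Constructed editor table: row IDs are never reassigned, names can change."""

    def __init__(self, editors):
        self.editors = editors  # row_id -> current username

    def rename(self, row_id, new_name):
        # Constructed admin rename: only a name in current use is rejected, so
        # a name freed by an earlier rename or deletion can be taken by someone else.
        if new_name in self.editors.values():
            raise ValueError("name in use")
        self.editors[row_id] = new_name

    def userinfo_username_sub(self, row_id):
        # Current behaviour described in the ticket: "sub" is the username.
        return {"sub": self.editors[row_id]}

    def userinfo_stable_sub(self, row_id):
        # Proposed fix: "sub" is the row ID; the username is still exposed
        # separately for clients that want a display name.
        return {"sub": str(row_id), "name": self.editors[row_id]}


class Client:
    """Relying party that identifies accounts by "sub" alone."""

    def __init__(self):
        self.accounts = {}  # sub -> local account id

    def login(self, userinfo):
        sub = userinfo["sub"]
        if sub not in self.accounts:
            self.accounts[sub] = len(self.accounts) + 1
        return self.accounts[sub]


def scenario(use_stable_sub):
    """Return the local accounts editor 1 and (after renames) editor 2 land in."""
    srv = Server({1: "alice", 2: "bob"})
    info = srv.userinfo_stable_sub if use_stable_sub else srv.userinfo_username_sub
    rp = Client()
    alice_local = rp.login(info(1))  # editor 1 links a local account
    srv.rename(1, "alice_old")       # admin renames editor 1 ...
    srv.rename(2, "alice")           # ... and editor 2 takes the freed name
    return alice_local, rp.login(info(2))  # (1, 1) unsafe; (1, 2) with row-ID sub
```

With the username-based "sub", editor 2 is logged into editor 1's local account after the renames; with the row-ID "sub" the two editors stay distinct.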


    • Assignee: bitmap (Michael Wiencek)
    • Votes: 1
    • Watchers: 3