
Add new default behavior to reject a link in an OIDC IdP if email_verified is present and is false #2423

Closed
5 tasks done
robotdan opened this issue Aug 14, 2023 · 3 comments
robotdan commented Aug 14, 2023

Description

When you configure an IdP in FusionAuth you always need to be sure you trust this 3rd party. However, to provide additional built-in protection, if the IdP does offer the email_verified claim in the UserInfo response, and the value is false, we should fail to link on email.

Workaround

If your Identity Provider returns the email_verified claim in the Userinfo response, you may inspect this claim in the OpenID Connect Reconcile lambda and if it is provided and false, you could choose to throw an exception which would fail the login attempt.

While this will technically work, it is a poor user experience, and the error will not be helpful to the end user.

Additional information

This problem can apply to any IdP. However, IdPs such as Azure AD make it a bit more complicated because an AD connection can be configured to Use Common Endpoint which means a user can authenticate with any Azure AD tenant.

Auth0 has added some specific configuration for using Azure AD. In summary, they allow you to consider all emails verified, or all emails unverified, when using this connection. When configured to consider all emails un-verified, they force an email verification workflow inline during the first authentication. See https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azuread-adfs-email-verification.

We could consider adding this for all IdPs. This specific issue is really only addressing the OIDC IdP configuration. But we could consider adding a configuration for any IdP to indicate if FusionAuth should trust emails from the 3rd party knowing that we cannot know if the email is verified, not verified, or has been mutated at runtime.

Related

Documentation

  • New API parameter on the OpenID Connect IdP
  • New field in the UI on the OpenID Connect IdP configuration
  • New API parameter on the ExternalJWT IdP
  • New field in the UI on the External JWT IdP configuration
  • New error that can occur for External JWT or OpenID Connect when email is not verified. UnverifiedEmail and new themed message [ExternalAuthenticationException]UnverifiedEmail.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Release Notes

When the OpenID Connect or External JWT Identity Provider is configured to Link by Email and the IdP returns a claim named email_verified and the value is false, the link request will be rejected. This change is intended to reduce the risk of linking on an un-verified email address.

@robotdan robotdan added the enhancement New feature or request label Aug 14, 2023
@robotdan robotdan added this to the 1.48.0 milestone Aug 14, 2023
@robotdan robotdan self-assigned this Aug 14, 2023
@robotdan robotdan added this to Backlog in FusionAuth Issues via automation Aug 14, 2023
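The workaround above (inspect email_verified in the OpenID Connect Reconcile lambda and throw to fail the login) written out as an added example; this is not FusionAuth's own code. It assumes the lambda is invoked as reconcile(user, registration, jwt) with jwt carrying the claims FusionAuth obtained from the IdP, and it treats the string "false" like the boolean as a defensive assumption, since the issue only states "present and is false".

```javascript
// Added example, not FusionAuth project code. Assumed lambda shape:
// reconcile(user, registration, jwt), where `jwt` holds the IdP claims
// (id_token / UserInfo). Check the FusionAuth lambda docs for your version.

// True only when email_verified is PRESENT and false. A missing claim is
// not treated as unverified, matching the issue's "present and is false"
// wording; IdPs that omit the claim still link as before.
function emailExplicitlyUnverified(claims) {
  if (claims === null || typeof claims !== 'object') return false;
  if (!Object.prototype.hasOwnProperty.call(claims, 'email_verified')) return false;
  const v = claims.email_verified;
  // Assumption: also reject a string "false", in case the IdP serializes
  // the boolean as text rather than a JSON boolean.
  return v === false || (typeof v === 'string' && v.trim().toLowerCase() === 'false');
}

// Reconcile lambda implementing the workaround: throwing here fails the
// login attempt, so no link is created on an unverified email.
function reconcile(user, registration, jwt) {
  if (emailExplicitlyUnverified(jwt)) {
    throw new Error('Refusing to link: IdP reports email_verified=false for ' + jwt.email);
  }
  // Minimal reconcile logic: carry the asserted email onto the user.
  // FusionAuth uses the mutated object; returning it just eases testing.
  if (jwt && jwt.email) {
    user.email = jwt.email;
  }
  return user;
}
```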
mooreds commented Aug 14, 2023

added a workaround.

@robotdan robotdan moved this from Backlog to In progress in FusionAuth Issues Aug 18, 2023