❗️Developers of #AzureAD multi-tenant apps with #SSO based on #OpenIDConnect should take care to use the immutable claims (tid + oid) of the JWT rather than mutable claims such as email to uniquely identify signed-in users and authorize their access. #nOAuth

https://www.descope.com/blog/post/noauth

nOAuth: How Microsoft OAuth Misconfiguration Can Lead to Full Account Takeover

This blog will cover an authentication implementation flaw Descope discovered in Microsoft Azure AD OAuth applications that, when exploited, could lead to full account takeover.

Migrate away from using email claims for user identification or authorization - Microsoft Entra

Learn how to migrate your application away from using insecure claims, such as email, for authorization purposes.
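To make the point concrete, here is an added example (not code from Descope or Microsoft) of keying a local account on the immutable `tid` + `oid` pair instead of the mutable `email` claim; the token payloads are constructed, and the account directory and tenant allow-list are illustrative assumptions.

```python
"""Key accounts on immutable Azure AD claims (tid + oid), not on email.
Added example; payloads are constructed and the directory/allow-list
are illustrative assumptions, not part of any real application."""


class ClaimError(ValueError):
    """Raised when a token cannot be mapped safely to a local account."""


# Constructed ID-token payloads (assume signature and issuer were already
# verified by the OIDC library). Both carry the same email value but come
# from different tenants with different object IDs, so they are different
# principals. An app keyed on email would merge them into one account.
TOKEN_TENANT_A = {
    "tid": "aaaaaaaa-1111-1111-1111-111111111111",
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "email": "alice@example.com",
}
TOKEN_TENANT_B = {
    "tid": "bbbbbbbb-2222-2222-2222-222222222222",
    "oid": "bbbbbbbb-0000-0000-0000-000000000002",
    "email": "alice@example.com",  # same mutable value, different principal
}


def account_key(claims: dict) -> str:
    """Return the stable 'tid:oid' key; refuse tokens lacking either claim."""
    parts = []
    for name in ("tid", "oid"):
        value = claims.get(name)
        if not isinstance(value, str) or not value.strip():
            raise ClaimError(f"missing or empty immutable claim: {name}")
        parts.append(value)
    return ":".join(parts)


def resolve_account(claims: dict, accounts: dict, enrolled_tenants: set):
    """Map a validated token to a local account using only tid + oid.
    `accounts` maps 'tid:oid' -> account record; `enrolled_tenants` is the
    set of tenant IDs onboarded to this multi-tenant app (assumed design).
    Returns None for an unknown principal so the caller can provision or deny."""
    if claims.get("tid") not in enrolled_tenants:
        raise ClaimError("token issued by a tenant not enrolled in this app")
    return accounts.get(account_key(claims))


def email_keyed_account(claims: dict, accounts_by_email: dict):
    """The pattern to migrate away from: the lookup key is mutable."""
    return accounts_by_email.get(claims.get("email"))
```

Running both lookups on the two constructed tokens shows the difference: the email-keyed lookup returns the same account for both, while the `tid:oid` lookup keeps them apart and rejects the token from the unenrolled tenant.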