Closed jsherm-fwdsec closed 1 month ago
The second requirement goes to V51.4 OAuth Resource Server via #2140
# | Description | L1 | L2 | L3 |
---|---|---|---|---|
51.4.4 | [ADDED] Verify that if an access control decision requires identifying a unique user from an access token (JWT or related token introspection response), the resource server identifies the user from claims that can not be reassigned to other users. Typically it means using a combination of 'iss' and 'sub' claims. | ✓ | ✓ | ✓ |
We have now two requirements in, but feels like one topic requires some spin-off from here.
@randomstuff - please recheck it, and if the "user identification" issue requires a separate issue, please open it.
It has its own issue now: https://github.com/OWASP/ASVS/issues/2150 and we can close this one out.
Usage of claims other than the subject and issuer identifier to uniquely identify an end user in OpenID Connect is non-compliant with the framework. As per a recent Microsoft report, there is a false identifier anti-pattern being followed and exploited in the wild resulting in account takeover.
To keep it simple, the sub (subject) and iss (issuer) claims, when used together, are considered to be a unique primary identifier for OIDC, as the uniqueness across users is guaranteed. Other claims such as email, username or phone number should not be used, as they can change over time and an attacker can falsify these claims.
I'm interested in contributing and happy to create a PR for this, as well as adding other OIDC requirements. Perhaps this is something I can help with as part of the OAuth2 changes being discussed here?
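The account-mapping logic that requirement 51.4.4 and the comment above describe, as an added example that is not part of this issue, ASVS or any OIDC library: a resource server resolving the local account from the verified claims of an access token (or an RFC 7662 introspection response) by the (iss, sub) pair, next to the email-keyed anti-pattern it replaces. The account store, issuer URLs, subject values and claim sets are all constructed for the example; signature verification of the JWT is assumed to have already happened before these functions see the claims.

```python
"""Added example (not from the ASVS issue or any OIDC library): mapping
token claims to a local account. The secure path keys on (iss, sub); the
insecure path keys on 'email' and exists only to show the anti-pattern."""
from typing import Dict, Optional, Tuple

# Constructed in-memory account store keyed by the stable (iss, sub) pair.
# A real service would use a database; a dict keeps the example offline.
ACCOUNTS: Dict[Tuple[str, str], dict] = {
    ("https://idp.example.com", "248289761001"): {
        "account_id": 1,
        "display": "alice",
        "email_at_signup": "alice@example.com",
    },
}

# Constructed claim sets, i.e. the payload of an already-verified JWT or
# the body of an introspection response. Values are assumptions.
ALICE = {"iss": "https://idp.example.com", "sub": "248289761001",
         "email": "alice@example.com"}
# Same subject at the same issuer after she changed her email address.
ALICE_RENAMED = {"iss": "https://idp.example.com", "sub": "248289761001",
                 "email": "alice.new@example.com"}
# A different principal (another issuer the app also trusts, or an attacker
# who controls an issuer) presenting Alice's email in its own token.
IMPOSTOR = {"iss": "https://other-idp.example.net", "sub": "9001",
            "email": "alice@example.com"}
# Token that carries no 'sub' at all.
SUBLESS = {"iss": "https://idp.example.com", "email": "alice@example.com"}


class IdentityError(ValueError):
    """Raised when a token cannot yield a stable user identifier."""


def claims_from_introspection(resp: dict) -> dict:
    """RFC 7662: an inactive token carries no trustworthy claims, so refuse
    to identify anyone from it rather than reading 'sub' anyway."""
    if resp.get("active") is not True:
        raise IdentityError("token is not active")
    return resp


def principal_key(claims: dict) -> Tuple[str, str]:
    """Stable identifier: the (iss, sub) pair. A missing or empty claim
    means the token identifies nobody, so the decision fails closed."""
    for name in ("iss", "sub"):
        value = claims.get(name)
        if not isinstance(value, str) or not value:
            raise IdentityError(f"token lacks a usable '{name}' claim")
    return claims["iss"], claims["sub"]


def resolve_account_secure(claims: dict) -> Optional[dict]:
    """Look the user up by (iss, sub). An unknown pair returns None: the
    caller provisions a new account and never attaches to an existing one."""
    return ACCOUNTS.get(principal_key(claims))


def resolve_account_insecure(claims: dict) -> Optional[dict]:
    """ANTI-PATTERN: match on 'email'. Any issuer, or a user who changes
    their email at the issuer, can land on someone else's account."""
    email = claims.get("email")
    return next((a for a in ACCOUNTS.values()
                 if a["email_at_signup"] == email), None)


def demo() -> Dict[str, object]:
    """Run the constructed samples through both resolvers and return the
    outcome per case so the difference is visible without printing."""
    def secure(claims: dict) -> object:
        try:
            acct = resolve_account_secure(claims)
        except IdentityError as exc:
            return f"rejected: {exc}"
        return acct["account_id"] if acct else "unknown user: provision new account"

    def insecure(claims: dict) -> object:
        acct = resolve_account_insecure(claims)
        return acct["account_id"] if acct else "unknown user"

    return {
        "alice/secure": secure(ALICE),
        "alice renamed/secure": secure(ALICE_RENAMED),
        "impostor/secure": secure(IMPOSTOR),
        "impostor/insecure": insecure(IMPOSTOR),   # account takeover
        "subless/secure": secure(SUBLESS),
        "inactive introspection": (lambda r: secure(claims_from_introspection(r))
                                   if r.get("active") else "rejected: token is not active")(
                                       {"active": False, **ALICE}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} -> {outcome}")
```

The point the two resolvers make: the renamed-email token still resolves to account 1 under (iss, sub), while the impostor token resolves to nobody under (iss, sub) but to Alice's account under email. Rejecting a token without a `sub` (and an inactive introspection result) closes the remaining gap, since a resolver that silently falls back to email when `sub` is absent reintroduces the anti-pattern.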