superseriousbusiness / gotosocial

Fast, fun, small ActivityPub server.
https://docs.gotosocial.org
GNU Affero General Public License v3.0

[feature] Use the `sub` claim for OIDC Accounts #917

Closed theSuess closed 1 year ago

theSuess commented 1 year ago

Is your feature request related to a problem?

As OIDC accounts are currently tied to the email address, this can lead to issues when changing the email of a user. Per the OIDC spec, the email claim is neither guaranteed to be stable nor unique. The only reliable identifier is the sub claim.

Describe the solution you'd like.

For externally authenticated users, store an additional field to have a stable reference to the correct user. This prevents account takeovers (accidental or with malicious intent).

Describe alternatives you've considered.

There really is no other stable way to prevent hostile account takeovers in a self-service OIDC environment.

Additional context.

Relevant OIDC spec for reference: https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
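The two failure modes the issue describes (an email address that moves to a different person, and a user whose address changes) can be shown side by side with a small account-linking routine. The code below is an added example written for this page; it is not GoToSocial code and not the change from PR #961. The `Claims`, `Account` and `Store` types, the issuer URL and the account records are constructed for the example; only the claim names `iss`, `sub` and `email` come from the OIDC spec.

```go
package main

import (
	"errors"
	"fmt"
)

// Claims is the subset of ID-token claims this example looks at.
// The field comments give the OIDC Core claim each one mirrors; the
// struct itself is an assumption of this example.
type Claims struct {
	Issuer  string // "iss"
	Subject string // "sub": stable and unique within one issuer
	Email   string // "email": may change and is not guaranteed unique
}

// Account is a hypothetical local account record that remembers the
// (iss, sub) pair it was linked to, as the issue proposes.
type Account struct {
	ID      string
	Email   string
	Issuer  string
	Subject string
}

var ErrNoLinkedAccount = errors.New("no account linked to this OIDC identity")

// Store is a constructed in-memory stand-in for the database.
type Store struct {
	accounts []*Account
}

// NewSampleStore returns a store holding one account, "alice", linked
// to a constructed issuer and subject.
func NewSampleStore() *Store {
	return &Store{accounts: []*Account{{
		ID:      "alice",
		Email:   "alice@example.org",
		Issuer:  "https://idp.example",
		Subject: "sub-alice",
	}}}
}

// ResolveByEmail reproduces the behaviour the issue reports as the
// problem: whichever local account currently carries the token's
// email address is treated as the token's owner.
func (s *Store) ResolveByEmail(c Claims) (*Account, error) {
	for _, a := range s.accounts {
		if a.Email == c.Email {
			return a, nil
		}
	}
	return nil, ErrNoLinkedAccount
}

// ResolveBySubject is the fix the issue asks for: the token is matched
// on the (iss, sub) pair stored at link time. A changed email address
// is copied onto the account but never used as the lookup key.
func (s *Store) ResolveBySubject(c Claims) (*Account, error) {
	if c.Subject == "" {
		return nil, errors.New("ID token carries no sub claim")
	}
	for _, a := range s.accounts {
		if a.Issuer == c.Issuer && a.Subject == c.Subject {
			a.Email = c.Email
			return a, nil
		}
	}
	return nil, ErrNoLinkedAccount
}

func main() {
	s := NewSampleStore()

	// Case 1: a different subject presents alice's old address
	// (constructed token; in a self-service IdP this is reachable).
	foreign := Claims{Issuer: "https://idp.example", Subject: "sub-other", Email: "alice@example.org"}
	a, err := s.ResolveByEmail(foreign)
	fmt.Println("email lookup, foreign sub:", a, err) // hands over alice's account
	a, err = s.ResolveBySubject(foreign)
	fmt.Println("sub lookup, foreign sub:  ", a, err) // no linked account

	// Case 2: alice changes her address at the IdP.
	renamed := Claims{Issuer: "https://idp.example", Subject: "sub-alice", Email: "alice@new.example"}
	a, err = s.ResolveByEmail(renamed)
	fmt.Println("email lookup, renamed:    ", a, err) // alice is locked out
	a, err = s.ResolveBySubject(renamed)
	fmt.Println("sub lookup, renamed:      ", a, err) // alice, address refreshed
}
```

The issuer is part of the key on purpose: the spec only promises that `sub` is unique within one issuer, so a deployment that ever trusts more than one provider must not match on `sub` alone.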

tsmethurst commented 1 year ago

closed by https://github.com/superseriousbusiness/gotosocial/pull/961