Hi, I noticed that the user creation/lookup is solely based on the name id that the IDP provides. This could cause issues if multiple IDPs return the same NameId (be it malicious or just a bad way to generate the ids). Would it be possible to provide a way to generate the user id more dynamically? My suggestion would be to allow lookup_attr[1] in auth.py:90 to be a function that takes saml_auth and final_map as arguments (and possibly the provider name?). Happy to provide a PR if you agree.
I do acknowledge that IDP providers should generally be trusted, and sometimes you even want to merge accounts that different IDPs provide, but in my case I am a bit paranoid about IDPs behaving badly.
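An added illustration of the opt-in lookup this issue proposes (example code, not this project's own): the second element of `lookup_attr` is either a plain attribute name, which keeps the current NameID-only behaviour, or a callable that receives `saml_auth`, `final_map` and the provider name and can scope the key per IdP. The `SamlAuthStub`, `final_map` dict and provider names below are constructed stand-ins, since the real shapes are not shown on this page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple, Union


@dataclass
class SamlAuthStub:
    """Constructed stand-in for saml_auth; only the fields needed here."""
    name_id: str
    idp_entity_id: str


FinalMap = Dict[str, str]
LookupFn = Callable[[SamlAuthStub, FinalMap, str], str]
# (local model field, source): source is an attribute name (default) or a callable (opt-in).
LookupAttr = Tuple[str, Union[str, LookupFn]]


def resolve_lookup_value(lookup_attr: LookupAttr, saml_auth: SamlAuthStub,
                         final_map: FinalMap, provider_name: str) -> str:
    """Return the value used to find-or-create the local user."""
    source = lookup_attr[1]
    if callable(source):
        # Opt-in path: the deployment decides how the key is derived.
        return source(saml_auth, final_map, provider_name)
    # Default path: use the mapped attribute as-is (today's behaviour).
    return final_map[source]


def scoped_by_provider(saml_auth: SamlAuthStub, final_map: FinalMap,
                       provider_name: str) -> str:
    """Namespace the NameID with the provider so two IdPs cannot collide."""
    return f"{provider_name}:{saml_auth.name_id}"


# Constructed sample: two different IdPs assert the same NameID "user-1001".
ASSERTION_A = SamlAuthStub("user-1001", "https://idp-a.example/metadata")
ASSERTION_B = SamlAuthStub("user-1001", "https://idp-b.example/metadata")
MAP_A = {"name_id": ASSERTION_A.name_id, "email": "alice@a.example"}
MAP_B = {"name_id": ASSERTION_B.name_id, "email": "bob@b.example"}


def default_keys() -> Tuple[str, str]:
    attr: LookupAttr = ("username", "name_id")
    return (resolve_lookup_value(attr, ASSERTION_A, MAP_A, "idp_a"),
            resolve_lookup_value(attr, ASSERTION_B, MAP_B, "idp_b"))


def scoped_keys() -> Tuple[str, str]:
    attr: LookupAttr = ("username", scoped_by_provider)
    return (resolve_lookup_value(attr, ASSERTION_A, MAP_A, "idp_a"),
            resolve_lookup_value(attr, ASSERTION_B, MAP_B, "idp_b"))
```

With the default source both assertions resolve to the same local user; with the callable they resolve to distinct keys, so a second IdP cannot claim an account created through the first.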
I’m open to it. I’d want the current behavior to continue to be the default
but would be fine for a way to opt-in to the behavior you describe.
On Sun, Apr 11, 2021 at 2:24 PM Nigel Schuster wrote:
--
Julie Davila (she/her)
Co-founder and CEO
ZibaSec, Inc
https://zibasec.io
703.249.9388