Remove associate_by_email from the default social auth pipeline, which can allow for account takeovers #14946

@remram44

Description

NetBox version

>=3.1.0 including 3.7.1

Feature type

Change to existing functionality

Proposed functionality

The default social auth pipeline used by NetBox includes associate_by_email. This is disabled by default in social auth for security reasons as it allows account takeover. Let's disable it to match social auth's defaults.

Use case

associate_by_email automatically links a new social login with any existing account that has the same email address. For example, if you allow social auth via Google and I have the superuser's email on my Google account, when I log in via Google, I am let into that superuser account.

This is safe if you are using an SSO system that validates email addresses (e.g. your company's SSO) but usually NOT for social login. Many sites will report email addresses even though they have not yet been validated.

This affected me as I use CILogon (which in turn uses a large variety of providers). It famously affects Google accounts as well (source).

Database changes

No response

External dependencies

No response
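A toy model of the behaviour this issue describes, added here as an example and not code from NetBox, social-core or the issue author. The pipeline tuples are assumptions modelled on the NetBox and social-core step names, the user table is constructed, and `resolve_first_login` and `audit_pipeline` are hypothetical helpers that show the weak pipeline beside the corrected one and give an operator a check to run against their own `SOCIAL_AUTH_PIPELINE`.

```python
ASSOCIATE_BY_EMAIL = "social_core.pipeline.social_auth.associate_by_email"

# Pipeline shape the issue describes (an assumption modelled on NetBox's
# settings, not copied from them): associate_by_email runs before
# create_user, so a first-time social login whose provider-reported email
# matches an existing user lands in that user's account.
WEAK_PIPELINE = (
    "social_core.pipeline.social_auth.social_details",
    "social_core.pipeline.social_auth.social_uid",
    "social_core.pipeline.social_auth.social_user",
    "social_core.pipeline.user.get_username",
    ASSOCIATE_BY_EMAIL,
    "social_core.pipeline.user.create_user",
    "social_core.pipeline.social_auth.associate_user",
    "social_core.pipeline.user.user_details",
)

# The fix the issue proposes: drop the step, which matches social-core's own
# default pipeline, where the step is commented out.
SAFE_PIPELINE = tuple(step for step in WEAK_PIPELINE if step != ASSOCIATE_BY_EMAIL)

# Constructed sample user table: (username, email) pairs.
EXISTING_USERS = [("admin", "admin@example.com"), ("bob", "bob@example.com")]


def resolve_first_login(pipeline, provider_email, users=EXISTING_USERS):
    """Toy model of which local account a first-time social login ends up in.

    Only the two steps that decide the outcome are modelled. Like the real
    associate_by_email, more than one matching account is an error."""
    user = None
    for step in pipeline:
        if step == ASSOCIATE_BY_EMAIL and user is None:
            matches = [name for name, email in users if email == provider_email]
            if len(matches) > 1:
                raise ValueError("email belongs to more than one account")
            if matches:
                user = matches[0]            # existing account, email never verified
        elif step.endswith(".create_user") and user is None:
            user = "new:" + provider_email   # a fresh account; nothing to take over
    return user


def audit_pipeline(pipeline, idp_verifies_email=False):
    """Flag associate_by_email unless the identity provider is known to verify
    email ownership, the one case the issue calls safe (e.g. a company SSO)."""
    if ASSOCIATE_BY_EMAIL in pipeline and not idp_verifies_email:
        return [ASSOCIATE_BY_EMAIL + " enabled: an unverified provider email is "
                "linked to any existing account with the same address"]
    return []
```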

Metadata

Labels

status: accepted (This issue has been accepted for implementation)
type: feature (Introduction of new functionality to the application)
