(no title)
nodamage | 1 year ago
1. SAML. This avoids the issue because certificates need to be exchanged between Google and your application, but an attacker that recreates a duplicate workspace using your domain won't have access to those certificates. Only users from your workspace will be allowed to login.
2. A custom Google OIDC IdP configured for internal access only. This also avoids the issue because a secret key is required to set this up and the attacker won't have access to that key. Again, only users from your workspace will be allowed to login.
3. The public Google OAuth API which will allow any Google user from any workspace (or non-workspace users) to login to your application.
Is this correct?
nodamage | 1 year ago
If you intended to restrict your application to users of your own workspace then you should have used option (1) or (2).
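To make the distinction in these comments concrete, here is an added example (not code from the commenter, from the thread, or from Google) of the authorization step an application performs on a Google ID token's claims after an OIDC library has verified the signature against Google's JWKS. With no hosted-domain restriction it behaves like option (3), accepting any Google account; with `allowed_hd` set it accepts only accounts whose Workspace domain matches. The client ID, domain, clock value and token payloads are all constructed for illustration.

```python
"""Decide whether verified Google ID-token claims may log in.

Added example for this thread; not code from the commenter or from Google.
Assumes the JWT has already been parsed and its signature verified against
Google's JWKS by an OIDC library; this code works on the resulting claims
dict. The client ID, domain, clock and sample payloads are constructed.
"""
import time

# Google issues ID tokens under either of these issuer strings.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def authorize_google_claims(claims, client_id, allowed_hd=None, now=None):
    """Return (allowed, reason) for an already signature-verified payload.

    allowed_hd=None reproduces option (3) from the thread: any Google
    account, consumer or Workspace, is accepted. Setting allowed_hd
    additionally requires the Workspace hosted-domain claim to match.
    """
    now = time.time() if now is None else now

    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "iss"

    # aud is a string in Google ID tokens but may be a list in general JWTs.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "aud"

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "exp"

    # Never trust an email address Google has not marked as verified.
    if claims.get("email_verified") is not True:
        return False, "email_verified"

    if allowed_hd is None:
        return True, "any google account"  # option (3) from the thread

    # Consumer accounts carry no hd claim at all, so .get() is deliberate.
    if claims.get("hd") != allowed_hd:
        return False, "hd"
    return True, "hd match"


# --- constructed sample data ----------------------------------------------
CLIENT_ID = "123456789-example.apps.googleusercontent.com"  # constructed
NOW = 1_700_000_000  # fixed clock so results are deterministic


def sample_claims(**overrides):
    """A plausible, constructed payload for a Workspace user at example.com."""
    base = {
        "iss": "https://accounts.google.com",
        "aud": CLIENT_ID,
        "sub": "110000000000000000001",  # constructed
        "email": "alice@example.com",
        "email_verified": True,
        "hd": "example.com",
        "iat": NOW - 60,
        "exp": NOW + 3540,
    }
    base.update(overrides)
    return base


def demo():
    """Run the checks over several constructed tokens; returns {case: result}."""
    consumer = sample_claims(email="bob@gmail.com")
    del consumer["hd"]  # consumer accounts have no hosted domain
    other_ws = sample_claims(email="carol@other-corp.example",
                             hd="other-corp.example")
    own = "example.com"

    def check(claims, hd=None):
        return authorize_google_claims(claims, CLIENT_ID, hd, now=NOW)

    return {
        # Option (3): no hd restriction, any Google account passes.
        "open_consumer": check(consumer),
        "open_other_workspace": check(other_ws),
        # Restricted to example.com: only that hosted domain passes.
        "restricted_own_workspace": check(sample_claims(), own),
        "restricted_consumer": check(consumer, own),
        "restricted_other_workspace": check(other_ws, own),
        # Token hygiene that applies in every configuration.
        "wrong_audience": check(sample_claims(aud="other.apps.googleusercontent.com"), own),
        "expired": check(sample_claims(exp=NOW - 1), own),
        "unverified_email": check(sample_claims(email_verified=False), own),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

The `hd` check narrows option (3) from "any Google user" to accounts from your own Workspace domain, which rules out consumer accounts and unrelated Workspaces. It does not address the scenario the thread is about: a duplicate Workspace created on your domain yields tokens with that same `hd` value, so the check passes for the attacker's users as well. That is the gap the commenter's options (1) and (2) close, by tying login to material (SAML certificates or the internal OIDC client's secret) that only your own Workspace holds.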