7

I'm using DotNetOpenAuth for OpenID logins. Google's provider returns a different ClaimedIdentifier depending on the realm of the caller (hostname + port).

Is it safe for me to validate a login based on the email address returned by the OpenID authentication callback vs the claimed identifier itself? i.e. is there a way a user could forge their email address and thus gain access to another user's account if we validate on the email instead of the claimed ID?

I was thinking this would be OK to do as long as the provider is trusted - i.e. we can trust Google not to allow a user to sign in using someone else's email address.

Jake Petroules
  • 23,472
  • 35
  • 144
  • 225

2 Answers

7

The OpenID 2.0 protocol's security model is built around the Claimed Identifier -- not the email address. So the best approach is to make your Realm consistent. If you can do that, that's the best approach.

It may also be a good idea to store the email address in your users table so that if your realm ever must change (perhaps your company is purchased by another) you'll be able to migrate your users. But if you plan to do this, you should also store what the OP Endpoint was during authentication when you received the email address so you know whether you can trust it.

Generally, it's unsafe to trust the email address at all. If you trust the Provider (Google in your case) to provide you verified email addresses, then you may trust the email addresses if you verify that it is in fact the Provider that authenticated the user. This can only be done correctly by verifying the IAuthenticationResponse.Provider.Uri value is the one you trust. It cannot be done implicitly just by only offering a "Log in with Google" button because of OpenID's "unsolicited assertions" feature, which allows users to log in with arbitrary Providers regardless of what the RP offers in its UI. And it cannot be done by checking the domain of the Claimed Identifier because of the difference between claimed and local identifiers.

Andrew Arnott
  • 80,040
  • 26
  • 132
  • 171
  • So essentially, the following logic would be secure? if provider is Google, validate auth using email, else validate auth using claimed ID – Jake Petroules Jan 29 '12 at 19:50
  • Doesn't Stack Exchange actually do this anyway, as the "my logins" dialog states "sign in using any Google, Facebook, Yahoo or Stack Exchange account with the above email"... that would imply that for those trusted providers they simply validate on the email instead of the claimed ID, and use the claimed ID for any untrusted providers. – Jake Petroules Jan 29 '12 at 19:54
  • Actually, from reading this (http://blog.stackoverflow.com/2010/04/openid-one-year-later/), that appears to be the case. – Jake Petroules Jan 29 '12 at 21:03
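As an added example, not code from the question or either answer, here is how the check Andrew describes could look in a DotNetOpenAuth relying party: the e-mail is used as the account key only when the assertion's OP Endpoint is Google's (assumed here to be https://www.google.com/accounts/o8/ud, the endpoint Google used for OpenID 2.0), and otherwise the Claimed Identifier is used. The `OpenIdLoginValidator` class, the `ResolveAccountKey` method and the `email:`/`openid:` key prefixes are my own naming.

```csharp
using System;
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.Extensions.AttributeExchange;
using DotNetOpenAuth.OpenId.RelyingParty;

public static class OpenIdLoginValidator
{
    // Google's OpenID 2.0 OP Endpoint (assumption: this is the endpoint you trust).
    private static readonly Uri GoogleOpEndpoint =
        new Uri("https://www.google.com/accounts/o8/ud");

    // Returns the key the user record is looked up under: the e-mail when the
    // assertion was issued by the trusted OP Endpoint, otherwise the Claimed Identifier.
    public static string ResolveAccountKey(IAuthenticationResponse response)
    {
        if (response == null || response.Status != AuthenticationStatus.Authenticated)
        {
            throw new InvalidOperationException("OpenID assertion was not authenticated.");
        }

        // Only the OP Endpoint that issued the assertion proves who authenticated
        // the user. The "Log in with Google" button and the Claimed Identifier's
        // domain do not, because of unsolicited assertions and local identifiers.
        bool fromGoogle = response.Provider != null
            && Uri.Compare(response.Provider.Uri, GoogleOpEndpoint,
                           UriComponents.HttpRequestUrl, UriFormat.Unescaped,
                           StringComparison.Ordinal) == 0;

        if (fromGoogle)
        {
            // Google returns the e-mail via Attribute Exchange.
            FetchResponse fetch = response.GetExtension<FetchResponse>();
            string email = fetch == null
                ? null
                : fetch.GetAttributeValue(WellKnownAttributes.Contact.Email);

            if (!string.IsNullOrEmpty(email))
            {
                // Normalise so the same mailbox maps to one account across realms.
                return "email:" + email.Trim().ToLowerInvariant();
            }
        }

        // Untrusted provider (or no e-mail): fall back to the protocol's own anchor.
        return "openid:" + response.ClaimedIdentifier;
    }
}
```

If you store the e-mail for a later realm migration as the answer suggests, store `response.Provider.Uri` next to it so the stored address carries the same trust decision.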
2

I'd verify that the claimed ID is indeed a Google one before using the e-mail in my comparison. That's how StackOverflow does it, too.

cweiske
  • 30,033
  • 14
  • 133
  • 194
  • Checking that the claimed identifier is a Google one is an important precaution, but it isn't the best one. The best one is checking the OP Endpoint that issued the assertion. – Andrew Arnott Jan 29 '12 at 14:26