1
Vote

Attempting to Add Ext Login which already exists for another user results in auto-logging in as other user

description

MVC4 with latest available OAuth libraries

Repro
  1. Register UserA
  2. Register UserB
  3. Logged in as UserB add a Google Login
  4. Log Off UserB
  5. Login as User A
  6. Logged in as UserA attempt to add same Google credentials as used in UserB
Result
When adding external credentials to a user account when those external credentials already exist in the membership repository for another user will automatically log the current user off and on as the other user.

Expected
I would expect an error stating the external credentials could not be associated with the current account because they exist for another account.

comments

damianedwards wrote Sep 27, 2012 at 6:17 PM

To be clear, the designed behavior is it logs UserB in because the credential exists and the login succeeds because the credential is already satisfied (UserB actually has a valid Google auth cookie present in the browser).

So, there is no security issue here, as you're still required to actually log in with the external provider. The code that does this is actually in the template so can be changed directly in the app.

Toddca wrote Sep 27, 2012 at 6:27 PM

Thanks I believe I have a fix (err change in behavior), just place this bit of code just before the OAuthWebSecurity.Login line:

if (User.Identity.IsAuthenticated)
        {
            var userName = OAuthWebSecurity.GetUserName(result.Provider, result.ProviderUserId);

            if( !String.IsNullOrEmpty(userName) && 
                String.Compare(userName, User.Identity.Name, true, CultureInfo.InvariantCulture) != 0)
            {
                return RedirectToAction(MVC.Account.ExternalLoginFailure());
            }
        }

Toddca wrote Sep 27, 2012 at 6:31 PM

The reason I don't like this behavior is UserA was attempting to add an additional credential - eg, that was his or her intent or request of the system. The system responded by not adding the additional credential, logging UserA off, Logging UserB on, and then not telling the user what just transpired on their behalf.

Sign in to add a comment or to set email notifications