Messages 2.1.4 - session_selection_required is leaking PII

Issue #523 resolved
Michael Jones created an issue

Yaron Goland wrote the following:

session_selection_required is leaking PII, that the user has multiple accounts with the IDP. That's a big no no. If session selection is required then it should just be used by the IDP and call it a day.

consent_required - This is leaking data about the user, specifically, that it's a user who hasn't previously given permission to the site. This can be used for targeted advertising and other purposes. We shouldn't be returning this error. What we need to say is "You asked for none, that ain't gonna work, try again with no restriction".

user_mismatched - ARE YOU KIDDING ME?!?!?!?? Thanks for providing an oracle that I can use to detect if someone is who I think they are. This error needs to be GONE. Let me repeat - when you ask for none, if it doesn't work - WE DON'T TELL YOU WHY. We just tell you to try again without none. Stop leaking data!

Comments (8)

  1. Michael Jones reporter
    • changed status to open

    These errors were intended for use in immediate mode. We need a generic error saying "try again not in immediate mode" - an interactive session is required. The equivalent of the OpenID 2.0 "check setup required".

    This would replace these error codes.

    George will make a proposal.

  2. gffletch

    Recommend that we remove error responses login_required, session_selection_required, consent_required and user_mismatched. Replace these error responses with the following...

    interaction_required End-User interaction is required at the Authorization Server. This error MAY be returned when the user is required to perform some action at the Authorization server and the prompt parameter in the Authorization Request is set to none. For example, the Authorization Server may require the user to authenticate before granting the authorization request.
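    As an added illustration of the proposal in this comment and of the oracle complaint in the quoted text above (constructed example, not code from the thread or from the OpenID Connect specification; the `Session`, `AuthRequest`, `leaky_response` and `hardened_response` names, the `c0de` placeholder and the sample sessions are all hypothetical), the following models an OP authorization endpoint answering a `prompt=none` request. The leaky variant echoes the condition-specific code to the RP, so two different browser states produce two distinguishable redirects; the hardened variant collapses every interaction condition into `interaction_required` and keeps the real reason in the OP's own audit log.

```python
"""Constructed example: an OP authorization endpoint handling prompt=none.
Not code from the issue thread or the OpenID Connect spec; all names are
hypothetical and the sessions below are made up for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlencode, urlsplit, urlunsplit


@dataclass(frozen=True)
class Session:
    """OP-side view of the browser session (constructed)."""
    user: Optional[str] = None                   # authenticated subject, or None
    accounts: Tuple[str, ...] = ()               # subjects known in this browser
    consented_clients: frozenset = frozenset()   # client_ids already approved


@dataclass(frozen=True)
class AuthRequest:
    """The parts of an Authorization Request this example looks at."""
    client_id: str
    redirect_uri: str
    state: str
    prompt: Optional[str] = None
    id_token_hint_sub: Optional[str] = None      # sub from id_token_hint, if sent


def internal_reasons(req: AuthRequest, sess: Session) -> Tuple[str, ...]:
    """Why the OP cannot answer without End-User interaction.

    These are the condition-specific codes the thread objects to exposing.
    They are computed for the OP's own logging and metrics only."""
    reasons: List[str] = []
    if sess.user is None:
        reasons.append("session_selection_required" if len(sess.accounts) > 1
                       else "login_required")
    elif req.id_token_hint_sub and req.id_token_hint_sub != sess.user:
        reasons.append("user_mismatched")
    if req.client_id not in sess.consented_clients:
        reasons.append("consent_required")
    return tuple(reasons)


def _redirect(req: AuthRequest, params: Dict[str, str]) -> str:
    """Append response parameters to redirect_uri, always echoing state."""
    parts = urlsplit(req.redirect_uri)
    query = urlencode({**params, "state": req.state})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def leaky_response(req: AuthRequest, sess: Session) -> Tuple[str, str]:
    """The behaviour criticised in the thread: the specific reason reaches the RP."""
    reasons = internal_reasons(req, sess)
    if not reasons:
        return "redirect", _redirect(req, {"code": "c0de"})   # placeholder code
    if req.prompt == "none":
        return "redirect", _redirect(req, {"error": reasons[0]})
    return "interact", ""   # render login / account chooser / consent UI


def hardened_response(req: AuthRequest, sess: Session,
                      audit_log: List[str]) -> Tuple[str, str]:
    """Proposed behaviour: with prompt=none every interaction condition
    collapses to a single interaction_required; detail stays in the OP log."""
    reasons = internal_reasons(req, sess)
    if not reasons:
        return "redirect", _redirect(req, {"code": "c0de"})   # placeholder code
    audit_log.append(
        f"client={req.client_id} prompt={req.prompt} reasons={','.join(reasons)}")
    if req.prompt == "none":
        return "redirect", _redirect(req, {"error": "interaction_required"})
    return "interact", ""


if __name__ == "__main__":
    # Constructed RP request that asserts the user is "alice" via id_token_hint.
    req = AuthRequest(client_id="rp1", redirect_uri="https://rp.example/cb",
                      state="xyz", prompt="none", id_token_hint_sub="alice")
    logged_in_as_bob = Session(user="bob", accounts=("bob",),
                               consented_clients=frozenset({"rp1"}))
    nobody = Session()
    print(leaky_response(req, logged_in_as_bob)[1])   # reveals user_mismatched
    print(leaky_response(req, nobody)[1])             # reveals login_required
    log: List[str] = []
    print(hardened_response(req, logged_in_as_bob, log)[1])  # identical for both
    print(hardened_response(req, nobody, log)[1])
    print(log)
```

    The property worth checking is that the two hardened redirects are byte-for-byte identical whatever the session state, so an RP probing with `id_token_hint` learns nothing about who is logged in at the OP; the audit log keeps the distinction available for the OP's own monitoring.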

  3. Former user Account Deleted

    The motivation for providing more specific information was to allow RPs to reason whether the current IDP choice is the best option for the user. However, given the lack of consensus on this, I am fine with changing to 'interaction_required'.

  4. Michael Jones reporter

    We agreed to postpone this until we better understand the full session management strategy.

  5. Michael Jones reporter

    It should always be legal to return interaction_required for privacy reasons - it will be added. Based upon the circumstances of the request, some OPs may return more specific errors. We will delete user_mismatched. We may continue revising these error codes once session management is further fleshed out.
