Timeline for Adding SSO to an existing website - should SSO login link to matching email address?
Current License: CC BY-SA 4.0
5 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Apr 1, 2022 at 20:34 | comment | added | Jordan Rieger | I accepted this answer because I think it outlines some valid concerns, but I think they are fairly easily mitigated, and the ad-hoc SSO linkage I describe is probably feasible from a security standpoint. | |
| Apr 1, 2022 at 20:31 | vote | accept | Jordan Rieger | ||
| Jan 17, 2024 at 0:13 | |||||
| Mar 31, 2022 at 19:10 | history | bounty awarded | Jordan Rieger | ||
| Mar 29, 2022 at 19:52 | comment | added | Jordan Rieger | Would you agree that these concerns are mitigated if the website verifies email addresses when it creates new non-SSO accounts? E.g. if when creating an account using "[email protected]", the site requires the user to click a verification link sent to that address, then only someone with access to the canonical address at Gmail is going to be able to complete account setup, and an attacker cannot pre-create an account to link with SSO later. | |
| Mar 28, 2022 at 10:19 | history | answered | user251894 | CC BY-SA 4.0 |