User's mail should definitely not be taken from the "email" field in OAuth response
Hey folks, hope y'all are doing well.
In this code snippet, the mail of a new user is taken from the email field in the OAuth response.

This is really dangerous and should definitely not be done this way! The email field can be set by the tenant administrator and does not necessarily represent the actual user's mail. Please take the upn field from the response instead; it actually represents a unique username.
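To make the risk concrete, here is an added example (not code from the package discussed in this issue) with a hypothetical UserStore and constructed claims: two distinct accounts whose email claim has been set to the same address by the tenant administrator. Keyed on email, the second login lands on the first user's account; keyed on upn, as the issue proposes, it does not.

```python
"""Added example: account lookup/creation from Microsoft identity-platform claims.

Hypothetical UserStore, not the package's own code. The claim dicts below are
constructed; they stand in for the decoded OAuth/OIDC response.
"""
from dataclasses import dataclass, field

# Constructed claims for two different directory users. Both carry the same
# `email` because that attribute is set by the tenant administrator, not
# verified against a mailbox. `upn` differs per user.
# (Microsoft's immutable per-user identifier is the `oid` claim; `upn` is what
# this issue asks for, so it is what the hardened path keys on here.)
CLAIMS_ALICE = {"upn": "alice@contoso.example",
                "email": "shared@contoso.example", "name": "Alice"}
CLAIMS_MALLORY = {"upn": "mallory@contoso.example",
                  "email": "shared@contoso.example", "name": "Mallory"}


@dataclass
class UserStore:
    """Minimal stand-in for a user table keyed by one chosen claim."""
    key_claim: str                      # "email" (weak) or "upn" (the fix)
    users: dict = field(default_factory=dict)

    def get_or_create(self, claims: dict):
        """Return (user, created). Matching on `email` is the weak behaviour."""
        key = claims.get(self.key_claim)
        if not key:
            raise ValueError(f"claim {self.key_claim!r} missing from token")
        key = key.lower()               # normalise before comparing
        if key in self.users:
            return self.users[key], False
        user = {"key": key, "name": claims.get("name"),
                "email": claims.get("email")}
        self.users[key] = user
        return user, True


def second_login_hits_first_account(key_claim: str) -> bool:
    """True when Mallory's login resolves to Alice's existing account."""
    store = UserStore(key_claim)
    alice, _ = store.get_or_create(CLAIMS_ALICE)
    who, _created = store.get_or_create(CLAIMS_MALLORY)
    return who is alice


if __name__ == "__main__":
    print("email keyed:", second_login_hits_first_account("email"))  # True
    print("upn keyed:  ", second_login_hits_first_account("upn"))    # False
```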
Issue Analytics
- Created 2 years ago
- Reactions: 3
- Comments: 5 (5 by maintainers)
Top GitHub Comments
Ideally (for full AD support), the Microsoft / Django field mappings should be configurable. As previously stated elsewhere, this package was only really designed for the common tenant (Microsoft accounts).
With MICROSOFT_AUTH_AUTO_CREATE = False, it seems it doesn't create a Microsoft auth token in admin when I have a matching email address.