Describe the solution you'd like
Memos has added OAuth support, which is great, but I found that I couldn't bind a custom/built-in OAuth service to an existing service through settings.
If the username is the same, it will automatically log in to the existing service with the same username. There is actually an issue here. If the username happens to be the same, could it lead to unauthorized access? Therefore, it is necessary to implement a way for users to bind OAuth services to existing accounts.
Type of feature
Integrations
Additional context
No
This is obviously an issue that could lead to unauthorized access. The normal logic is that users link their social media accounts (OAuth 2.0), but now the system is directly matching usernames. For example, if someone on GitHub has a username called "vscode," and a user on my Memos instance also has the username "vscode," even if these two accounts are unrelated, the GitHub user named "vscode" would still be able to log in to the Memos instance. This constitutes unauthorized access. The developers may not have considered this possibility.
> The normal logic is that users link their social media accounts (OAuth 2.0), but now the system is directly matching usernames.
@panluoyant Account linking is a separate topic and requires more time and effort to implement.
In Memos, SSO is added by administrators and includes the optional identity filter to prevent unauthorized users. So I don't think this is a "security" issue.
However, you cannot ensure that these single sign-on (SSO) sources and the Memos instance do not use the same username. Normally, the logic of binding social accounts is essential.
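As an added example (not Memos' own code), the two lookups side by side: the username-matching login the thread describes, and a link-based login that only honours an explicit (provider, subject) binding created by the already-authenticated account owner. The `Store` and `Claims` types, the local user "vscode" and the GitHub subject "gh-12345" are constructed for the demo.

```go
package main
import (
	"errors"
	"fmt"
)

// Claims is the part of an OAuth/OIDC identity relevant here (constructed, not
// Memos' type): Subject is the provider's stable id, Username its display name.
type Claims struct{ Provider, Subject, Username string }
type User struct{ Username string }

type Store struct {
	Users map[string]*User // local accounts keyed by username
	Links map[string]*User // explicit bindings keyed by provider + "|" + subject
}

var ErrNotLinked = errors.New("identity not linked to a local account")

// LoginByUsername is the behaviour the issue describes: a provider account whose
// display name equals a local username is signed in as that user.
func (s *Store) LoginByUsername(c Claims) (*User, error) {
	if u, ok := s.Users[c.Username]; ok {
		return u, nil
	}
	return nil, errors.New("no such user")
}

// Link binds an identity to owner; only a session already authenticated as owner may call it.
func (s *Store) Link(owner *User, c Claims) { s.Links[c.Provider+"|"+c.Subject] = owner }

// LoginByLink trusts only an explicit link, so a colliding display name grants nothing.
func (s *Store) LoginByLink(c Claims) (*User, error) {
	if u, ok := s.Links[c.Provider+"|"+c.Subject]; ok {
		return u, nil
	}
	return nil, ErrNotLinked
}

func main() {
	local := &User{Username: "vscode"} // constructed: an unrelated GitHub user is also named "vscode"
	s := &Store{Users: map[string]*User{"vscode": local}, Links: map[string]*User{}}
	gh := Claims{Provider: "github", Subject: "gh-12345", Username: "vscode"}
	u, _ := s.LoginByUsername(gh)
	fmt.Println("username match signs in as:", u.Username) // the unauthorized path
	_, err := s.LoginByLink(gh)
	fmt.Println("link-based login before binding:", err)
	s.Link(local, gh) // done by the owner of "vscode" while logged in locally
	u, _ = s.LoginByLink(gh)
	fmt.Println("link-based login after binding:", u.Username)
}
```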