Login invited users with correct account when using e-ID about citizenos-api HOT 4 CLOSED

Wait, so essentially we're logging a user into an account, that they did not provide credentials for. I understand, that the user actually intends to log into A2 in this case. But if they provide credentials for A1 and get into A2, doesn't that open up some avenues of attack? It seems a bit fishy, but maybe it's not. I can't come up with an immediate attack vector. @tiblu, can you?

from citizenos-api.

@loorm nope, this is not the case. Both accounts are linked with users personal ID, And this login method is also listed under users available login methods when they click on invite link and are prompted to login. This will not be implemented for any e-mail based authentication methods.

from citizenos-api.

Wait, so essentially we're logging a user into an account, that they did not provide credentials for. I understand, that the user actually intends to log into A2 in this case. But if they provide credentials for A1 and get into A2, doesn't that open up some avenues of attack? It seems a bit fishy, but maybe it's not. I can't come up with an immediate attack vector. @tiblu, can you?

IF A1 is created using e-ID login,
IF A2 has UserConnection because they used e-ID signing while being logged into account A2,
THEN I see no problem in the described implementation as the User has basically used their e-ID to claim the account or show access to that account.

Also is it true that you CANNOT have n+1 EID UserConnections per account (user ID)? @ilmartyrk

from citizenos-api.

@loorm @tiblu your description is correct. User has multiple accounts connected with e-ID. One account can only have ONE EID UserConnection.

from citizenos-api.