This repository has been archived by the owner on Sep 2, 2022. It is now read-only.
Scenario is self-served portal.
Any user can sign in using Auth0, thus get their id_token.
Using https://jwt.io/, the encoded id_token can be modified to alter the `sub` field.
Then the `createUser(authProvider: {auth0: {idToken: $idToken}} ...` mutation can be invoked with the forged id_token.
Two possible solutions I see:
1. allow the 'authenticated' condition to match the user (as long as the proper Authentication Bearer idToken is passed), even if the row is not yet created in User
2. replace `auth0: {idToken}` with JWT (as mentioned here) so that graph.cool validates the proper signature
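The attack in the report and the signature-validating fix that the second proposed solution amounts to, as an added example; this is not code from the original issue or from graph.cool. It assumes HS256 tokens signed with a shared secret `SECRET`, hypothetical `create_user_vulnerable` / `create_user_fixed` handlers standing in for the createUser mutation, and a plain dict as the User table. Auth0 id_tokens are normally RS256, but the point is the same: a token whose payload was edited after signing no longer verifies.

```python
"""Added example (not from the issue or from graph.cool): a self-contained
model of the forged-id_token problem.

Assumptions (none come from the page): tokens are HS256 JWTs signed with a
shared secret; SECRET, the users dict and the two create_user_* handlers are
hypothetical stand-ins for the real IdP key, User table and mutation.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"hypothetical-auth0-client-secret"  # constructed for the demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 token: b64url(header).b64url(payload).b64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_unverified(token: str) -> dict:
    """What an editor such as jwt.io, or a careless consumer, does: read the
    payload without looking at the signature at all."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def forge_sub(token: str, new_sub: str) -> str:
    """The attack from the issue: rewrite `sub` in the payload and keep the
    original header and signature, which no longer cover the new payload."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["sub"] = new_sub
    new_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return header + "." + new_payload + "." + sig


class InvalidToken(Exception):
    pass


def decode_verified(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Pin the alg, check the signature in constant time and honour `exp`
    before any claim is trusted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuses alg=none and algorithm confusion
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if "exp" in claims and current >= claims["exp"]:
        raise InvalidToken("expired")
    return claims


def create_user_vulnerable(token: str, users: dict) -> str:
    """Trusts whatever `sub` the token carries: the behaviour the issue reports."""
    sub = decode_unverified(token)["sub"]
    users.setdefault(sub, {"sub": sub})
    return sub


def create_user_fixed(token: str, key: bytes, users: dict) -> str:
    """Creates a row only for a `sub` that the IdP actually signed."""
    sub = decode_verified(token, key)["sub"]
    users.setdefault(sub, {"sub": sub})
    return sub


if __name__ == "__main__":
    attacker = sign_jwt({"sub": "auth0|attacker"}, SECRET)
    forged = forge_sub(attacker, "auth0|victim")
    print("vulnerable handler created:", create_user_vulnerable(forged, {}))
    try:
        create_user_fixed(forged, SECRET, {})
    except InvalidToken as e:
        print("fixed handler rejected forged token:", e)
```

`decode_unverified` is exactly what the jwt.io editor does when it shows and lets you change the payload, and what the vulnerable mutation effectively does if it reads `sub` without validating the signature. The hardened path adds three checks that a practitioner should expect from any JWT consumer: the `alg` is pinned rather than read from the attacker-controlled header, the HMAC comparison is constant-time, and `exp` is enforced.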