Prevent login overrides with SSO feature
eriskhan
The new SSO feature of Strapi is great and it has its pros - however, also cons. And the biggest con is that it's possible for an intruder to access another user's account by creating an account on some provider with the e-mail of such an admin user. For example, let's say you have two providers: Google and Sign in with Apple. An admin panel user has an Apple ID, but doesn't have a Google account. An intruder wants to access the system and knows the e-mail of the user. He creates a Google account with the e-mail address of the user. Then he logs in to the admin panel without any problems under that user's account and gains access to the data in Strapi.
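A defensive illustration of the flaw described above, added here as example code (not Strapi's own SSO implementation): the vulnerable lookup matches an admin account by the e-mail the identity provider reports, while the hardened lookup accepts only a (provider, subject) pair that the account owner explicitly linked while already signed in. The user records and token claims are constructed sample data.

```javascript
// Constructed sample user store: the admin registered via Apple only.
const users = [
  { id: 1, email: 'admin@example.com',
    identities: [{ provider: 'apple', subject: 'apple-sub-001' }] },
];

// VULNERABLE: any provider that asserts the admin's e-mail logs in as the admin,
// even though the admin never used that provider.
function resolveUserByEmail(claims) {
  return users.find(u => u.email.toLowerCase() === claims.email.toLowerCase()) || null;
}

// HARDENED: log in only if this exact provider identity was linked beforehand.
// The e-mail claim is not used for account selection at all.
function resolveUserByLinkedIdentity(claims) {
  return users.find(u => u.identities.some(
    i => i.provider === claims.provider && i.subject === claims.sub)) || null;
}

// Explicit linking step, to be called only from an already-authenticated
// session of the account owner (hypothetical helper, not a Strapi API).
function linkIdentity(userId, claims) {
  const user = users.find(u => u.id === userId);
  if (!user) throw new Error('unknown user');
  if (claims.email_verified !== true) throw new Error('provider did not verify e-mail');
  if (user.email.toLowerCase() !== claims.email.toLowerCase()) throw new Error('e-mail mismatch');
  if (user.identities.some(i => i.provider === claims.provider)) {
    throw new Error('provider already linked');
  }
  user.identities.push({ provider: claims.provider, subject: claims.sub });
  return user;
}

// Constructed claims: an attacker-created Google account using the admin's e-mail.
const attackerGoogleClaims = {
  provider: 'google', sub: 'google-sub-999', email: 'admin@example.com', email_verified: true,
};
// Constructed claims: the admin's real Apple identity.
const adminAppleClaims = {
  provider: 'apple', sub: 'apple-sub-001', email: 'admin@example.com', email_verified: true,
};
```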
Rodrigo Rubio
Considering that SSO is an enterprise feature, this should be fixed as a matter of urgency. Risks are losing potential clients to bugs like this, and how long it's taken to patch.