Jitsi Meet's JWT doc describes the context.token.id claim as an opaque user identifier, and gives a UUID as an example.
However, jitsi-openid uses the OpenID preferred_username claim as the default Jitsi user ID claim (context.user.id), falling back to the sub claim if preferred_username is not present:
|
let uid = match claims.preferred_username() { |
|
Some(name) => name.to_string(), |
|
None => claims.subject().to_string(), |
|
}; |
Per the OpenID Connect Core 1.0 specification, section 5.7 (emphasis added):
The sub (subject) and iss (issuer) Claims from the ID Token, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in Section 2. Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim.
All other Claims carry no such guarantees across different issuers in terms of stability over time or uniqueness across users, and Issuers are permitted to apply local restrictions and policies. For instance, an Issuer MAY re-use an email Claim Value across different End-Users at different points in time, and the claimed email address for a given End-User MAY change over time. Therefore, other Claims such as email, phone_number, preferred_username, and name MUST NOT be used as unique identifiers for the End-User, whether obtained from the ID Token or the UserInfo Endpoint.
And per section 5.1 (emphasis added):
preferred_username
Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.
As preferred_username has no guarantees of stability or uniqueness, it is incorrect to pass it as a unique user identifier to Jitsi.
Depending on how Jitsi uses the id value, this may allow a malicious user to impersonate others or hijack accounts1.
Jitsi Meet's JWT doc describes the
context.token.idclaim as an opaque user identifier, and gives a UUID as an example.However,
jitsi-openiduses the OpenIDpreferred_usernameclaim as the default Jitsi user ID claim (context.user.id), falling back to thesubclaim ifpreferred_usernameis not present:jitsi-openid/src/routes.rs
Lines 234 to 237 in eb7b9d7
Per the OpenID Connect Core 1.0 specification, section 5.7 (emphasis added):
And per section 5.1 (emphasis added):
As
preferred_usernamehas no guarantees of stability or uniqueness, it is incorrect to pass it as a unique user identifier to Jitsi.Depending on how Jitsi uses the
idvalue, this may allow a malicious user to impersonate others or hijack accounts1.Footnotes
I have not tested the security impact of this issue. ↩