bankid4keycloak
Collect call must have a check that it is linked with the current user session
Describe the bug
There is a slight possibility that user A can get control of user B's session, if user A gets hold of the bankidRef (the value used in the collect call) of user B, replaces his own bankidRef value with user B's in the collect call, and somehow user B delays his BankID approval.

Steps to reproduce the behavior:
- User A and User B both start the authentication process
- User A takes the bankidRef of B and uses it in place of his own bankidRef value (this can be done using some HTTP interceptor tools)
- User B delays his BankID approval and User A approves first
- User A will have the session of User B

Expected behavior
User A should not be able to gain access to User B's session.

Screenshots
NA

Environment:
Any env

Additional context
In the collect call we should add a check that the bankidRef must belong to the current user session.
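The check proposed in this issue, as an added illustration that is not code from bankid4keycloak: the ref issued at the start of a login attempt is stored on that attempt's session, and the collect call refuses any ref that was not issued to the calling session. All names (`BankIdLogin`, `start`, `approve`, `collect`, `collect_unchecked`) are hypothetical, and the in-memory dictionaries are constructed stand-ins for the Keycloak authentication session and for the BankID backend.

```python
"""Session-binding check for a BankID-style collect call (illustration)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


class BankIdRefMismatch(Exception):
    """Raised when a collect call carries a ref not issued to this session."""


@dataclass
class AuthSession:
    session_id: str
    bankid_ref: str             # ref issued to this login attempt by start()
    user: Optional[str] = None  # identity bound once collect succeeds


class BankIdLogin:
    def __init__(self) -> None:
        # Constructed stand-in for per-session auth notes.
        self._sessions: dict[str, AuthSession] = {}
        # Constructed stand-in for the BankID backend: ref -> identity of
        # whoever approved in the BankID app (None while still pending).
        self._backend: dict[str, Optional[str]] = {}

    def start(self, session_id: str) -> str:
        """Begin authentication; the fresh ref is recorded on the session."""
        ref = secrets.token_hex(16)
        self._sessions[session_id] = AuthSession(session_id, ref)
        self._backend[ref] = None
        return ref

    def approve(self, ref: str, identity: str) -> None:
        """Simulate the user approving in the BankID app (backend side)."""
        if ref not in self._backend:
            raise KeyError("unknown ref")
        self._backend[ref] = identity

    def collect_unchecked(self, session_id: str, ref: str) -> Optional[str]:
        """The behaviour this issue reports: the ref in the request is trusted
        as-is, so any completed ref logs in the session that sends it."""
        identity = self._backend.get(ref)
        if identity is not None:
            self._sessions[session_id].user = identity
        return identity

    def collect(self, session_id: str, ref: str) -> Optional[str]:
        """Hardened collect: the ref must equal the one issued to this session.
        Bytes are compared so a non-ASCII request value cannot raise TypeError."""
        session = self._sessions[session_id]
        if not hmac.compare_digest(session.bankid_ref.encode(), ref.encode()):
            raise BankIdRefMismatch("bankidRef does not belong to this session")
        identity = self._backend.get(ref)
        if identity is not None:
            session.user = identity
        return identity


def demo() -> dict:
    """Replay the issue's steps against both collect variants."""
    login = BankIdLogin()
    login.start("sess-A")                 # user A starts (own ref unused)
    ref_b = login.start("sess-B")         # user B starts
    login.approve(ref_b, "user-B")        # B eventually approves in the app

    # A sends B's ref from sess-A: the unchecked variant binds B to A's session.
    hijacked = login.collect_unchecked("sess-A", ref_b)
    try:
        login.collect("sess-A", ref_b)    # hardened variant rejects it
        blocked = False
    except BankIdRefMismatch:
        blocked = True
    legit = login.collect("sess-B", ref_b)  # B's own collect still succeeds
    return {"hijacked": hijacked, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    print(demo())
```

In a Keycloak authenticator the natural place for the ref is a note on the `AuthenticationSessionModel` (written at start, read back on collect) rather than a value taken from the request; the constant-time comparison is not required for a random ref but costs nothing.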