#noauth

Eric Woodruff [MS MVP] (ericonidentity@infosec.exchange)
2025-06-29

Going right from @WEareTROOPERS in Heidelberg to @fwdcloudsec in Denver ✈️ - from one excellent conference to another!

I’m looking forward to speaking Monday @ 2:00pm in track 1 on the dangers of #nOAuth, with some new and tweaked slides and talking points!

#Entra #EntraID #infosec #cybersecurity #mvpbuzz

Image description: A photo taken from a train near Heidelberg, Germany, of a crop field with some brown-green grass and a hazy blue sky with a tint of orange from the sunrise. There is a faint reflection of myself on the window from inside the train car.

Eric Woodruff [MS MVP] (ericonidentity@infosec.exchange)
2025-06-25

At @WEareTROOPERS I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable SaaS applications.

The attack is still alive and well.

You can read all about it here:

#Entra #M365 #infosec

semperis.com/blog/noauth-abuse

2023-06-22

❗️Developers of #AzureAD multi-tenant apps with #SSO based on #OpenIDConnect should take care to use immutable claims (tid + oid) of the JWT token instead of mutable claims (email) to uniquely identify and authorize access for signed-in users. #nOAuth

descope.com/blog/post/noauth
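The claim-selection rule from the post above, as an added example that is not from any of the posts or the linked articles: an account-lookup key derived from the immutable `tid` + `oid` claims beside the email-keyed lookup that nOAuth abuses. The token payloads, GUIDs and function names are constructed for illustration, and signature validation is assumed to have already happened upstream.

```python
import base64
import json


def _decode_payload(jwt: str) -> dict:
    """Return the claims of a JWT. Assumes the signature was verified upstream."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _encode(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string for the constructed samples below."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


def account_key_vulnerable(jwt: str) -> str:
    """nOAuth-prone: keys the account on the email claim, which a tenant admin
    can set to any value, so two different principals can collide."""
    return _decode_payload(jwt)["email"].lower()


def account_key_safe(jwt: str) -> str:
    """Keys the account on tenant id + object id (immutable, issuer-assigned).
    oid is only unique within a tenant, so both claims are required."""
    claims = _decode_payload(jwt)
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        raise ValueError("token lacks immutable tid/oid claims; refuse to map it")
    return f"{tid}:{oid}"


# Constructed sample tokens (placeholder GUIDs, not real tenants or users).
VICTIM = _encode({"tid": "11111111-1111-1111-1111-111111111111",
                  "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
                  "email": "victim@example.com"})
# A principal in a different tenant whose email claim was set to the same value.
OTHER_TENANT = _encode({"tid": "22222222-2222-2222-2222-222222222222",
                        "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
                        "email": "victim@example.com"})
# Same principal as VICTIM after a legitimate email change: must still match.
VICTIM_RENAMED = _encode({"tid": "11111111-1111-1111-1111-111111111111",
                          "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
                          "email": "new.name@example.com"})
```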
