Get remediation support for nOAuth

In June 2023, Descope disclosed an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications. If you believe your app is impacted, fill in the form and our security team will reach out to you.

dark background image for section

Understanding nOAuth

If an app uses “Log in with Microsoft” as an authentication method and chooses the “email” claim as the unique identifier for the user, attackers can exploit this implementation and perform account takeover. Learn how the attack works, its impact, and remediation guidelines below.

nOAuth demo video

Watch this 3-min demo video to see how nOAuth can be exploited to perform account takeover on any app that incorrectly implements "Log in with Microsoft".

More resources

Microsoft advisory

Microsoft has introduced two new claims that developers can use to redact emails that come from non-verified domains.

Microsoft guidance

Following Descope’s disclosure, Microsoft has published a dedicated page on claims validation with strong developer guidance.

Descope guidance

If you are a Descope customer – or are curious about how Descope can help you fix this configuration issue quickly – check out our developer blog below.

Frequently asked questions