Get remediation support for nOAuth

In June 2023, Descope disclosed an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications. If you believe your app is impacted, fill in the form and our security team will reach out to you.

Understanding nOAuth

If an app uses “Log in with Microsoft” as an authentication method and chooses the “email” claim as the unique identifier for the user, attackers can exploit this implementation and perform account takeover. Learn how the attack works, its impact, and remediation guidelines below.

Learn more

nOAuth demo video

Watch this 3-min demo video to see how nOAuth can be exploited to perform account takeover on any app that incorrectly implements "Log in with Microsoft".

More resources

Microsoft advisory

Microsoft has introduced two new claims that developers can use to redact emails that come from non-verified domains.

Microsoft guidance

Following Descope’s disclosure, Microsoft has published a dedicated page on claims validation with strong developer guidance.

Descope guidance

If you are a Descope customer – or are curious about how Descope can help you fix this configuration issue quickly – check out our developer blog below.

Frequently asked questions

In Microsoft Azure AD, the “email” claim returned is mutable and unverified so it cannot be trusted. This means a bad actor can change the Email attribute under “Contact Information” in their Azure AD account to impersonate any victim.

The attacker can then use “Login with Microsoft'' with the email address of their victim. For any app that uses “email” as the unique identifier for Microsoft OAuth, the attacker can perform full account takeover and completely bypass authentication.

Moreover, if an app erroneously merges the attacker’s account with the legitimate user’s account, it can hand full control of the user account over to the attacker, even if the user doesn’t have a Microsoft account.

Following Descope’s disclosure to Microsoft about the issue, they have updated their documentation and have a dedicated section on Claims Validation. This section gives developers all the information they need while implementing authentication.

Microsoft is also introducing two new claims to mitigate cases when nOAuth is used for cross-tenant spoofing. These features will enable apps to verify whether an email claim contains a domain-verified email address and redact email claims when the email domain is unverified. You can learn more in this advisory blog.

We cannot say for sure. We tested nOAuth on most major authentication platforms and found that two platforms merged the accounts without further validation, leading to full account takeover. The two providers in question quickly acknowledged and fixed the issue when we informed them.

We recommend asking your authentication provider how they handle account merging when “Login with Microsoft” is used. You can also fill in the form on this page to reach out to our security team.

If your app uses “Log in with Microsoft” and uses the “email” claim as the unique identifier, an attacker will be able to exploit it with any victim’s email address and perform account takeover.

The “sub” (Subject) claim should be used as the unique identifier for the user. To learn how Descope handles account merging when “Log in with Microsoft” is used, read this developer blog.

You can also use the two new claims introduced by Microsoft to explicitly indicate whether an email claim is from a domain-verified email and redact the email claim if needed, allowing full flexibility for developers with relevant use cases.