Description
The OpenID Connect module provides OpenID Connect authentication for Drupal 7 sites, allowing users to authenticate using external identity providers. The module includes a prompt parameter configuration that controls how the OpenID Connect provider handles authentication requests.
The module added a configuration field through which administrators specify the prompt values (none, login, consent, select_account) that are sent to the OpenID Connect provider with each authentication request. The way this value is validated and forwarded could weaken authentication if the field is misconfigured.
The prompt parameter controls the authentication behavior of the OpenID Connect provider. The "none" value instructs the provider to display no authentication or consent user interface at all; if the provider is configured to honor that request, authentication steps the site expects to be enforced could be skipped.
This vulnerability is mitigated by the fact that only site administrators can configure the prompt parameter, and that the module validates the field so that "none" cannot be combined with other prompt values. The actual impact also depends on the configuration of the external OpenID Connect provider and on whether it honors the prompt parameter in a way that weakens security.
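The prompt handling described above, as an added illustration in plain PHP that is not the module's own code: the function names (example_validate_prompt, example_build_authorization_query, example_callback_outcome) and the sample client values are assumptions made for the example. It validates the administrator-entered string against the four values defined in OpenID Connect Core 1.0 section 3.1.2.1, rejects "none" combined with any other value (the specification treats that combination as an invalid request, which is the check the advisory refers to), and only then appends the parameter to the authorization request. It goes one step beyond the advisory text by also showing the callback check a relying party needs when prompt=none is in use: the provider answers with an error such as login_required or interaction_required instead of a code whenever the user is not already authenticated, and that response must never be treated as a successful login.

```php
<?php
// Added illustration, not the OpenID Connect module's own code. Function names
// and the sample client values below are assumptions made for the example.

/**
 * The prompt values defined by OpenID Connect Core 1.0, section 3.1.2.1.
 */
function example_prompt_values() {
  return array('none', 'login', 'consent', 'select_account');
}

/**
 * Validates a space-delimited prompt string as entered on the settings form.
 *
 * Returns an empty string when the value is acceptable, otherwise an error
 * message. "none" has to stand alone: the specification says a provider must
 * reject "none" combined with any other value, so the form rejects it too.
 */
function example_validate_prompt($raw) {
  $raw = trim($raw);
  if ($raw === '') {
    return '';  // Empty means no prompt parameter is sent at all.
  }
  // Values are case-sensitive ASCII strings separated by spaces.
  $values = preg_split('/\s+/', $raw);
  $unknown = array_diff($values, example_prompt_values());
  if (count($unknown) > 0) {
    return 'Unknown prompt value(s): ' . implode(', ', $unknown);
  }
  if (count($values) !== count(array_unique($values))) {
    return 'Duplicate prompt values are not allowed.';
  }
  if (in_array('none', $values, TRUE) && count($values) > 1) {
    return 'The "none" prompt cannot be combined with other prompt values.';
  }
  return '';
}

/**
 * Builds the authorization request query string. The prompt parameter is
 * appended only when the configured value passes validation, so a stored
 * value that is somehow invalid is dropped rather than forwarded.
 */
function example_build_authorization_query(array $params, $prompt) {
  if ($prompt !== '' && example_validate_prompt($prompt) === '') {
    $params['prompt'] = $prompt;
  }
  return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Classifies the provider's redirect back to the site. With prompt=none the
 * provider answers with an error (login_required, interaction_required,
 * consent_required or account_selection_required) instead of a code whenever
 * the user is not already authenticated, so that response must never be
 * treated as a successful login.
 */
function example_callback_outcome(array $query) {
  if (isset($query['error'])) {
    $interaction = array('login_required', 'interaction_required',
                         'consent_required', 'account_selection_required');
    return in_array($query['error'], $interaction, TRUE) ? 'interaction_required' : 'error';
  }
  return isset($query['code']) ? 'code' : 'error';
}

// Constructed sample inputs.
$params = array(
  'response_type' => 'code',
  'client_id'     => 'example-client',
  'redirect_uri'  => 'https://rp.example/openid-connect/example',
  'scope'         => 'openid email',
  'state'         => 'constructed-state-value',
);

foreach (array('', 'login', 'login consent', 'none', 'none login', 'foo') as $prompt) {
  $error = example_validate_prompt($prompt);
  printf("%-16s %s\n", var_export($prompt, TRUE), $error === '' ? 'ok' : $error);
}
echo example_build_authorization_query($params, 'none'), "\n";
echo example_callback_outcome(array('error' => 'login_required', 'state' => 'constructed-state-value')), "\n";
echo example_callback_outcome(array('code' => 'constructed-code', 'state' => 'constructed-state-value')), "\n";
```

Run it with `php` from the command line. The validation runs in the settings form rather than at request time on purpose: an administrator sees the rejection immediately, and the request builder still refuses to forward anything that would not pass, so a value written to the database by other means cannot reach the provider either.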
Solution
Install the latest version.
If you use the OpenID Connect module for Drupal 7, upgrade to OpenID Connect 7.x-1.5.
Reported by
Fixed by
Coordinated by
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Tag1 D7ES