Overview

If you:
  • Use rules to assign scopes to users based on their email addresses and
  • Your application uses multiple connections
There is a possibility that your scopes could be compromised.

How This Works

Auth0 requires that email addresses are unique on a per-connection basis. However, there are no limitations on a per-application basis. Therefore, it is possible for user A to sign up for the application using one connection and user B to sign up for the application with the same email address using a different connection. If your rules assign scopes to users based on email address, the second user has now been given the same scopes as the first user, despite being a different individual.

How do I fix this?

The most straightforward mitigation is to require users to verify their email address after signing up and before being allowed to log in.