Prevent User Enumeration attempts via bogus login requests when user is a member of multiple Genesys Cloud organizations

Description

Currently, when a login request containing a valid username (email address) is received for a user who is a member of more than one organization and the request does not include an organization name, the authorization service will return a 300 response code (the request has more than one possible response).

Login requests which do not contain a valid username receive a 401 (unauthorized) response.

This information could be used to harvest email addresses for further exploitation (e.g. phishing or brute force attacks).

The change is to provide a 401 (unauthorized) response instead of a 300 response for all login requests where the user is a member of multiple organizations, if the organization name is not included with the request.
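The following is an added illustration, not Genesys Cloud code: a constructed in-memory stand-in for the auth server with the pre-change behaviour (a 300 for a valid multi-organization user who omits the organization name) beside the post-change behaviour (a uniform 401), plus a small regression check a defender can run to confirm that a bogus login for a real address is no longer distinguishable from one for an address that does not exist. The user directory, passwords, and the `login_before`/`login_after`/`is_enumeration_oracle` names are all assumptions made for the example.

```python
"""Constructed model of the login-response change described above.

Not Genesys Cloud code. An in-memory stand-in for an authorization server
showing why a 300 for "valid user, multiple organizations, no organization
given" is a user-enumeration oracle, and what the uniform-401 behaviour
looks like. Status codes follow the announcement (300, 401); 200 is assumed.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample directory: email -> {organization name: password}.
USERS: Dict[str, Dict[str, str]] = {
    "alice@example.com": {"acme": "pw-alice-acme", "globex": "pw-alice-globex"},
    "bob@example.com": {"acme": "pw-bob"},
}

OK, MULTIPLE_CHOICES, UNAUTHORIZED = 200, 300, 401
GENERIC_FAILURE = "Organization name, email address, or password may be invalid."


@dataclass(frozen=True)
class Response:
    status: int
    message: str


def _password_matches(stored: Optional[str], supplied: str) -> bool:
    # Constant-time comparison; a missing stored password never matches.
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), supplied.encode())


def login_before(email: str, password: str, org: Optional[str] = None) -> Response:
    """Pre-change behaviour: multi-org users without an org name get a 300."""
    orgs = USERS.get(email)
    if orgs is None:
        return Response(UNAUTHORIZED, GENERIC_FAILURE)
    if org is None:
        if len(orgs) > 1:
            # Only a valid, multi-org email ever reaches this branch, so the
            # distinct status confirms the address exists: the oracle.
            return Response(MULTIPLE_CHOICES, "Enter an organization name.")
        org = next(iter(orgs))
    if _password_matches(orgs.get(org), password):
        return Response(OK, "ok")
    return Response(UNAUTHORIZED, GENERIC_FAILURE)


def login_after(email: str, password: str, org: Optional[str] = None) -> Response:
    """Post-change behaviour: every failure path returns the same 401."""
    orgs = USERS.get(email)
    if orgs is None:
        return Response(UNAUTHORIZED, GENERIC_FAILURE)
    if org is None:
        if len(orgs) > 1:
            # Same status and message as an unknown user or a bad password.
            return Response(UNAUTHORIZED, GENERIC_FAILURE)
        org = next(iter(orgs))
    if _password_matches(orgs.get(org), password):
        return Response(OK, "ok")
    return Response(UNAUTHORIZED, GENERIC_FAILURE)


LoginFn = Callable[[str, str, Optional[str]], Response]


def is_enumeration_oracle(login: LoginFn, known_email: str) -> bool:
    """Regression check: a bogus login for a known address must be
    indistinguishable (status and message) from one for an address that
    certainly does not exist. Timing side channels are out of scope here."""
    baseline = login("definitely-not-a-user-" + known_email, "bogus", None)
    probe = login(known_email, "bogus", None)
    return (probe.status, probe.message) != (baseline.status, baseline.message)


if __name__ == "__main__":
    for name, fn in (("before", login_before), ("after", login_after)):
        print(name, "alice:", login_before if False else fn("alice@example.com", "bogus", None).status,
              "oracle:", is_enumeration_oracle(fn, "alice@example.com"))
```

Run as a script it prints the status each version returns for a bogus multi-org login and whether the oracle check trips; in a test suite, `is_enumeration_oracle` is the assertion to keep so the distinct-status behaviour cannot silently return.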

Change Category

Informational
API

Change Context

Adherence to security best practices.

Change Impact

All login requests for users who are members of multiple organizations will receive a 401 (unauthorized) response, if the organization name is not included with the request.

These users were previously prompted to enter an organization name; they will now see a message that their organization name, email address, or password may be invalid, and must infer that the failure was due to the omission of the organization name.

Users in a single organization who enter invalid credentials will be prompted with the same failure message, and must infer that the failure was not due to the organization name.

Date of Change

March 11, 2024 (updated from Feb 21st, 2024)

Impacted APIs

This change is limited to the login UI and the APIs that it uses to interact with the auth server.

References

[IAM-2214]
