django-allauth Mutable Identifier Vulnerability in Okta and NetIQ Integration

Vulnerability

A vulnerability exists in django-allauth versions prior to 65.13.0 in the Okta and NetIQ provider integrations. Both providers used the 'preferred_username' claim as the uid of the linked third-party account. That claim is mutable (an identity-provider administrator can change a user's username), so it must not be used to tie an external identity to a local account or to make authorization decisions. Version 65.13.0 switches both providers to the 'sub' claim, which OpenID Connect defines as the stable, never-reassigned subject identifier.

Impact

Because SocialAccount.uid is what links an Okta or NetIQ login to a local Django user, a change of a user's preferred_username on the identity-provider side can cause a login to be matched to a different local account than the one intended. The result is an authorization decision based on a mutable identifier, which can give a user access to, or the ability to act on behalf of, another user's account.

Remediation

Users of django-allauth with Okta or NetIQ integrations should update to version 65.13.0 or later. The fix changes only which claim is used for new logins: existing SocialAccount rows still hold the old preferred_username in SocialAccount.uid and will no longer match until they are relinked. Either populate SocialAccount.uid with the 'sub' value from SocialAccount.extra_data (where the stored claims include it), or, if the mutable-identifier risk is judged acceptable for the deployment, adjust SocialApp.settings so the provider keeps using 'preferred_username'.
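The following is an added example, not code from django-allauth or its advisory. It models the uid matching that links an Okta login to a local user and the one-off relinking of existing rows from 'preferred_username' to 'sub'. SocialAccount rows are plain dicts so the script runs without Django; the provider ids, the sample rows and the rename scenario are constructed, and a real migration would iterate SocialAccount.objects.filter(provider__in=...) and save() each row inside a transaction.

```python
# Added example: uid lookup and uid migration for the preferred_username -> sub change.

# Assumption: provider ids as stored in SocialAccount.provider.
AFFECTED_PROVIDERS = ("okta", "netiq")

# Constructed sample rows. extra_data mirrors the claims allauth stores;
# uid still holds the old preferred_username value.
ACCOUNTS = [
    {"provider": "okta", "uid": "alice", "user_id": 1,
     "extra_data": {"sub": "00u1aaa", "preferred_username": "alice"}},
    {"provider": "okta", "uid": "bob", "user_id": 2,
     "extra_data": {"sub": "00u2bbb", "preferred_username": "bob"}},
    {"provider": "okta", "uid": "carol", "user_id": 3,
     "extra_data": {"preferred_username": "carol"}},   # no 'sub' was stored
    {"provider": "github", "uid": "12345", "user_id": 4,
     "extra_data": {"id": 12345}},                     # unaffected provider
]


def lookup_user(accounts, provider, claims, id_key):
    """Return the user_id whose SocialAccount.uid equals claims[id_key], or None."""
    for acct in accounts:
        if acct["provider"] == provider and acct["uid"] == claims.get(id_key):
            return acct["user_id"]
    return None


def plan_uid_migration(accounts):
    """Compute (old_uid, new_uid) updates plus the rows that need manual review."""
    plan = {"updates": [], "already_migrated": [], "missing_sub": [], "collisions": []}
    # uids currently in use per provider, so an update never violates
    # the (provider, uid) uniqueness of SocialAccount.
    taken = {}
    for acct in accounts:
        taken.setdefault(acct["provider"], set()).add(acct["uid"])
    for acct in accounts:
        if acct["provider"] not in AFFECTED_PROVIDERS:
            continue
        sub = acct["extra_data"].get("sub")
        if not sub:
            plan["missing_sub"].append(acct["uid"])        # relink on next login
            continue
        if acct["uid"] == sub:
            plan["already_migrated"].append(acct["uid"])
            continue
        if sub in taken[acct["provider"]]:
            plan["collisions"].append((acct["uid"], sub))  # another row owns this sub
            continue
        plan["updates"].append((acct["uid"], sub))
        taken[acct["provider"]].add(sub)
    return plan


def apply_plan(accounts, plan):
    """Rewrite uid in place for every planned update; returns the number changed."""
    by_old = dict(plan["updates"])
    changed = 0
    for acct in accounts:
        if acct["provider"] in AFFECTED_PROVIDERS and acct["uid"] in by_old:
            acct["uid"] = by_old[acct["uid"]]
            changed += 1
    return changed


def demo():
    # Constructed scenario: an Okta admin renames Bob's login to "alice"
    # (Alice's old username). Bob's 'sub' does not change.
    bob_claims = {"sub": "00u2bbb", "preferred_username": "alice"}
    # Matching on the mutable claim resolves Bob's login to Alice's account.
    before = lookup_user(ACCOUNTS, "okta", bob_claims, "preferred_username")
    plan = plan_uid_migration(ACCOUNTS)
    apply_plan(ACCOUNTS, plan)
    # After relinking on 'sub', the same login resolves to Bob.
    after = lookup_user(ACCOUNTS, "okta", bob_claims, "sub")
    return before, after, plan


if __name__ == "__main__":
    print(demo())
```

Rows without a stored 'sub' cannot be relinked offline and are reported separately; those users will match again only once they log in under the new claim, so review that list before running the migration rather than guessing a value.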

Added: Dec 15, 2025, 2:26 PM
Updated: Dec 15, 2025, 7:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 1.5
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.