Tinyauth OIDC Token Endpoint Client ID Validation Vulnerability
Vulnerability
A vulnerability exists in Tinyauth versions prior to 5.0.3, where the OIDC token endpoint fails to verify that the client exchanging an authorization code is the same client to which that code was issued. The endpoint authenticates the requesting client, but it never compares the presented client_id against the client recorded when the code was created. A malicious operator of any registered OIDC client can therefore use their own client credentials to redeem an authorization code issued to a different client and receive tokens for a user who never authorized their application. This omits the check required by RFC 6749 Section 4.1.3, which states that the authorization server must ensure the authorization code was issued to the authenticated client (or, for a public client, to the client_id in the request).
Impact
Exploitation of this vulnerability allows unauthorized token acquisition: an attacker who controls any client registered with a Tinyauth instance can obtain access tokens for users of any other client on that same instance, and so impersonate those users across OIDC clients.
Reproduction
To reproduce this vulnerability, log in as a user and complete the authorization flow with Client A to obtain an authorization code. Then submit that code to the OIDC token endpoint using Client B's client_id and client_secret. Prior to 5.0.3 the endpoint accepts the exchange and returns access tokens for a user who only authorized Client A; a correct implementation rejects the request with an invalid_grant error because the code was not issued to Client B.
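The following Go program is an added illustration, not Tinyauth's code, modelling the missing check described above and the reproduction steps. It builds a minimal in-memory authorization server with two constructed clients ("client-a" and "client-b") and a constructed user ("alice"), runs the token exchange once without the client-binding check (the pre-5.0.3 behaviour as the advisory describes it) and once with it, and shows that only the unpatched variant hands Client B a token for a user who authorized Client A. All type and function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed in-memory model of an OIDC provider; not Tinyauth's own types or code.
type Client struct{ ID, Secret string }

// authCode records which client a code was issued to and which user consented.
type authCode struct {
	ClientID, UserID string
	Used             bool
}

type Provider struct {
	clients map[string]Client
	codes   map[string]*authCode
}

func NewProvider(clients ...Client) *Provider {
	p := &Provider{clients: map[string]Client{}, codes: map[string]*authCode{}}
	for _, c := range clients {
		p.clients[c.ID] = c
	}
	return p
}

// IssueCode models the authorization endpoint: the logged-in user consents to
// clientID, and the code is bound to that client at issuance.
func (p *Provider) IssueCode(clientID, userID string) (string, error) {
	if _, ok := p.clients[clientID]; !ok {
		return "", errors.New("unauthorized_client")
	}
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	code := hex.EncodeToString(buf)
	p.codes[code] = &authCode{ClientID: clientID, UserID: userID}
	return code, nil
}

// exchange is the token endpoint; bindToClient toggles the check the advisory says was missing.
func (p *Provider) exchange(code, clientID, clientSecret string, bindToClient bool) (string, error) {
	c, ok := p.clients[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(c.Secret), []byte(clientSecret)) != 1 {
		return "", errors.New("invalid_client")
	}
	ac, ok := p.codes[code]
	if !ok || ac.Used {
		return "", errors.New("invalid_grant")
	}
	ac.Used = true // single use, whether or not the exchange succeeds
	// RFC 6749 section 4.1.3: the code must have been issued to the client now redeeming it.
	if bindToClient && ac.ClientID != clientID {
		return "", errors.New("invalid_grant")
	}
	return "access-token-for:" + ac.UserID, nil
}

// ExchangeVulnerable models the pre-5.0.3 behaviour: the client is authenticated,
// but nothing ties the code back to the client that received it.
func (p *Provider) ExchangeVulnerable(code, clientID, clientSecret string) (string, error) {
	return p.exchange(code, clientID, clientSecret, false)
}

// ExchangeFixed is the same endpoint with the client-binding check enabled.
func (p *Provider) ExchangeFixed(code, clientID, clientSecret string) (string, error) {
	return p.exchange(code, clientID, clientSecret, true)
}

// Result holds the outcome of the advisory's reproduction steps against both variants.
type Result struct {
	VulnerableToken string // what Client B obtains from the unpatched endpoint
	FixedErr        string // what Client B gets back from the patched endpoint
	FixedLegitToken string // what Client A itself still obtains from the patched endpoint
}

// Reproduce follows the advisory: "alice" authorizes Client A, then Client B
// redeems Client A's code with its own credentials. Client names are constructed.
func Reproduce() Result {
	a, b := Client{"client-a", "secret-a"}, Client{"client-b", "secret-b"}
	var r Result

	p := NewProvider(a, b)
	code, _ := p.IssueCode(a.ID, "alice")
	r.VulnerableToken, _ = p.ExchangeVulnerable(code, b.ID, b.Secret)

	p = NewProvider(a, b)
	code, _ = p.IssueCode(a.ID, "alice")
	if _, err := p.ExchangeFixed(code, b.ID, b.Secret); err != nil {
		r.FixedErr = err.Error()
	}
	code, _ = p.IssueCode(a.ID, "alice")
	r.FixedLegitToken, _ = p.ExchangeFixed(code, a.ID, a.Secret)
	return r
}

func main() {
	r := Reproduce()
	fmt.Printf("unpatched: Client B received %q\n", r.VulnerableToken)
	fmt.Printf("patched:   Client B received %q; Client A received %q\n", r.FixedErr, r.FixedLegitToken)
}
```

The fix is a single comparison at the token endpoint, but it only works if the issuing client_id is stored alongside the code at authorization time; a server that keys codes by value alone has nothing to compare against. Note also that the mismatch is reported with the generic invalid_grant error and the code is consumed, so a failed cross-client attempt does not leak which client the code belonged to and cannot be replayed afterwards.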
Remediation
Users are advised to update Tinyauth to version 5.0.3 or later.
