Everything you need to know about the nOAuth Microsoft Azure AD vulnerability
Blog post from WorkOS
The nOAuth vulnerability in Microsoft Azure AD OAuth applications allows an attacker to completely take over a user's account by exploiting how the `email` claim is handled when an application treats it as a unique identifier. The takeover is possible when a third-party application uses the mutable and unverified `email` claim without any validation or verification step of its own. To mitigate this vulnerability, Microsoft has introduced two new claims to improve security, while developers are advised never to use the `email` claim for authentication or authorization decisions and instead to rely on the `sub` claim as the unique identifier for users. Additionally, some companies, such as WorkOS, have implemented email verification processes to prevent such vulnerabilities.
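To make the difference concrete, here is an added example (not code from the WorkOS post, from Microsoft, or from any real relying party) that contrasts the vulnerable account lookup with the hardened one. It assumes a hypothetical relying-party application that already verified the ID token signature and now has to map the claims to a local account; every tenant URL, subject id, address and user id in it is constructed for the demonstration.

```python
"""Added example, not code from the WorkOS post or from Microsoft: shows why
keying local accounts on the `email` claim of an Azure AD ID token is unsafe
and how keying on the issuer plus `sub` claim prevents the takeover. Every
tenant id, subject id, address and user id below is constructed."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed issuer URLs: tenant A is the victim's organisation, tenant B is
# one the attacker administers (and can therefore edit user attributes in).
TENANT_A = "https://login.microsoftonline.com/tenant-a-0000/v2.0"
TENANT_B = "https://login.microsoftonline.com/tenant-b-0000/v2.0"


@dataclass
class User:
    user_id: str
    email: str
    # Stable identities for this account: (issuer, subject) pairs seen at sign-in.
    identities: Set[Tuple[str, str]] = field(default_factory=set)


# Constructed user store of the hypothetical relying-party application.
USERS: Dict[str, User] = {
    "u-100": User("u-100", "alice@example.com", {(TENANT_A, "sub-alice-0001")}),
}

# Constructed claim sets as the OIDC library would hand them over after
# signature verification. The attacker set the mutable email attribute of
# their own tenant-B user to the victim's address; `iss` and `sub` are
# issued by Microsoft and cannot be chosen by the attacker.
VICTIM_CLAIMS = {"iss": TENANT_A, "sub": "sub-alice-0001", "email": "alice@example.com"}
ATTACKER_CLAIMS = {"iss": TENANT_B, "sub": "sub-mallory-0001", "email": "alice@example.com"}


def find_by_email(claims: dict) -> Optional[User]:
    """Vulnerable pattern: trusts the mutable, unverified `email` claim."""
    email = (claims.get("email") or "").lower()
    return next((u for u in USERS.values() if u.email.lower() == email), None)


def find_by_subject(claims: dict) -> Optional[User]:
    """Hardened pattern: matches on (iss, sub), which is stable and not user-editable."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        return None
    return next((u for u in USERS.values() if (iss, sub) in u.identities), None)


def login(claims: dict) -> Tuple[str, str]:
    """Hardened sign-in: resolve the account by subject; on a miss, provision a
    fresh account rather than silently linking to an existing one by email.
    Returns ("existing" | "new", user_id)."""
    user = find_by_subject(claims)
    if user:
        return ("existing", user.user_id)
    new_id = f"u-{100 + len(USERS)}"
    USERS[new_id] = User(new_id, claims.get("email", ""), {(claims["iss"], claims["sub"])})
    return ("new", new_id)


if __name__ == "__main__":
    print("vulnerable lookup, attacker token:", find_by_email(ATTACKER_CLAIMS))
    print("hardened lookup, attacker token:  ", find_by_subject(ATTACKER_CLAIMS))
    print("hardened login, attacker token:   ", login(ATTACKER_CLAIMS))
```

With the vulnerable lookup the attacker's token resolves to Alice's account purely because the email strings match; with the subject-based lookup it resolves to nothing, and the hardened `login` provisions a separate account instead of merging the two. If an application needs to link a new subject to an existing account by address, that link should happen only after the application has verified the address itself, which is the email verification step the post attributes to WorkOS.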