OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. It provides a standard way for an application to verify a user’s identity using an external identity provider (IdP). The IdP issues an ID token — typically a signed JSON Web Token (JWT) — that asserts who the user is and includes claims such as iss (issuer), sub (subject), aud (audience), exp (expiration) and iat (issued-at).
Typical flow and responsibilities
- Actors: the client (application), the identity provider (IdP), and the resource or relying party (application server).
- Process: the client directs the user to the IdP to authenticate; the IdP returns an ID token (and usually an access token) to the client. The relying party accepts the ID token as proof of identity only after validating it.
Essential validation steps (server-side)
- Verify the token signature against the IdP’s public keys.
- Confirm `iss` equals the configured IdP URL and `aud` contains the expected client id.
- Confirm `exp` has not passed and `iat` is reasonable.
- Verify `nonce` when the flow requires it and enforce exact `redirect_uri` matching during authorization.
- Treat access tokens and ID tokens as different artifacts: validate each according to its purpose and do not assume an access token implies identity verification.
Common implementation errors
- Accepting unsigned or improperly signed tokens (including `alg: none`).
- Failing to check `iss`/`aud` claims or accepting tokens from untrusted issuers.
- Allowing weak `redirect_uri` matching (partial matches or wildcards).
- Using client-supplied parameters as identity without validating token provenance.
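The validation steps above and the implementation errors they guard against, worked as one relying-party verifier in Go. This is an added example written for this page; it is not code from the OIDC specification, from any IdP library, or from the Claroty product discussed below. It assumes the IdP signs ID tokens with RS256 (RSA PKCS#1 v1.5 over SHA-256), generates the key pair in-process instead of fetching it from the IdP's JWKS endpoint, and uses constructed values for the issuer URL, client id, nonce and clock. The checks run in the order that matters: the algorithm is pinned by the verifier rather than read from the header (so `alg: none` and algorithm-confusion tokens fail at the first gate), the signature is checked before any claim is read, and only then are `iss`, `aud`, `exp`, `iat` and `nonce` compared against the configured expectations.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Expectations is what the relying party configured out of band (the values used below are constructed for this example).
type Expectations struct {
	Issuer   string // trusted IdP issuer URL, compared exactly with iss
	ClientID string // this RP's client id; must appear in aud
	Nonce    string // nonce bound to the authorization request; "" if the flow does not use one
	Now      int64  // current unix time, injected so the checks are deterministic
}

const skew int64 = 30 // seconds of tolerated clock skew for exp and iat
var enc = base64.RawURLEncoding

func decodeJSON(segment string, v any) error {
	raw, err := enc.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignRS256 plays the IdP: it issues an ID token over claims with its private key.
func SignRS256(claims map[string]any, key *rsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyIDToken runs the relying party's checks in order: pinned alg, signature, then iss, aud, exp, iat and nonce.
func VerifyIDToken(token string, pub *rsa.PublicKey, want Expectations) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg string }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return "", err
	}
	// The verifier chooses the algorithm, never the header: this one check rejects "alg: none" and algorithm confusion.
	if hdr.Alg != "RS256" {
		return "", errors.New("unsupported alg; only RS256 is accepted")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return "", errors.New("signature verification failed")
	}
	// Claims are read only after the signature passed; aud may be a string or an array (OIDC Core 1.0).
	var c struct{ Iss, Sub, Nonce string; Exp, Iat int64; Aud any }
	if err := decodeJSON(parts[1], &c); err != nil {
		return "", err
	}
	switch {
	case c.Iss != want.Issuer:
		return "", errors.New("iss is not the configured IdP")
	case !audienceContains(c.Aud, want.ClientID):
		return "", errors.New("aud does not contain this client id")
	case c.Exp == 0 || want.Now >= c.Exp+skew:
		return "", errors.New("token expired or exp missing")
	case c.Iat == 0 || c.Iat > want.Now+skew:
		return "", errors.New("iat missing or in the future")
	case want.Nonce != "" && c.Nonce != want.Nonce:
		return "", errors.New("nonce mismatch")
	}
	return c.Sub, nil
}

func audienceContains(aud any, clientID string) bool {
	list, ok := aud.([]any)
	if !ok {
		list = []any{aud} // single-string form of aud
	}
	for _, a := range list {
		if a == clientID {
			return true
		}
	}
	return false
}
```

In a deployment the public key comes from the IdP's published key set, selected by the token's `kid`, but the header's `alg` must still never select the verification method; the pinned comparison stays. The exact `redirect_uri` match belongs at the authorization request step, before any token exists, and is a plain string equality against the registered list rather than a prefix or pattern match. Note also that nothing here treats an access token as identity: only an ID token that passes every check yields a subject.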
CVE-2025-54603 (Claroty SRA) — factual link
CVE-2025-54603 is an authentication-bypass vulnerability in Claroty Secure Remote Access (SRA) affecting versions reported as 3.3.0 through 4.0.2. Public summaries attribute the root cause to an incorrect implementation of the OIDC authentication flow.
Reporting states the flaw allowed unauthenticated actors to create administrative users or impersonate OIDC users and to bypass multi-factor authentication in some configurations. Researchers described the exploit as reliable once the specific fields to manipulate were known.
Mitigation stated in advisories
Public advisories and the NVD record indicate the vendor patch is the required mitigation. Reports note that disabling OIDC alone did not remove the vulnerability.
Sources and evidence
- NVD CVE-2025-54603: https://nvd.nist.gov/vuln/detail/CVE-2025-54603
- Limes Security write-up: https://limessecurity.com/en/breaching-the-ot-perimeter-authentication-bypass-in-claroty-secure-remote-access-cve-2025-54603/
- Cyberwarzone coverage: https://cyberwarzone.com/2025/10/31/critical-authentication-bypass-vulnerability-patched-in-claroty-sra-products/
- OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html
- OAuth 2.0 (RFC 6749): https://datatracker.ietf.org/doc/html/rfc6749