Standardized Authentication Error Responses and New Error Code AUTH-3001
- Services: IAM
- Release Date: May 01, 2026
Context
User enumeration is a security vulnerability that lets an attacker determine whether a username (or account) exists in a system. It occurs when the system returns different error messages for cases such as a valid username, an invalid username, a locked user, or a disabled user; these variations unintentionally expose account information. To prevent it, return the same generic error message for all authentication failures.
Issue identification
A third-party security assessment identified a user enumeration vulnerability in an Oracle Cloud endpoint: differing error messages reveal whether a username is valid. This high-severity issue requires prompt remediation: standardized error responses and safeguards to prevent misuse.
Mitigation
To address this issue, OCI IAM has standardized authentication error responses. As part of this change, specific error messages and codes such as FEDERATED_USER, USER_NOTFOUND, USER_DISABLED_RESPONSE, and USER_NOT_ACTIVE_RESPONSE have been replaced with a single generic error response: INVALID_CREDENTIALS.
Customer action
Update your applications to handle the generic error response INVALID_CREDENTIALS and the new error code AUTH-3001 in place of the specific codes listed above.
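The change described in Context and Mitigation, as an added example that is not OCI code: a "before" login handler whose failure paths return the specific codes listed above, an "after" handler that returns only INVALID_CREDENTIALS with code AUTH-3001, and a regression check that every failed attempt yields an identical body. The sample accounts, the response body layout, and the function names are assumptions.

```python
import hmac
import json
from dataclasses import dataclass

@dataclass
class Account:
    password: str            # plain text only for this demo; real systems compare a stored hash
    federated: bool = False
    disabled: bool = False
    active: bool = True

ACCOUNTS = {  # constructed sample directory: hypothetical accounts, no real credentials
    "alice": Account(password="s3cret"),
    "bob": Account(password="pw", disabled=True),
    "carol": Account(password="pw", federated=True),
    "dave": Account(password="pw", active=False),
}

GENERIC_FAILURE = {"code": "AUTH-3001", "message": "INVALID_CREDENTIALS"}  # assumed layout, not OCI's

def login_leaky(username: str, password: str) -> dict:
    """'Before': each failure has its own code, so the body reveals account existence and state."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return {"code": "USER_NOTFOUND"}
    if acct.federated:
        return {"code": "FEDERATED_USER"}
    if acct.disabled:
        return {"code": "USER_DISABLED_RESPONSE"}
    if not acct.active:
        return {"code": "USER_NOT_ACTIVE_RESPONSE"}
    if not hmac.compare_digest(acct.password.encode(), password.encode()):
        return {"code": "INVALID_CREDENTIALS"}
    return {"code": "OK"}

def login_standardized(username: str, password: str) -> dict:
    """'After': every failure collapses to one generic body; the real reason belongs in server-side logs only."""
    acct = ACCOUNTS.get(username, Account(password=""))  # dummy account keeps the compare step uniform
    usable = username in ACCOUNTS and not acct.federated and not acct.disabled and acct.active
    if hmac.compare_digest(acct.password.encode(), password.encode()) and usable:
        return {"code": "OK"}
    return dict(GENERIC_FAILURE)

# Constructed failed attempts: unknown, disabled, federated, inactive and wrong-password cases.
ATTEMPTS = [("nobody", "pw"), ("bob", "pw"), ("carol", "pw"), ("dave", "pw"), ("alice", "wrong")]

def failure_responses_identical(handler, attempts) -> bool:
    """Defender's regression check: all failed attempts must produce exactly one distinct body."""
    bodies = {json.dumps(handler(u, p), sort_keys=True) for u, p in attempts}
    return len(bodies) == 1
```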