OneLogin, Many Issues: How I Pivoted from a Trial Tenant to Compromising Customer Signing Keys
ID: 9eb56791-8ed5-52b8-9f6f-82c1fba50d36
STIX ID: report--9eb56791-8ed5-52b8-9f6f-82c1fba50d36
Feed Name: SpecterOps Blog
A security researcher discovered that OneLogin's AD Connector exposed sensitive configuration data — including directory tokens, an API key, a base64 signing key used to sign JWTs, and AWS credentials — via an ADC configuration API and customer logs sent to an unclaimed S3 bucket. Using those artifacts the researcher was able to generate valid JWTs to impersonate arbitrary users in affected OneLogin tenants and access assigned applications; the researcher claimed the S3 bucket, confirmed another customer's data was leaking there, and engaged in coordinated disclosure with OneLogin while providing defensive guidance.
