{
  "same_root_cause": true,
  "confidence": "high",
  "parent_trigger": {
    "entrypoint": "generic OIDC authorization-code flow via GET /auth/v1/account/oidc_get then /oidc?code=...&state=...",
    "token_delivery": "SimpleHelp exchanges code at token endpoint and receives forged id_token",
    "sink": "OIDCAuthenticator / ProxyServerAuthentication group-authenticated technician login"
  },
  "variant_trigger": {
    "entrypoint": "Azure/Entra direct ID-token flow via GET /auth/v1/account/oidc_get then POST /oidc form_post id_token",
    "token_delivery": "attacker posts forged id_token directly with server-issued state/nonce",
    "sink": "OIDCAuthenticator / ProxyServerAuthentication group-authenticated technician login"
  },
  "equivalence_basis": [
    "Both flows consume an attacker-controlled ID token at the SimpleHelp /oidc callback trust boundary.",
    "Both vulnerable flows use parsed IDToken claims for group-authenticated technician login before cryptographic signature verification.",
    "Both flows create FULLY_AUTHENTICATED technician sessions on SimpleHelp 5.5.15.",
    "Both flows are rejected by SimpleHelp 5.5.16 where IDTokenVerifier classes are present."
  ],
  "difference_basis": [
    "Parent generic OIDC uses authorization-code callback and token endpoint exchange.",
    "Variant Azure/Entra path uses response_type=id_token and response_mode=form_post, so the forged token is submitted directly to /oidc."
  ],
  "fixed_bypass": false
}
