The Authentication component is new to Drupal 8 and has several documented bugs.
Once the known bugs and API is in a reasonable state it should be security audited prior to a release candidate as well has writing documentation on the security model.
This issue is blocked on 🌱 [meta] Finalize Session and User Authentication API Active .
Active
11.0 🔥
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
