<div dir="ltr"><div>Hi!</div><div><br></div><div>This would be really useful!</div><div><br></div><div>In my opinion email addresses should be enforced also when using identity providers and the email address originates from, for example, Google. Combined with whitelisting you could then restrict users to a specific Google Apps domain(s).</div><div><br></div><div>Best regards,</div><div>Thomas</div><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 24, 2016 at 12:49 PM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+1 to create JIRA for it and have it somehow available OOTB.<br>
<br>
As you mentioned, you can already customize the registration flow and add<br>
custom validation. But ATM this doesn't apply to account updates. So if an<br>
attacker registers with some "valid" email, but then logs in to account<br>
management and changes the email to "<a href="mailto:evil@blacklisted.com">evil@blacklisted.com</a>", the validation<br>
won't be applied.<br>
<br>
Also the validation won't be applied to users registered through social,<br>
so if you have "review profile" enabled, the attacker can register with<br>
some valid Facebook account, but then change the email to<br>
"<a href="mailto:evil@blacklisted.com">evil@blacklisted.com</a>" on the ReviewProfile page. This can be caught<br>
again by creating a custom authenticator for the firstBrokerLogin flow. The bad<br>
thing is that you need a separate validator for registration and a separate<br>
one for social (and the account update is still not handled).<br>
<br>
AFAIK we have a JIRA to allow easily configuring a set of validators for some<br>
fields, where the validator will be applied to all 3 use cases like:<br>
- registration<br>
- account update<br>
- update profile required action (applies to reviewProfile after social too)<br>
<br>
This will allow that, for example, you can specify a regex for the<br>
"birthDay" field in one place in the Keycloak admin console and the same<br>
validator for the "birthDay" field will be applied in all 3 places. We can<br>
have the same type of validator for email blacklisting/whitelisting IMO.<br>
<span class="HOEnZb"><font color="#888888"><br>
Marek<br>
</font></span><span class="im HOEnZb"><br>
<br>
On 24/02/16 11:00, Vlastimil Elias wrote:<br>
> Hi,<br>
><br>
> Is there this feature (I was not able to find it) in Keycloak or is it<br>
> planned (I was not able to find it in JIRA)?<br>
><br>
> It is extremely useful (mainly blacklisting) in some cases. E.g.<br>
> yesterday we fought spammers in one of our public systems. Spammers<br>
> registered lots of new users using a disposable email service and then<br>
> used them to create spam content. We blacklisted the domains used by the<br>
> disposable email service from registration, which stopped the spammers<br>
> immediately.<br>
> We do not use Keycloak there yet, but maybe in the future. The current system we<br>
> use has blacklisting available OOTB.<br>
><br>
> Registration email whitelisting may be useful if you create a service for<br>
> e.g. your employees only, and want them to register there with company<br>
> emails only.<br>
><br>
> I think it should be possible to add a new step into the "Registration" flow<br>
> to perform this blacklisting; we can probably do it ourselves, but it<br>
> would be cool to have this very useful feature present in Keycloak<br>
> out of the box.<br>
><br>
> WDYT about this feature, can I create a JIRA feature request for it?<br>
><br>
> Vlastimil<br>
><br>
<br>
</span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
</div></div></blockquote></div><br><br>
</div></div>
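A custom FormAction for the registration flow of the kind Marek describes, added here as an illustration; it is not code from Keycloak or from anyone in this thread. The class name, the comma-separated "blockedDomains" authenticator config key and the FormActionFactory that would register it (omitted) are assumptions; the imports follow the Keycloak 1.x SPI of this thread's date. As the thread points out, a step in the registration flow covers registration only, not account updates or the social review-profile page.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.FormAction;
import org.keycloak.authentication.FormContext;
import org.keycloak.authentication.ValidationContext;
import org.keycloak.events.Errors;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;

public class EmailDomainBlocklistFormAction implements FormAction {
    // Hypothetical authenticator config key: comma-separated list of blocked domains.
    static final String CONFIG_BLOCKED_DOMAINS = "blockedDomains";

    // Pure check, kept apart from the SPI so the same rule can be applied at other entry points.
    static boolean isBlocked(String email, Set<String> blockedDomains) {
        if (email == null) return true;                       // no email at all: reject
        int at = email.lastIndexOf('@');
        if (at < 0 || at == email.length() - 1) return true;  // malformed: reject
        String domain = email.substring(at + 1).trim().toLowerCase(Locale.ROOT);
        for (String blocked : blockedDomains) {               // exact domain or any subdomain
            if (domain.equals(blocked) || domain.endsWith("." + blocked)) return true;
        }
        return false;
    }

    @Override
    public void validate(ValidationContext context) {
        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        Set<String> blocked = new HashSet<>();
        if (context.getAuthenticatorConfig() != null) {       // null when no config is attached
            String raw = context.getAuthenticatorConfig().getConfig().get(CONFIG_BLOCKED_DOMAINS);
            if (raw != null) for (String d : raw.split(",")) blocked.add(d.trim().toLowerCase(Locale.ROOT));
        }
        if (isBlocked(formData.getFirst("email"), blocked)) {
            context.error(Errors.INVALID_REGISTRATION);        // recorded in the login event for auditing
            context.validationError(formData, Collections.singletonList(new FormMessage("email", "invalidEmailMessage")));
            return;
        }
        context.success();
    }

    @Override public void buildPage(FormContext context, LoginFormsProvider form) { }
    @Override public void success(FormContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The subdomain match means a blocklist entry of blacklisted.com also rejects mail.blacklisted.com, so the check is not bypassed by a host prefix; the same isBlocked rule would have to be invoked again from an account-update validator to close the gap the thread describes.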