<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">You mean that if in keycloak database
is already existing user <a class="moz-txt-link-rfc2396E" href="mailto:john@gmail.com">"john@gmail.com"</a> and you authenticate the
same user <a class="moz-txt-link-rfc2396E" href="mailto:john@gmail.com">"john@gmail.com"</a> with google identity provider, you want
to automatically link google provider with this keycloak account?<br>
<br>
We didn't want to support this OOTB because of possible security
implications. For example if identity provider doesn't verify
emails, you can see security issues similar to this:<br>
- There is user <a class="moz-txt-link-rfc2396E" href="mailto:john@gmail.com">"john@gmail.com"</a> in keycloak<br>
- Attacker registers the account on identity provider side with
email <a class="moz-txt-link-rfc2396E" href="mailto:john@gmail.com">"john@gmail.com"</a> . If identity provider doesn't verify
emails, attacker can easily do it.<br>
- Now attacker login to keycloak with identity provider and
keycloak will automatically link with the existing keycloak
account <a class="moz-txt-link-rfc2396E" href="mailto:john@gmail.com">"john@gmail.com"</a> . So now attacker was able to login to
keycloak as user <a class="moz-txt-link-rfc2396E" href="mailto:john@gmail.com">"john@gmail.com"</a> because 3rd party identity
provider didn't verify emails and accounts were linked
automatically just based on emails.<br>
<br>
You can admit that this one issue doesn't exist in case that
identity provider properly verify emails. However there are still
in theory some other issues...<br>
<br>
So feel free to implement your own authenticator, which will do
the linking automatically based on email and then configure "first
broker login" flow with your authenticator. See docs for "First
broker login" and "Authentication SPI" for more details. <br>
<br>
Also feel free to create JIRA if you really want this OOTB. We may
eventually add it if there is big requirement for this. However we
will never change the default "first broker login" flow to behave
like this and automatically link accounts.<br>
<br>
Marek<br>
<br>
On 17/06/16 08:46, Harits Elfahmi wrote:<br>
</div>
<blockquote
cite="mid:CAG_KPw2F_LZXk6MWCjqit1rCQfb3NshfKkz7at556iBSax-LMg@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>Currently we use google login using the identity provider
in keycloak. The first broker login states that we must verify
existing account and then reauthenticate using user password
form. Is it possible to use the already available
executions/flows and skip the reauthentication part? </div>
<div><br>
</div>
<div>So if the google email already exist in a keycloak account,
we allow them to login without the form.</div>
<div><br>
</div>
<div>Or must we create a custom execution? Is it possible using
custom execution?</div>
<div>
<div><br>
</div>
<div>Thanks</div>
-- <br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>Cheers,</div>
<div><b><br>
</b></div>
<div><b>Harits</b> Elfahmi</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</body>
</html>