<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">The linking is done in
IdentityBrokerService once the firstBrokerLogin flow is finished.
I suggest looking at the sources of the existing authenticators in
firstBrokerLogin and at IdentityBrokerService.<br>
<br>
Good luck,<br>
Marek<br>
<br>
On 15/09/16 02:13, Harits Elfahmi wrote:<br>
</div>
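<div>An added example, not code from this thread and not Keycloak's own: a custom first-broker-login execution that performs the automatic email-based link discussed here, but refuses it unless the identity provider is configured with "Trust Email" and the existing account's email is already verified, which closes the unverified-email takeover Marek describes in the quoted message. It assumes the Keycloak Authentication SPI classes named in the imports (method names such as getAuthenticationSession have changed between Keycloak releases) and a hypothetical package; the matching AuthenticatorFactory and its META-INF/services registration are not shown.</div>

```java
package com.example.keycloak.broker; // hypothetical package, not part of Keycloak

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Links a brokered login to the colliding Keycloak account without the "verify existing
// account" step, but only when both sides vouch for the email address. The federated
// identity itself is still attached by IdentityBrokerService after the flow succeeds;
// this execution only decides which local user the flow completes for.
public class TrustedEmailAutoLinkAuthenticator extends AbstractIdpAuthenticator {

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        // Set earlier in the flow by the "create user if unique" execution when it
        // found a local account that collides with the brokered identity.
        UserModel existingUser = getExistingUser(session, realm, context.getAuthenticationSession());

        String brokeredEmail = brokerContext.getEmail();
        boolean idpTrustsEmail = brokerContext.getIdpConfig().isTrustEmail(); // "Trust Email" IdP setting
        boolean emailsMatch = brokeredEmail != null && existingUser.getEmail() != null
                && brokeredEmail.equalsIgnoreCase(existingUser.getEmail());

        if (idpTrustsEmail && emailsMatch && existingUser.isEmailVerified()) {
            context.setUser(existingUser);   // link without re-authentication
            context.success();
        } else {
            // Unverified on either side: leave the default verification executions
            // (email verification or username-password form) to run after this one.
            context.attempted();
        }
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) { /* no form to process */ }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
}
```

<div>Place it in a copy of the "first broker login" flow before the "Handle Existing Account" subflow, so that the default executions remain the fallback whenever the checks above do not pass.</div>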
<blockquote
cite="mid:CAG_KPw1GWwt7GWmPZkwGNgQr7kDQ9PcNgjz_nrn_oSjcROQ-mA@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Marek,
<div><br>
</div>
<div>Any pointer on this? I've looked through the source code,
but can't seem to find the place where it does the actual
linking. Must I replace the entire default First Broker Login
flow, or is it possible to just make some changes to some of
its authenticators?</div>
<div><br>
</div>
<div>Thanks</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-06-21 13:08 GMT+07:00 Marek
Posolda <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>You mean that if there is already an existing user <a moz-do-not-send="true"
href="mailto:john@gmail.com" target="_blank">"john@gmail.com"</a>
in the keycloak database and you authenticate the same user <a
moz-do-not-send="true" href="mailto:john@gmail.com"
target="_blank">"john@gmail.com"</a> with the google
identity provider, you want to automatically link the google
provider with this keycloak account?<br>
<br>
We didn't want to support this OOTB because of possible
security implications. For example, if the identity provider
doesn't verify emails, you can see security issues
similar to this:<br>
- There is a user <a moz-do-not-send="true"
href="mailto:john@gmail.com" target="_blank">"john@gmail.com"</a>
in keycloak.<br>
- The attacker registers an account on the identity provider
side with the email <a moz-do-not-send="true"
href="mailto:john@gmail.com" target="_blank">"john@gmail.com"</a>.
If the identity provider doesn't verify emails, the attacker
can easily do it.<br>
- Now the attacker logs in to keycloak with the identity provider,
and keycloak automatically links it with the existing
keycloak account <a moz-do-not-send="true"
href="mailto:john@gmail.com" target="_blank">"john@gmail.com"</a>.
So now the attacker was able to log in to keycloak as user
<a moz-do-not-send="true" href="mailto:john@gmail.com"
target="_blank">"john@gmail.com"</a> because the 3rd party
identity provider didn't verify emails and the accounts were
linked automatically based on emails alone.<br>
<br>
Admittedly, this particular issue doesn't exist if the
identity provider properly verifies emails. However,
in theory there are still some other issues...<br>
<br>
So feel free to implement your own authenticator, which
will do the linking automatically based on email, and
then configure the "first broker login" flow with your
authenticator. See the docs for "First broker login" and
"Authentication SPI" for more details. <br>
<br>
Also feel free to create a JIRA if you really want this
OOTB. We may eventually add it if there is a big
requirement for it. However, we will never change the
default "first broker login" flow to behave like this
and link accounts automatically.<br>
<br>
Marek
<div>
<div class="h5"><br>
<br>
On 17/06/16 08:46, Harits Elfahmi wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">Hello,
<div><br>
</div>
<div>Currently we use google login through the
identity provider in keycloak. The first broker
login flow requires that we verify the existing
account and then reauthenticate using the username
password form. Is it possible to use the already
available executions/flows and skip the
reauthentication part? </div>
<div><br>
</div>
<div>So if the google email already exists in a
keycloak account, we allow them to log in without
the form.</div>
<div><br>
</div>
<div>Or must we create a custom execution? Is it
possible using a custom execution?</div>
<div>
<div><br>
</div>
<div>Thanks</div>
-- <br>
<div data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>Cheers,</div>
<div><b><br>
</b></div>
<div><b>Harits</b> Elfahmi</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a moz-do-not-send="true" href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
</div>
</blockquote></div>
<div>
</div>--
<div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Cheers,</div><div><b>
</b></div><div><b>Harits</b> Elfahmi</div></div></div></div></div>
</div>
</blockquote><p>
</p></body></html>