Hi,
you are right, it would be better to have a common set of
blacklisted/whitelisted domains for all user profile related actions
(register, update profile), so it is similar to user profile attribute
validation. But as it is not a common validation I'll create a new Feature
Request in JIRA for this (and probably link it to the common user
attribute validation JIRA).
Thanks to everybody in this thread for their opinions.
Vlastimil
On 24.2.2016 11:49, Marek Posolda wrote:
+1 to create JIRA for it and have it somehow available OOTB.
As you mentioned, you can already customize the registration flow and add
custom validation. But ATM this doesn't apply to account updates. So
if an attacker registers with some "valid" email, but then logs in to
account management and changes the email to "evil(a)blacklisted.com", the
validation won't be applied.
Also the validation won't be applied to users registered through
social, so if you have "review profile" enabled, the attacker can
register with some valid Facebook account, but then change the email to
"evil(a)blacklisted.com" on the ReviewProfile page. This can be caught
again by creating a custom authenticator for the firstBrokerLogin flow. The bad
thing is that you need a separate validator for registration and a
separate one for social (and still the account update is not handled).
AFAIK we have a JIRA to allow easy configuration of a set of validators for
some fields, where the validator will be applied to all 3 use cases:
- registration
- account update
- update profile required action (applies to reviewProfile after
social too)
This will allow that, for example, you can specify a regex for the
"birthDay" field in one place in the Keycloak admin console and the same
validator for the "birthDay" field will be applied in all 3 places. We can
have the same type of validator for email blacklisting/whitelisting IMO.
Marek
On 24/02/16 11:00, Vlastimil Elias wrote:
> Hi,
>
> Is there this feature (I was not able to find it) in Keycloak or is it
> planned (I was not able to find it in JIRA)?
>
> It is extremely useful (mainly blacklisting) in some cases. E.g.
> yesterday we fought spammers in one of our public systems. Spammers
> registered lots of new users using a disposable email service and then
> used them to create spam content. We blacklisted the domains used by the
> disposable email service from registration, which stopped the spammers
> immediately.
> We do not use Keycloak there yet, but maybe in the future. The current system we
> use has blacklisting available OOTB.
>
> Registration email whitelisting may be useful if you create a service for
> e.g. your employees only, and want them to register there with company
> emails only.
>
> I think it should be possible to add a new step into the "Registration" flow
> to perform this blacklisting; we can do it ourselves probably, but it
> would be cool to have this very useful feature present in Keycloak
> out of the box.
>
> WDYT about this feature, can I create a JIRA feature request for it?
>
> Vlastimil
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
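The point of the thread is that one email domain blacklist/whitelist check has to run in all three places (registration, account update, the update-profile required action used by reviewProfile after social login), otherwise an attacker registers with a clean address and switches to a blacklisted one afterwards. The following is an added illustration of such a shared validator, written for this page rather than taken from Keycloak or from anyone in the thread; `DomainPolicy`, `ProfileAction`, `validate_profile_email`, the message keys and all sample addresses are constructed assumptions. In Keycloak the same check would be wired into the registration flow (as a FormAction), the account update path and the update-profile required action so that the policy object is defined once and consulted by all three.

```python
# Constructed example: one e-mail domain blacklist/whitelist validator shared by
# registration, account update and the "update profile" required action.
# Not Keycloak code; every name below is an assumption for illustration only.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ProfileAction(Enum):
    """The three profile paths from the thread that must all run the validator."""
    REGISTRATION = "registration"
    ACCOUNT_UPDATE = "account-update"
    UPDATE_PROFILE_REQUIRED_ACTION = "update-profile"  # reviewProfile after social login


def email_domain(email: Optional[str]) -> Optional[str]:
    """Return the normalised domain of an address, or None if it is malformed.

    Surrounding whitespace and a trailing dot are dropped, the domain is
    lower-cased, and the split is on the last '@' so a quoted local part such
    as "a@b"@example.com still yields example.com.
    """
    if email is None:
        return None
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    domain = domain.lower().rstrip(".")
    if not domain or any(c.isspace() for c in domain):
        return None
    return domain


@dataclass(frozen=True)
class DomainPolicy:
    """Blacklist always wins; a non-empty whitelist then restricts to listed domains.

    An entry matches the domain itself and, when match_subdomains is set, any
    subdomain of it, so "mail.blacklisted.example" matches "blacklisted.example".
    """
    blacklist: frozenset
    whitelist: frozenset = frozenset()
    match_subdomains: bool = True

    def _listed(self, domain: str, entries: frozenset) -> bool:
        for entry in entries:
            entry = entry.lower().rstrip(".")
            if domain == entry or (self.match_subdomains and domain.endswith("." + entry)):
                return True
        return False

    def check(self, email: Optional[str]) -> Optional[str]:
        """Return a message key for a rejected address, or None when it is allowed."""
        domain = email_domain(email)
        if domain is None:
            return "invalidEmailMessage"
        if self._listed(domain, self.blacklist):
            return "emailDomainBlacklisted"
        if self.whitelist and not self._listed(domain, self.whitelist):
            return "emailDomainNotWhitelisted"
        return None


def validate_profile_email(policy: DomainPolicy, action: ProfileAction, form: dict) -> dict:
    """Single entry point every profile path calls; returns a field -> message map.

    The action is passed only so a caller can identify itself (e.g. for event
    details); the policy applied is deliberately identical for all three.
    """
    errors = {}
    msg = policy.check(form.get("email", ""))
    if msg is not None:
        errors["email"] = msg
    return errors


def simulate_attack(policy: DomainPolicy) -> list:
    """Replay the scenario from the thread with constructed data: register with a
    clean address, then try to switch to a blacklisted one via account management
    and via the review-profile page. Returns the error map from each step."""
    steps = [
        (ProfileAction.REGISTRATION, {"email": "alice@example.org"}),
        (ProfileAction.ACCOUNT_UPDATE, {"email": "evil@blacklisted.example"}),
        (ProfileAction.UPDATE_PROFILE_REQUIRED_ACTION, {"email": "Evil@MAIL.Blacklisted.Example "}),
    ]
    return [validate_profile_email(policy, action, form) for action, form in steps]


if __name__ == "__main__":
    policy = DomainPolicy(blacklist=frozenset({"blacklisted.example"}))
    for action_result in simulate_attack(policy):
        print(action_result)
```

With the blacklist above the first step passes and both later steps are rejected with `emailDomainBlacklisted`, including the mixed-case subdomain variant, which is exactly the gap Marek describes when the validator only lives in the registration flow. Matching subdomains by default matters for disposable-mail providers that hand out many hostnames under one domain; set `match_subdomains=False` if a policy is meant to name exact hosts only.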