Re: [keycloak-user] Allow google login without reauthentication

You mean that if in keycloak database is already existing user "john(a)gmail.com" and you authenticate the same user "john(a)gmail.com" with google identity provider, you want to automatically link google provider with this keycloak account? We didn't want to support this OOTB because of possible security implications. For example if identity provider doesn't verify emails, you can see security issues similar to this: - There is user "john(a)gmail.com" in keycloak - Attacker registers the account on identity provider side with email "john(a)gmail.com" . If identity provider doesn't verify emails, attacker can easily do it. - Now attacker login to keycloak with identity provider and keycloak will automatically link with the existing keycloak account "john(a)gmail.com" . So now attacker was able to login to keycloak as user "john(a)gmail.com" because 3rd party identity provider didn't verify emails and accounts were linked automatically just based on emails. You can admit that this one issue doesn't exist in case that identity provider properly verify emails. However there are still in theory some other issues... So feel free to implement your own authenticator, which will do the linking automatically based on email and then configure "first broker login" flow with your authenticator. See docs for "First broker login" and "Authentication SPI" for more details. Also feel free to create JIRA if you really want this OOTB. We may eventually add it if there is big requirement for this. However we will never change the default "first broker login" flow to behave like this and automatically link accounts. Marek On 17/06/16 08:46, Harits Elfahmi wrote: