The linking is done in IdentityBrokerService once the firstBrokerLogin flow is finished. I suggest to look at sources of existing authenticators in firstBrokerLogin and to IdentityBrokerService .

Good luck,
Marek

On 15/09/16 02:13, Harits Elfahmi wrote:
Hi Marek,

Any pointer on this? I've looked through the source code, but can't seem to find the place where it does the actual linking. Must I replace the entire default First Broker Login flow, or is it possible to just make some changes into some if its authenticator?

Thanks

2016-06-21 13:08 GMT+07:00 Marek Posolda <mposolda@redhat.com>:
You mean that if in keycloak database is already existing user "john@gmail.com" and you authenticate the same user "john@gmail.com" with google identity provider, you want to automatically link google provider with this keycloak account?

We didn't want to support this OOTB because of possible security implications. For example if identity provider doesn't verify emails, you can see security issues similar to this:
- There is user "john@gmail.com" in keycloak
- Attacker registers the account on identity provider side with email "john@gmail.com" . If identity provider doesn't verify emails, attacker can easily do it.
- Now attacker login to keycloak with identity provider and keycloak will automatically link with the existing keycloak account "john@gmail.com" . So now attacker was able to login to keycloak as user "john@gmail.com" because 3rd party identity provider didn't verify emails and accounts were linked automatically just based on emails.

You can admit that this one issue doesn't exist in case that identity provider properly verify emails. However there are still in theory some other issues...

So feel free to implement your own authenticator, which will do the linking automatically based on email and then configure "first broker login" flow with your authenticator. See docs for "First broker login" and "Authentication SPI" for more details.

Also feel free to create JIRA if you really want this OOTB. We may eventually add it if there is big requirement for this. However we will never change the default "first broker login" flow to behave like this and automatically link accounts.

Marek


On 17/06/16 08:46, Harits Elfahmi wrote:
Hello, 

Currently we use google login using the identity provider in keycloak. The first broker login states that we must verify existing account and then reauthenticate using user password form. Is it possible to use the already available executions/flows and skip the reauthentication part? 

So if the google email already exist in a keycloak account, we allow them to login without the form.

Or must we create a custom execution? Is it possible using custom execution?

Thanks
--
Cheers,

Harits Elfahmi


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Cheers,
Harits Elfahmi