Any pointer on this? I've looked through the source code, but can't seem to
find the place where it does the actual linking. Must I replace the entire
default First Broker Login flow, or is it possible to just make some
changes to some of its authenticators?
2016-06-21 13:08 GMT+07:00 Marek Posolda <mposolda(a)redhat.com>:
You mean that if there is already an existing user
"john(a)gmail.com" <john(a)gmail.com> in the keycloak database and you authenticate the same user
"john(a)gmail.com" <john(a)gmail.com> with google identity provider, you
want to automatically link google provider with this keycloak account?
We didn't want to support this OOTB because of possible security
implications. For example if identity provider doesn't verify emails, you
can see security issues similar to this:
- There is user "john(a)gmail.com" <john(a)gmail.com> in keycloak
- Attacker registers the account on identity provider side with email
"john(a)gmail.com" <john(a)gmail.com> . If identity provider doesn't verify
emails, attacker can easily do it.
- Now attacker logs in to keycloak with identity provider and keycloak will
automatically link with the existing keycloak account "john(a)gmail.com"
<john(a)gmail.com> . So now attacker was able to log in to keycloak as user
"john(a)gmail.com" <john(a)gmail.com> because 3rd party identity provider
didn't verify emails and accounts were linked automatically just based on
You can admit that this one issue doesn't exist in case that identity
provider properly verifies emails. However there are still in theory some
So feel free to implement your own authenticator, which will do the
linking automatically based on email and then configure "first broker
login" flow with your authenticator. See docs for "First broker login" and
"Authentication SPI" for more details.
Also feel free to create JIRA if you really want this OOTB. We may
eventually add it if there is big requirement for this. However we will
never change the default "first broker login" flow to behave like this and
automatically link accounts.
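The kind of custom authenticator described in the reply above, as an added example that is not code from the original thread or from the Keycloak project itself. It reads the duplicate-user note that the built-in "Create User If Unique" step leaves behind, and only links when the collision is on email, the identity provider is configured as "Trust Email", and the brokered email matches the local account; otherwise it falls through so the default "Handle Existing Account" steps (confirm link, verify email or password) still apply. This guards against the unverified-email attack the reply describes. Package name and class name are hypothetical, and the Keycloak API signatures used (`AuthenticationSessionModel.getAuthNote`, `getUserById(realm, id)`, `IdentityProviderModel.isTrustEmail()`, `ExistingUserInfo`) are assumed from later Keycloak versions; on 2016-era releases the note lives on the client session instead, so the call names differ.

```java
package org.example.keycloak.autolink; // hypothetical package name

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.ExistingUserInfo;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.sessions.AuthenticationSessionModel;

/**
 * Links a brokered login to an existing local account with the same email,
 * but only when the identity provider is marked "Trust Email" in the admin
 * console. Any other case is left to the rest of the first broker login flow.
 * (Example authenticator; API signatures assumed, see lead-in.)
 */
public class EmailAutoLinkAuthenticator extends AbstractIdpAuthenticator {

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        AuthenticationSessionModel authSession = context.getAuthenticationSession();

        // "Create User If Unique" runs earlier in the flow and records the
        // duplicate it found in this note; no note means there is nothing to link.
        String existingInfo = authSession.getAuthNote(EXISTING_USER_INFO);
        if (existingInfo == null) {
            context.attempted();
            return;
        }
        ExistingUserInfo duplicate = ExistingUserInfo.deserialize(existingInfo);

        // Link only on an email collision, never on a username collision.
        if (!UserModel.EMAIL.equals(duplicate.getDuplicateAttributeName())) {
            context.attempted();
            return;
        }

        // Mitigation for the attack described in the thread: an IdP that does
        // not verify emails must not be allowed to take over a local account.
        if (!brokerContext.getIdpConfig().isTrustEmail()) {
            context.attempted();
            return;
        }

        UserModel existingUser = session.users().getUserById(realm, duplicate.getExistingUserId());
        if (existingUser == null || !existingUser.isEnabled()) {
            context.failure(AuthenticationFlowError.USER_DISABLED);
            return;
        }

        // Defensive re-check: the brokered email must equal the local one.
        String brokerEmail = brokerContext.getEmail();
        if (brokerEmail == null || !brokerEmail.equalsIgnoreCase(existingUser.getEmail())) {
            context.failure(AuthenticationFlowError.INVALID_USER);
            return;
        }

        // Setting the user and completing the flow lets the broker endpoint
        // create the federated identity link for this account.
        context.setUser(existingUser);
        context.success();
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        // No form is rendered, so a POST is handled the same way as the first call.
        authenticateImpl(context, serializedCtx, brokerContext);
    }

    @Override
    public boolean requiresUser() {
        return false; // runs before any local user is known
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }
}
```

To deploy it you still need a matching `AuthenticatorFactory` registered through `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, and then a copy of the First Broker Login flow in which this execution sits after "Create User If Unique" as an alternative to the "Handle Existing Account" subflow, so that logins from providers without "Trust Email" keep going through the confirm-link and re-authentication steps.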
On 17/06/16 08:46, Harits Elfahmi wrote:
Currently we use google login using the identity provider in keycloak. The
first broker login states that we must verify existing account and then
reauthenticate using user password form. Is it possible to use the already
available executions/flows and skip the reauthentication part?
So if the google email already exists in a keycloak account, we allow them
to login without the form.
Or must we create a custom execution? Is it possible using custom