[keycloak-user] Blacklisting/whitelisting of domains for email entered during user registration
Marek Posolda
mposolda at redhat.com
Wed Feb 24 05:49:39 EST 2016
+1 to create a JIRA for it and have it somehow available OOTB.
As you mentioned, you can already customize the registration flow and add
custom validation. But ATM this doesn't apply to account updates. So if an
attacker registers with some "valid" email, but then logs in to account
management and changes the email to "evil@blacklisted.com", the validation
won't be applied.
Also the validation won't be applied to users registered through social,
so if you have "review profile" enabled, the attacker can register with
some valid Facebook account, but then change the email to
"evil@blacklisted.com" on the ReviewProfile page. This can be caught
again by creating a custom authenticator for the firstBrokerLogin flow. The
bad thing is that you need a separate validator for registration and a
separate one for social (and still the account update is not handled).
AFAIK we have a JIRA to allow easily configuring a set of validators for some
fields, where the validator will be applied to all 3 use cases like:
- registration
- account update
- update profile required action (applies to reviewProfile after social too)
This will allow, for example, that you can specify a regex for the
"birthDay" field in one place in the Keycloak admin console and the same
validator for the "birthDay" field will be applied in all 3 places. We can
have the same type of validator for email blacklisting/whitelisting IMO.
Marek
On 24/02/16 11:00, Vlastimil Elias wrote:
> Hi,
>
> Is this feature (I was not able to find it) in Keycloak, or is it
> planned (I was not able to find it in JIRA)?
>
> It is extremely useful (mainly blacklisting) in some cases. E.g.
> yesterday we fought spammers in one of our public systems. Spammers
> registered lots of new users using a disposable email service and then
> used them to create spam content. We blacklisted the domains used by the
> disposable email service from registration, which stopped the spammers
> immediately.
> We do not use Keycloak there yet, but maybe in the future. The current
> system we use has blacklisting available OOTB.
>
> Registration email whitelisting may be useful if you create a service for
> e.g. your employees only, and want them to register there with company
> emails only.
>
> I think it should be possible to add a new step into the "Registration" flow
> to perform this blacklisting; we can probably do it ourselves, but it
> would be cool to have this very useful feature present in Keycloak
> out of the box.
>
> WDYT about this feature, can I create a JIRA feature request for it?
>
> Vlastimil
>
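The point both messages make is that the domain check only helps if the same check runs everywhere a user can set an email: the registration form, account update, and the update-profile required action used after a social login. The following is an added example, not code from this thread or from Keycloak: a small, dependency-free Java class holding the deny/allow policy so that each of those three entry points can call the one `validate()` method. The class name, the sample domains and the two domain-specific message keys (`emailDomainDeniedMessage`, `emailDomainNotAllowedMessage`) are assumptions; `invalidEmailMessage` and `missingEmailMessage` are Keycloak's existing keys. It handles the edge cases a blacklist is usually tripped up by: mixed case, a trailing dot, subdomains of a listed domain, and Unicode spellings of a listed domain (normalized to punycode before comparison).

```java
import java.net.IDN;
import java.util.Arrays;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Email-domain policy meant to be shared by every place a user can set an
 * email (registration form, account update, update-profile required action).
 * A deny list blocks e.g. disposable-mail providers; a non-empty allow list
 * restricts registration to e.g. company domains. Matching is per DNS label,
 * so "mail.throwaway.example" matches a listed "throwaway.example".
 * (Example class, not part of Keycloak.)
 */
public final class EmailDomainPolicy {

    // Keycloak's existing message keys for these two cases ...
    static final String INVALID_EMAIL = "invalidEmailMessage";
    static final String MISSING_EMAIL = "missingEmailMessage";
    // ... and two hypothetical keys that would need entries in messages_*.properties.
    static final String DOMAIN_DENIED = "emailDomainDeniedMessage";
    static final String DOMAIN_NOT_ALLOWED = "emailDomainNotAllowedMessage";

    private final Set<String> denied;
    private final Set<String> allowed; // empty => any domain that is not denied passes

    public EmailDomainPolicy(Set<String> denied, Set<String> allowed) {
        this.denied = normalizeAll(denied);
        this.allowed = normalizeAll(allowed);
    }

    /** Empty on success, otherwise the message key to show next to the email field. */
    public Optional<String> validate(String email) {
        if (email == null || email.trim().isEmpty()) {
            return Optional.of(MISSING_EMAIL);
        }
        String e = email.trim();
        int at = e.indexOf('@');
        // exactly one '@', with a non-empty local part and a non-empty domain
        if (at <= 0 || at != e.lastIndexOf('@') || at == e.length() - 1) {
            return Optional.of(INVALID_EMAIL);
        }
        String domain = normalizeDomain(e.substring(at + 1));
        if (domain.isEmpty()) {
            return Optional.of(INVALID_EMAIL);
        }
        // The deny list wins over the allow list, so a denied subdomain of an
        // allowed domain is still rejected.
        if (matchesAny(domain, denied)) {
            return Optional.of(DOMAIN_DENIED);
        }
        if (!allowed.isEmpty() && !matchesAny(domain, allowed)) {
            return Optional.of(DOMAIN_NOT_ALLOWED);
        }
        return Optional.empty();
    }

    /** Lower-case, drop a trailing dot, and convert IDN labels to punycode so a
     *  Unicode spelling of a listed domain compares equal to its ASCII form. */
    static String normalizeDomain(String raw) {
        String d = raw.trim().toLowerCase(Locale.ROOT);
        if (d.endsWith(".")) {
            d = d.substring(0, d.length() - 1);
        }
        try {
            return IDN.toASCII(d).toLowerCase(Locale.ROOT);
        } catch (IllegalArgumentException badLabel) {
            return ""; // unrepresentable domain: the caller treats "" as invalid
        }
    }

    private static Set<String> normalizeAll(Set<String> domains) {
        return domains.stream().map(EmailDomainPolicy::normalizeDomain)
                .filter(d -> !d.isEmpty()).collect(Collectors.toSet());
    }

    private static boolean matchesAny(String domain, Set<String> list) {
        return list.stream().anyMatch(d -> domain.equals(d) || domain.endsWith("." + d));
    }

    public static void main(String[] args) {
        // Constructed sample deny list; the domains are placeholders, not real providers.
        EmailDomainPolicy denyOnly = new EmailDomainPolicy(
                Set.of("throwaway.example", "tempmail.example"), Set.of());
        for (String email : Arrays.asList(
                "alice@corp.example",
                "Bob@MAIL.Throwaway.Example.",   // subdomain, mixed case, trailing dot
                "evil@tempmail.example",
                "nobody@",                        // empty domain
                "two@at@signs.example")) {        // two '@' characters
            System.out.printf("%-30s -> %s%n", email, denyOnly.validate(email).orElse("ok"));
        }

        // Employee-only service: the allow list restricts registration to the company domain.
        EmailDomainPolicy companyOnly = new EmailDomainPolicy(Set.of(), Set.of("corp.example"));
        System.out.println("carol@webmail.example -> " + companyOnly.validate("carol@webmail.example").orElse("ok"));
        System.out.println("dave@hr.corp.example  -> " + companyOnly.validate("dave@hr.corp.example").orElse("ok"));
    }
}
```

Wiring this into Keycloak is the part the thread says is still missing OOTB: a registration `FormAction` would call `validate()` from its `validate(ValidationContext)` and report a non-empty result as a form error on the email field, and the same instance (built from one realm-level configuration) would be invoked from the account-update handler and from the update-profile required action, so the check cannot be bypassed by registering with a clean address and changing it afterwards.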