[keycloak-user] Blacklisting/whitelisting of domains for email entered during user registration

Marek Posolda mposolda at redhat.com
Wed Feb 24 05:53:56 EST 2016


On 24/02/16 11:49, Marek Posolda wrote:
> +1 to create JIRA for it and have it somehow available OOTB.
>
> As you mentioned, you can already customize the registration flow and add
> custom validation. But ATM this doesn't apply to account updates. So if an
> attacker registers with some "valid" email, but then logs in to account
> management and changes the email to "evil@blacklisted.com", the validation
> won't be applied.
>
> Also the validation won't be applied to users registered through social,
> so if you have "review profile" enabled, the attacker can register with
> some valid facebook account, but then change the email to
> "evil@blacklisted.com" on the ReviewProfile page. This can be caught
> again by creating a custom authenticator for the firstBrokerLogin flow. The bad
> thing is that you need a separate validator for registration and a separate one
> for social (and the account update is still not handled).
>
> AFAIK we have a JIRA to allow easily configuring a set of validators for some
> fields, where the validator will be applied to all 3 use cases:
> - registration
> - account update
> - update profile required action (applies to reviewProfile after social too)
>
> This will allow, for example, that you can specify a regex for the
> "birthDay" field in one place in the Keycloak admin console and the same
> validator for the "birthDay" field will be applied in all 3 places. We can
> have the same type of validator for email blacklisting/whitelisting IMO.
Found an older thread where we discussed it:
http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005767.html

Marek
>
> Marek
>
>
> On 24/02/16 11:00, Vlastimil Elias wrote:
>> Hi,
>>
>> Does this feature exist in Keycloak (I was not able to find it), or is it
>> planned (I was not able to find it in JIRA)?
>>
>> It is extremely useful (mainly blacklisting) in some cases. E.g.,
>> yesterday we fought spammers in one of our public systems. Spammers
>> registered lots of new users using a disposable email service and then
>> used them to create spam content. We blacklisted the domains used by the
>> disposable email service from registration, which stopped the spammers
>> immediately.
>> We do not use Keycloak there yet, but maybe in the future. The current system we
>> use has blacklisting available OOTB.
>>
>> Registration email whitelisting may be useful if you create a service for,
>> e.g., your employees only, and want them to register there with company
>> emails only.
>>
>> I think it should be possible to add a new step into the "Registration" flow
>> to perform this blacklisting; we can probably do it ourselves, but it
>> would be cool to have this very useful feature present in Keycloak
>> out of the box.
>>
>> WDYT about this feature, can I create a JIRA feature request for it?
>>
>> Vlastimil
>>
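An added example, not code from this thread or from Keycloak, of the email-domain policy check both messages describe: one normalising validator meant to be called from every place a user can set an email (the registration step, account update and the update-profile required action), so the account-management and review-profile paths Marek mentions do not bypass it. The names `DomainPolicy` and `check_email_domain` and the `.example` domains are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

@dataclass(frozen=True)
class DomainPolicy:
    """Domain rules shared by registration, account update and review-profile."""
    blacklist: FrozenSet[str] = frozenset()  # e.g. disposable-email domains
    whitelist: FrozenSet[str] = frozenset()  # if non-empty, only these may register

_DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")  # labels, at least one dot

def _parse_domain(email: str) -> Optional[str]:
    """Return the normalised domain part of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or "@" in local or not domain:
        return None
    domain = domain.rstrip(".").lower()  # trailing dot and case must not evade a match
    try:
        # Fold Unicode labels to punycode so a look-alike spelling is compared
        # against the same list entry as its ASCII form.
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return domain if _DOMAIN_RE.fullmatch(domain) else None

def _matches(domain: str, listed: Iterable[str]) -> bool:
    """True if domain equals a listed entry or is a subdomain of one."""
    for entry in listed:
        entry = entry.lower().rstrip(".")
        if domain == entry or domain.endswith("." + entry):
            return True
    return False

def check_email_domain(email: str, policy: DomainPolicy) -> str:
    """Return 'ok', or the reason the address must be rejected."""
    domain = _parse_domain(email)
    if domain is None:
        return "invalid_email"
    if _matches(domain, policy.blacklist):
        return "domain_blacklisted"
    if policy.whitelist and not _matches(domain, policy.whitelist):
        return "domain_not_whitelisted"
    return "ok"

if __name__ == "__main__":
    # Constructed sample: block a disposable-mail domain, including subdomains.
    block = DomainPolicy(blacklist=frozenset({"disposable.example"}))
    print(check_email_domain("Bob@Mail.DISPOSABLE.example.", block))  # domain_blacklisted
```

The same function can back a registration FormAction, the account-update check and a firstBrokerLogin authenticator, which is what removes the gap between the three entry points.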
