[keycloak-user] Blacklisting/whitelisting of domains for email entered during user registration
Thomas Darimont
thomas.darimont at googlemail.com
Wed Feb 24 06:17:23 EST 2016
Would be very helpful, indeed!
Additionally, I'd recommend using the recaptcha support, see:
http://keycloak.github.io/docs/userguide/keycloak-server/html/recaptcha.html
2016-02-24 11:53 GMT+01:00 Marek Posolda <mposolda at redhat.com>:
> On 24/02/16 11:49, Marek Posolda wrote:
> > +1 to create JIRA for it and have it somehow available OOTB.
> >
> > As you mentioned, you can already customize the registration flow and add
> > custom validation. But ATM this doesn't apply to account updates. So if an
> > attacker registers with some "valid" email, but then logs in to account
> > management and changes the email to "evil at blacklisted.com", the validation
> > won't be applied.
> >
> > Also the validation won't be applied to users registered through social,
> > so if you have "review profile" enabled, the attacker can register with
> > some valid facebook account, but then change the email to
> > "evil at blacklisted.com" on the ReviewProfile page. This can be caught
> > again by creating a custom authenticator for the firstBrokerLogin flow. The bad
> > thing is that you need a separate validator for registration and a separate
> > one for social (and the account update is still not handled).
> >
> > AFAIK we have a JIRA to allow easily configuring a set of validators for some
> > fields, where the validator will be applied to all 3 use cases:
> > - registration
> > - account update
> > - update profile required action (applies to reviewProfile after social too)
> >
> > This will allow that, for example, you can specify a regex for the
> > "birthDay" field in one place in the Keycloak admin console and the same
> > validator for the "birthDay" field will be applied in all 3 places. We can
> > have the same type of validator for email blacklisting/whitelisting IMO.
> Found an older thread where we discussed it -
> http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005767.html .
>
> Marek
> >
> > Marek
> >
> >
> > On 24/02/16 11:00, Vlastimil Elias wrote:
> >> Hi,
> >>
> >> Is this feature (I was not able to find it) in Keycloak, or is it
> >> planned (I was not able to find it in JIRA)?
> >>
> >> It is extremely useful (mainly blacklisting) in some cases. E.g.
> >> yesterday we fought spammers in one of our public systems. Spammers
> >> registered lots of new users using a disposable email service and then
> >> used them to create spam content. We blacklisted the domains used by the
> >> disposable email service from registration, which stopped the spammers
> >> immediately.
> >> We do not use Keycloak there yet, but maybe in the future. The current system we
> >> use has blacklisting available OOTB.
> >>
> >> Registration email whitelisting may be useful if you create a service for
> >> e.g. your employees only, and want them to register there with company
> >> emails only.
> >>
> >> I think it should be possible to add a new step into the "Registration" flow
> >> to perform this blacklisting; we can probably do it ourselves, but it
> >> would be cool to have this very useful feature present in Keycloak
> >> out of the box.
> >>
> >> WDYT about this feature, can I create a JIRA feature request for it?
> >>
> >> Vlastimil
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
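An added example, not code from this thread or from the Keycloak project, of the registration-flow step Vlastimil describes, written against Keycloak's FormAction SPI; the class name, the sample domains and the in-code blacklist are constructed, and a real deployment would load the list from the authenticator config.

```java
import java.util.*;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.*;
import org.keycloak.authentication.forms.RegistrationPage;
import org.keycloak.events.*;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.*;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;

// Registration-flow step that rejects an address whose domain, or a parent of it, is listed.
public class EmailDomainBlacklistFormAction implements FormAction {
    // Constructed sample list; a real deployment would load it from the authenticator config.
    private static final Set<String> BLACKLIST = new HashSet<>(Arrays.asList(
            "disposable.example", "throwaway.example"));

    // Domain part of the address, lowercased; null when there is no local part or no domain.
    static String domainOf(String email) {
        int at = email == null ? -1 : email.lastIndexOf('@');
        if (at < 1 || at == email.length() - 1) return null;
        return email.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    // True for a listed domain and for any subdomain of it (e.g. mail.disposable.example).
    static boolean isBlacklisted(String email) {
        String domain = domainOf(email);
        if (domain == null) return true; // fail closed on unparsable input
        while (domain != null) {
            if (BLACKLIST.contains(domain)) return true;
            int dot = domain.indexOf('.');
            domain = dot < 0 ? null : domain.substring(dot + 1);
        }
        return false;
    }

    @Override public void validate(ValidationContext context) {
        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        String email = formData.getFirst(RegistrationPage.FIELD_EMAIL);
        if (isBlacklisted(email)) {
            context.getEvent().detail(Details.EMAIL, email); // recorded in the realm's event log
            context.error(Errors.INVALID_REGISTRATION);
            context.validationError(formData, Collections.singletonList(new FormMessage(RegistrationPage.FIELD_EMAIL, Messages.INVALID_EMAIL)));
            return;
        }
        context.success();
    }

    // Nothing to render, no user required yet, nothing to do after a successful submission.
    @Override public void buildPage(FormContext context, LoginFormsProvider form) { }
    @Override public void success(FormContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The step is registered through a matching FormActionFactory listed in META-INF/services/org.keycloak.authentication.FormActionFactory and then added as an execution of the Registration form. As Marek points out, this only guards registration; the same domain check still has to be wired into the account update and first broker login paths separately.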