[keycloak-user] Blacklisting/whitelisting of domains for email entered during user registration

Thomas Raehalme thomas.raehalme at aitiofinland.com
Wed Feb 24 06:26:18 EST 2016


Hi!

This would be really useful!

In my opinion email addresses should also be enforced when using identity
providers and the email address originates from, for example, Google.
Combined with whitelisting you could then restrict users to specific
Google Apps domain(s).

Best regards,
Thomas


On Wed, Feb 24, 2016 at 12:49 PM, Marek Posolda <mposolda at redhat.com> wrote:

> +1 to create JIRA for it and have it somehow available OOTB.
>
> As you mentioned, you can already customize the registration flow and add
> custom validation. But ATM this doesn't apply to account updates. So if an
> attacker registers with some "valid" email, but then logs in to account
> management and changes the email to "evil at blacklisted.com", the validation
> won't be applied.
>
> Also the validation won't be applied to users registered through social,
> so if you have "review profile" enabled, the attacker can register with
> some valid Facebook account, but then change the email to
> "evil at blacklisted.com" on the ReviewProfile page. This can be caught
> again by creating a custom authenticator for the firstBrokerLogin flow. The bad
> thing is that you need a separate validator for registration and a separate one
> for social (and still the account update is not handled).
>
> AFAIK we have a JIRA to allow easily configuring a set of validators for some
> fields, where the validator will be applied to all 3 use cases:
> - registration
> - account update
> - update profile required action (applies to reviewProfile after social
> too)
>
> This will allow that, for example, you can specify a regex for the
> "birthDay" field in one place in the Keycloak admin console and the same
> validator for the "birthDay" field will be applied in all 3 places. We can
> have the same type of validator for email blacklisting/whitelisting IMO.
>
> Marek
>
>
> On 24/02/16 11:00, Vlastimil Elias wrote:
> > Hi,
> >
> > Is this feature in Keycloak (I was not able to find it), or is it
> > planned (I was not able to find it in JIRA)?
> >
> > It is extremely useful (mainly blacklisting) in some cases. E.g.
> > yesterday we fought spammers in one of our public systems. Spammers
> > registered lots of new users using a disposable email service and then
> > used them to create spam content. We blacklisted the domains used by the
> > disposable email service from registration, which stopped the spammers
> > immediately.
> > We do not use Keycloak there yet, but maybe in the future. The current
> > system we use has blacklisting available OOTB.
> >
> > Registration email whitelisting may be useful if you create a service for
> > e.g. your employees only, and want them to register there with company
> > emails only.
> >
> > I think it should be possible to add a new step into the "Registration" flow
> > to perform this blacklisting; we can probably do it ourselves, but it
> > would be cool to have this very useful feature present in Keycloak
> > out of the box.
> >
> > WDYT about this feature, can I create a JIRA feature request for it?
> >
> > Vlastimil
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
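The registration-flow custom validation that Marek's reply refers to, written out as an added example (this is not Keycloak's own code and not from this thread). It assumes the Keycloak FormAction SPI of the 1.x/2.x line (package names differ between versions), a hypothetical class name EmailDomainFormAction, constructed DENY/ALLOW lists, and that the matching FormActionFactory and META-INF/services registration exist but are not shown.

```java
import java.util.*;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.*;
import org.keycloak.events.Errors;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.*;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;

// Hypothetical class name; a FormActionFactory (not shown) registers it in the registration flow.
public class EmailDomainFormAction implements FormAction {
    // Constructed sample lists; an empty ALLOW means "any domain not denied", a non-empty ALLOW
    // restricts registration to those domains (the Google Apps case from the thread).
    static final List<String> DENY = Arrays.asList("blacklisted.com");
    static final List<String> ALLOW = Collections.emptyList();

    // True when domain equals d or is a subdomain of it, so "evil.blacklisted.com" cannot bypass a "blacklisted.com" entry.
    static boolean under(String domain, String d) {
        return domain.equals(d) || domain.endsWith("." + d);
    }

    // Domain check on a normalised address (lower-cased, trailing dot stripped).
    static boolean domainPermitted(String email) {
        int at = email.lastIndexOf('@');
        if (at < 1 || at == email.length() - 1) return false; // no local part or no domain
        String domain = email.substring(at + 1).toLowerCase(Locale.ROOT);
        if (domain.endsWith(".")) domain = domain.substring(0, domain.length() - 1);
        for (String d : DENY) if (under(domain, d)) return false;
        if (ALLOW.isEmpty()) return true;
        for (String d : ALLOW) if (under(domain, d)) return true;
        return false;
    }

    @Override
    public void validate(ValidationContext context) {
        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        String email = formData.getFirst(Validation.FIELD_EMAIL);
        if (email == null || !domainPermitted(email.trim())) {
            // Record an INVALID_REGISTRATION event and re-render the form with an error on the email field.
            context.error(Errors.INVALID_REGISTRATION);
            context.validationError(formData,
                Collections.singletonList(new FormMessage(Validation.FIELD_EMAIL, Messages.INVALID_EMAIL)));
            return;
        }
        context.success();
    }

    // The remaining FormAction methods are no-ops for a pure validation step.
    @Override public void buildPage(FormContext context, LoginFormsProvider form) { }
    @Override public void success(FormContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

As Marek points out, this step only guards the registration form; the same domainPermitted check would have to be wired into the account-update path and the firstBrokerLogin review-profile step to close the bypass he describes.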