[keycloak-user] Blacklisting/whitelisting of domains for email entered during user registration
Vlastimil Elias
velias at redhat.com
Wed Feb 24 08:16:07 EST 2016
Hi,
you are right, it should be better to have common set of
blacklisted/whitelisted domains for all user profile related actions
(register, update profile), so it is similar as user profile attribute
validation. But as it is not a common validation I'll create new Feature
Request in jira for this (and probably link it to the common user
attribute validation jira).
Thanks everybody in this thread for their opinion.
Vlastimil
On 24.2.2016 11:49, Marek Posolda wrote:
> +1 to create JIRA for it and have it somehow available OOTB.
>
> As you mentioned, you can already customize registration flow and add
> custom validation. But ATM this doesn't apply for account updates. So
> if attacker registers with some "valid" email, but then login to
> account management and change email to "evil at blacklisted.com" the
> validation won't be applied.
>
> Also the validation won't be applied to users registered through
> social, so if you have "review profile" enabled, the attacker can
> register with some valid facebook account, but then change email to
> "evil at blacklisted.com" on the ReviewProfile page. This can be catched
> again by creating custom authenticator for firstBrokerLogin flow. Bad
> thing is, that you need separate validator for registration and
> separate for social (and still the account update is not handled)
>
> AFAIK we have JIRA to allow easily configure set of validators for
> some fields, when validator will be applied to all of 3 usecases like:
> - registration
> - account update
> - update profile required action (applies to reviewProfile after
> social too)
>
> This will allow that you for example, you can specify regex for
> "birthDay" field in one place in Keycloak admin console and the same
> validator for "birthDay" field will be applied in all 3 places. We can
> have same type of validator for email blacklisting/whitelisting IMO.
>
> Marek
>
>
> On 24/02/16 11:00, Vlastimil Elias wrote:
>> Hi,
>>
>> Is there this feature (i was not able to find it) in Keycloak or is it
>> planned (I was not able to find it in JIRA)?
>>
>> It is extremely useful (mainly blacklisting) in some cases. Eg.
>> yesterday we fought spammers in one of our public systems. Spammers
>> registered lots of new users using disposable email service and then
>> used them to create spam content. We blacklisted domains used by the
>> disposable email service from registration, which stopped spammers
>> immediately.
>> We do not use Keycloak there yet, but maybe in future. Current system we
>> use has blacklisting available OOTB.
>>
>> Registration email whitelisting may be useful if you create service for
>> eg. your employees only, and want them to register there with company
>> emails only.
>>
>> I think it should be possible to add new step into "Registration" flow
>> to perform this blacklisting, we can do it yourself probably, but it
>> should be cool to have this very useful feature present in the Keycloak
>> out of the box.
>>
>> WDYT about this feature, can I create jira feature request for it?
>>
>> Vlastimil
>>
>
--
Vlastimil Elias
Principal Software Engineer
Developer Portal Engineering Team
More information about the keycloak-user
mailing list