[keycloak-user] Allow google login without reauthentication

Marek Posolda mposolda at redhat.com
Tue Jun 21 02:08:04 EDT 2016


You mean that if there is already an existing user "john at gmail.com" 
in the keycloak database and you authenticate the same user "john at gmail.com" 
with the google identity provider, you want to automatically link the google 
provider with this keycloak account?

We didn't want to support this OOTB because of possible security 
implications. For example, if the identity provider doesn't verify emails, 
you can see security issues similar to this:
- There is a user "john at gmail.com" in keycloak.
- An attacker registers an account on the identity provider side with email 
"john at gmail.com". If the identity provider doesn't verify emails, the attacker 
can easily do it.
- Now the attacker logs in to keycloak with the identity provider and keycloak 
will automatically link with the existing keycloak account 
"john at gmail.com". So now the attacker was able to log in to keycloak as user 
"john at gmail.com" because the 3rd party identity provider didn't verify 
emails and accounts were linked automatically just based on emails.

You can admit that this one issue doesn't exist in case the identity 
provider properly verifies emails. However, there are still in theory some 
other issues...

So feel free to implement your own authenticator, which will do the 
linking automatically based on email, and then configure the "first broker 
login" flow with your authenticator. See the docs for "First broker login" 
and "Authentication SPI" for more details.

Also feel free to create a JIRA if you really want this OOTB. We may 
eventually add it if there is a big requirement for this. However, we will 
never change the default "first broker login" flow to behave like this 
and automatically link accounts.

Marek

On 17/06/16 08:46, Harits Elfahmi wrote:
> Hello,
>
> Currently we use google login using the identity provider in keycloak. 
> The first broker login states that we must verify the existing account and 
> then reauthenticate using the user password form. Is it possible to use 
> the already available executions/flows and skip the reauthentication 
> part?
>
> So if the google email already exists in a keycloak account, we allow 
> them to log in without the form.
>
> Or must we create a custom execution? Is it possible using custom 
> execution?
>
> Thanks
> -- 
> Cheers,
> Harits Elfahmi
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
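As an added example, not code from this thread or from the Keycloak project, here is what the custom "first broker login" authenticator Marek suggests could look like, written against Keycloak's Authenticator SPI. It links the brokered identity to an existing account by email only when the email is verified on both sides, which closes exactly the unverified-email linking problem described in the reply above. The package and class names, the `trustedIdpAliases` authenticator-config key, and the lookup of an `email_verified` claim in the validated OIDC id_token are assumptions made for this example; the base class, context methods and model types are Keycloak's.

```java
package example.keycloak.broker;  // hypothetical package, not part of Keycloak

import java.util.Arrays;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.JsonWebToken;

/**
 * Hypothetical "first broker login" execution: authenticate as the existing
 * Keycloak user with the same e-mail, but only if BOTH the identity provider
 * and Keycloak consider that e-mail verified. Otherwise it steps aside and the
 * default confirm-link / re-authentication executions run as usual.
 */
public class VerifiedEmailAutoLinkAuthenticator extends AbstractIdpAuthenticator {

    // Assumed config key: comma-separated IdP aliases the admin has audited as
    // always verifying e-mail before issuing a token.
    static final String TRUSTED_IDPS_KEY = "trustedIdpAliases";

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        String email = brokerContext.getEmail();
        if (email == null || email.isEmpty()) {
            context.attempted();   // nothing safe to match on; let the flow continue
            return;
        }

        // Realm-scoped lookup by e-mail. Note: the argument order of
        // getUserByEmail changed to (realm, email) in later Keycloak versions.
        RealmModel realm = context.getRealm();
        UserModel existing = context.getSession().users().getUserByEmail(email, realm);
        if (existing == null) {
            context.attempted();   // no account to link; a later step may create one
            return;
        }

        String alias = brokerContext.getIdpConfig().getAlias();
        boolean bothVerified = idpVerifiedEmail(context, brokerContext, alias)
                && existing.isEmailVerified()
                && existing.isEnabled();
        if (!bothVerified) {
            // Unverified on either side: do NOT link silently. Marking the step
            // attempted leaves the default "Handle Existing Account" executions
            // (confirm link, verify by e-mail or password) to handle the conflict.
            context.attempted();
            return;
        }

        // Both sides verified: authenticate as the existing user. When the flow
        // succeeds, Keycloak records the federated identity for this user.
        context.setUser(existing);
        context.success();
    }

    /** True only if the admin trusts this IdP or the validated id_token says email_verified=true. */
    static boolean idpVerifiedEmail(AuthenticationFlowContext context,
                                    BrokeredIdentityContext brokerContext, String alias) {
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        if (cfg != null && cfg.getConfig() != null) {
            String trusted = cfg.getConfig().get(TRUSTED_IDPS_KEY);
            if (trusted != null && Arrays.asList(trusted.split("\\s*,\\s*")).contains(alias)) {
                return true;
            }
        }
        // Assumption: OIDC-based providers (Google included) store the validated
        // id_token in the broker context under OIDCIdentityProvider.VALIDATED_ID_TOKEN.
        Object token = brokerContext.getContextData().get(OIDCIdentityProvider.VALIDATED_ID_TOKEN);
        if (token instanceof JsonWebToken) {
            Object verified = ((JsonWebToken) token).getOtherClaims().get("email_verified");
            return Boolean.TRUE.equals(verified) || "true".equals(verified);
        }
        return false;   // unknown provider type: treat the e-mail as unverified
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        authenticateImpl(context, serializedCtx, brokerContext);  // no form to process
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

To deploy it you still need an `AuthenticatorFactory` for this class registered through `META-INF/services/org.keycloak.authentication.AuthenticatorFactory`, then a copy of the built-in "first broker login" flow with this execution added as an alternative ahead of "Handle Existing Account" and bound to the identity provider. The design choice worth noting is that the only silent path is the one where both the provider's claim (or an explicit admin allow-list) and Keycloak's own record agree the e-mail is verified; every other case falls back to the default flow rather than failing or linking, so the attacker scenario in the reply above never reaches `setUser`.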
