[keycloak-user] Allow google login without reauthentication
Marek Posolda
mposolda at redhat.com
Tue Jun 21 02:08:04 EDT 2016
You mean that if in keycloak database is already existing user
"john at gmail.com" and you authenticate the same user "john at gmail.com"
with google identity provider, you want to automatically link google
provider with this keycloak account?
We didn't want to support this OOTB because of possible security
implications. For example if identity provider doesn't verify emails,
you can see security issues similar to this:
- There is user "john at gmail.com" in keycloak
- Attacker registers the account on identity provider side with email
"john at gmail.com" . If identity provider doesn't verify emails, attacker
can easily do it.
- Now attacker login to keycloak with identity provider and keycloak
will automatically link with the existing keycloak account
"john at gmail.com" . So now attacker was able to login to keycloak as user
"john at gmail.com" because 3rd party identity provider didn't verify
emails and accounts were linked automatically just based on emails.
You can admit that this one issue doesn't exist in case that identity
provider properly verify emails. However there are still in theory some
other issues...
So feel free to implement your own authenticator, which will do the
linking automatically based on email and then configure "first broker
login" flow with your authenticator. See docs for "First broker login"
and "Authentication SPI" for more details.
Also feel free to create JIRA if you really want this OOTB. We may
eventually add it if there is big requirement for this. However we will
never change the default "first broker login" flow to behave like this
and automatically link accounts.
Marek
On 17/06/16 08:46, Harits Elfahmi wrote:
> Hello,
>
> Currently we use google login using the identity provider in keycloak.
> The first broker login states that we must verify existing account and
> then reauthenticate using user password form. Is it possible to use
> the already available executions/flows and skip the reauthentication
> part?
>
> So if the google email already exist in a keycloak account, we allow
> them to login without the form.
>
> Or must we create a custom execution? Is it possible using custom
> execution?
>
> Thanks
> --
> Cheers,
> *
> *
> *Harits* Elfahmi
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160621/38fcaa6d/attachment.html
More information about the keycloak-user
mailing list