[keycloak-user] Allow google login without reauthentication

Harits Elfahmi adilelfahmi at gmail.com
Wed Sep 14 20:13:05 EDT 2016


Hi Marek,

Any pointer on this? I've looked through the source code, but can't seem to
find the place where it does the actual linking. Must I replace the entire
default First Broker Login flow, or is it possible to just make some
changes to some of its authenticators?

Thanks

2016-06-21 13:08 GMT+07:00 Marek Posolda <mposolda at redhat.com>:

> You mean that if there is already an existing user "john at gmail.com" in the
> keycloak database and you authenticate the same user "john at gmail.com"
> with the google identity provider, you want to automatically link the google
> provider with this keycloak account?
>
> We didn't want to support this OOTB because of possible security
> implications. For example, if the identity provider doesn't verify emails, you
> can see security issues similar to this:
> - There is a user "john at gmail.com" in keycloak
> - The attacker registers an account on the identity provider side with email
> "john at gmail.com". If the identity provider doesn't verify emails, the
> attacker can easily do it.
> - Now the attacker logs in to keycloak with the identity provider, and keycloak
> will automatically link with the existing keycloak account "john at gmail.com".
> So now the attacker was able to login to keycloak as user "john at gmail.com"
> because the 3rd party identity provider didn't verify emails and accounts
> were linked automatically just based on emails.
>
> You can admit that this one issue doesn't exist in case the identity
> provider properly verifies emails. However, there are still in theory some
> other issues...
>
> So feel free to implement your own authenticator, which will do the
> linking automatically based on email and then configure "first broker
> login" flow with your authenticator. See docs for "First broker login" and
> "Authentication SPI" for more details.
>
> Also feel free to create JIRA if you really want this OOTB. We may
> eventually add it if there is big requirement for this. However we will
> never change the default "first broker login" flow to behave like this and
> automatically link accounts.
>
> Marek
>
>
> On 17/06/16 08:46, Harits Elfahmi wrote:
>
> Hello,
>
> Currently we use google login using the identity provider in keycloak. The
> first broker login states that we must verify existing account and then
> reauthenticate using user password form. Is it possible to use the already
> available executions/flows and skip the reauthentication part?
>
> So if the google email already exists in a keycloak account, we allow them
> to login without the form.
>
> Or must we create a custom execution? Is it possible using custom
> execution?
>
> Thanks
> --
> Cheers,
>
> *Harits* Elfahmi
>


-- 
Cheers,

*Harits* Elfahmi
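As an added illustration of the custom authenticator Marek suggests (example code, not from the thread or from Keycloak itself): an Authentication SPI authenticator for the "first broker login" flow that sets the existing Keycloak user and succeeds, so the flow skips the password form and the broker endpoint links the accounts afterwards. It only does so when the identity provider is configured with "Trust Email" and the existing account's email is verified, which is the mitigation for the unverified-email scenario described above; otherwise it returns attempted() so the default verify/re-authenticate executions still run. The class and package names are hypothetical, the AuthenticatorFactory and META-INF/services registration are omitted, and the argument order of getUserByEmail() is assumed to match the Keycloak release in use (it has changed between releases).

```java
package com.example.keycloak.broker; // hypothetical package

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

// Added example: auto-link an existing Keycloak account to the broker identity
// only when both sides give some assurance that the email really is owned.
public class TrustedEmailAutoLinkAuthenticator extends AbstractIdpAuthenticator {

    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        String email = brokerContext.getEmail();
        // Refuse to link on email alone unless the admin marked this IdP as
        // "Trust Email" (i.e. the IdP is known to verify addresses).
        if (email == null || !brokerContext.getIdpConfig().isTrustEmail()) {
            context.attempted(); // let the default verify/reauth executions handle it
            return;
        }
        // Argument order assumed for this Keycloak release; later releases reversed it.
        UserModel existing = context.getSession().users().getUserByEmail(email, context.getRealm());
        // An unverified local account could itself have been registered by someone
        // else with this address, so require the local email to be verified too.
        if (existing == null || !existing.isEmailVerified()) {
            context.attempted();
            return;
        }
        // Setting the user and succeeding skips the password form; the broker
        // endpoint links the federated identity to this user once the flow ends.
        context.setUser(existing);
        context.success();
    }

    @Override
    protected void actionImpl(AuthenticationFlowContext context,
                              SerializedBrokeredIdentityContext serializedCtx,
                              BrokeredIdentityContext brokerContext) {
        // No form is rendered by this authenticator, so there is no action to process.
    }

    @Override
    public boolean requiresUser() { return false; }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
}
```

Configure it as an ALTERNATIVE execution placed before the "Handle Existing Account" subflow in a copy of the First Broker Login flow, so the default executions remain the fallback whenever the checks above do not pass.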