[keycloak-user] Allow google login without reauthentication

Marek Posolda mposolda at redhat.com
Fri Sep 23 09:58:40 EDT 2016


The linking is done in IdentityBrokerService once the firstBrokerLogin
flow is finished. I suggest looking at the sources of the existing
authenticators in firstBrokerLogin and at IdentityBrokerService.

Good luck,
Marek

On 15/09/16 02:13, Harits Elfahmi wrote:
> Hi Marek,
>
> Any pointer on this? I've looked through the source code, but can't
> seem to find the place where it does the actual linking. Must I
> replace the entire default First Broker Login flow, or is it possible
> to just make some changes to some of its authenticators?
>
> Thanks
>
> 2016-06-21 13:08 GMT+07:00 Marek Posolda <mposolda at redhat.com>:
>
>     You mean that if there is already an existing user "john at gmail.com"
>     in the keycloak database and you authenticate the same user
>     "john at gmail.com" with the google identity provider, you want to
>     automatically link the google provider with this keycloak account?
>
>     We didn't want to support this OOTB because of possible security
>     implications. For example, if the identity provider doesn't verify
>     emails, you can see security issues similar to this:
>     - There is a user "john at gmail.com" in keycloak
>     - The attacker registers an account on the identity provider side with
>     the email "john at gmail.com". If the identity provider doesn't verify
>     emails, the attacker can easily do this.
>     - Now the attacker logs in to keycloak with the identity provider and
>     keycloak will automatically link with the existing keycloak account
>     "john at gmail.com". So now the attacker was able to log in to keycloak
>     as user "john at gmail.com" because the 3rd party identity provider
>     didn't verify emails and the accounts were linked automatically just
>     based on emails.
>
>     You may point out that this one issue doesn't exist if the identity
>     provider properly verifies emails. However, there are still, in
>     theory, some other issues...
>
>     So feel free to implement your own authenticator, which will do
>     the linking automatically based on email and then configure "first
>     broker login" flow with your authenticator. See docs for "First
>     broker login" and "Authentication SPI" for more details.
>
>     Also feel free to create a JIRA if you really want this OOTB. We may
>     eventually add it if there is a big requirement for this. However we
>     will never change the default "first broker login" flow to behave
>     like this and automatically link accounts.
>
>     Marek
>
>
>     On 17/06/16 08:46, Harits Elfahmi wrote:
>>     Hello,
>>
>>     Currently we use google login using the identity provider in
>>     keycloak. The first broker login states that we must verify the
>>     existing account and then reauthenticate using the user password
>>     form. Is it possible to use the already available
>>     executions/flows and skip the reauthentication part?
>>
>>     So if the google email already exists in a keycloak account, we
>>     allow them to log in without the form.
>>
>>     Or must we create a custom execution? Is it possible using a custom
>>     execution?
>>
>>     Thanks
>>     -- 
>>     Cheers,
>>     Harits Elfahmi
>>
>>
>>     _______________________________________________
>>     keycloak-user mailing list
>>     keycloak-user at lists.jboss.org
>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> -- 
> Cheers,
> Harits Elfahmi
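Added example, not code from this thread or from the Keycloak project: a first-broker-login authenticator of the kind Marek describes, but one that only links automatically when the identity provider itself asserts the email as verified, so the unverified-email case he lays out is refused rather than linked. It assumes the Keycloak Authentication SPI types named in the imports (AbstractIdpAuthenticator, SerializedBrokeredIdentityContext, the OIDCIdentityProvider.VALIDATED_ID_TOKEN context key) and the OIDC standard claim email_verified; the UserProvider argument order differs between Keycloak versions, so check it against the release you build against.

```java
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator;
import org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.JsonWebToken;

// Hypothetical execution for a copy of the "first broker login" flow, placed
// before the existing "Handle Existing Account" step (assumption).
public class VerifiedEmailAutoLinkAuthenticator extends AbstractIdpAuthenticator {
    @Override
    protected void authenticateImpl(AuthenticationFlowContext context,
                                    SerializedBrokeredIdentityContext serializedCtx,
                                    BrokeredIdentityContext brokerContext) {
        String email = brokerContext.getEmail();
        // Unverified or missing email: never link. This is the attacker-registers-
        // the-same-email case from the thread, so leave it to the later executions.
        if (email == null || !providerVerifiedEmail(brokerContext)) {
            context.attempted();
            return;
        }
        // Argument order of getUserByEmail differs between Keycloak versions.
        UserModel existing = context.getSession().users()
                .getUserByEmail(email, context.getRealm());
        if (existing == null || !existing.isEnabled()) {
            context.attempted();
            return;
        }
        // Selecting the user is all this step does; IdentityBrokerService
        // performs the actual link once the flow has finished.
        context.setUser(existing);
        context.success();
    }

    // True only if the validated OIDC ID token carries email_verified=true.
    static boolean providerVerifiedEmail(BrokeredIdentityContext ctx) {
        Object token = ctx.getContextData().get(OIDCIdentityProvider.VALIDATED_ID_TOKEN);
        if (!(token instanceof JsonWebToken)) return false;
        Object claim = ((JsonWebToken) token).getOtherClaims().get("email_verified");
        return Boolean.TRUE.equals(claim) || "true".equals(String.valueOf(claim));
    }

    @Override protected void actionImpl(AuthenticationFlowContext c,
            SerializedBrokeredIdentityContext s, BrokeredIdentityContext b) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
}
```

A matching AuthenticatorFactory and a META-INF/services entry are still needed to register the provider, and it belongs in a copy of the flow bound to the identity provider, not in the default first broker login flow.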
