
Add additional linking strategy for email and username to link only if user does not yet exist #2424


Open
robotdan opened this issue Aug 14, 2023 · 0 comments
Assignees
Labels
enhancement New feature or request security

Comments

@robotdan
Member

robotdan commented Aug 14, 2023


Description

Add an additional linking strategy to reduce the risk presented by linking with a 3rd party IdP. The new linking strategy will be to link only if the user does not yet exist by email | username.

Currently we offer for email and username

  • Link on {value}. Create the user if they do not exist.
  • Link on {value}. Do not create the user if they do not exist.

This new option will be effectively:

  • Link on {value}. Only when the user does not exist.

Additional information

The purpose of this new strategy is to help mitigate account takeover risk. Risk is introduced when you do not completely trust the 3rd party IdP, or the 3rd party IdP does not provide adequate feedback on the verification state of a user's email address.

We could consider adding an additional setting to any IdP to force an email verification workflow to complete a link by email. Ideally this configuration would have three states:

  • Disabled. Do not perform additional email verification. Trust the identity provider to perform necessary verification.
  • Enabled. Always verify email address.
  • Enabled. Verify email address when a user with the linking email address already exists.

We may need to take into account email_verified from an OIDC provider, or optionally ignore this if we do not think the IdP is able to accurately represent the state of the email verification as is the case with Azure AD.

Auth0 has this forced email verification specifically for Azure AD, but I think it would be valuable for any IdP that you may not completely trust, or when you know that the configuration allows for email-related claims to be unreliable. https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/azuread-adfs-email-verification.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.
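The three linking strategies and the proposed email-verification setting from the comment above, as an added worked example. This is not FusionAuth code and not the author's: the strategy and setting names, the `decide_link` function, the in-memory user store and the IdP claims are all constructed here to show why "link only when the user does not exist" (and a verification step for untrusted IdPs) closes the takeover path that "link or create" leaves open.

```python
"""Added example (not FusionAuth's implementation): a model of IdP account-linking
strategies and of the proposed email-verification setting. The user store, the IdP
claims and every name below are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum


class LinkStrategy(Enum):
    # Existing options described in the issue
    LINK_OR_CREATE = "link_or_create"   # Link on {value}. Create the user if they do not exist.
    LINK_ONLY = "link_only"             # Link on {value}. Do not create the user if they do not exist.
    # Proposed option
    LINK_IF_ABSENT = "link_if_absent"   # Link on {value}. Only when the user does not exist.


class EmailVerification(Enum):
    DISABLED = "disabled"               # trust the IdP's own verification
    ALWAYS = "always"                   # always run our own verification before linking
    IF_USER_EXISTS = "if_user_exists"   # verify only when the link would attach to an existing user


@dataclass(frozen=True)
class Decision:
    action: str   # "link" | "create" | "reject" | "verify_email"
    reason: str


def decide_link(claims: dict, existing_users: set[str], strategy: LinkStrategy,
                verification: EmailVerification = EmailVerification.DISABLED,
                trust_email_verified: bool = True) -> Decision:
    """Decide what to do with an IdP login whose claims name an email address.

    existing_users: lowercase emails of local accounts (constructed store, assumption).
    trust_email_verified: False models an IdP whose email_verified claim is not
    considered reliable (the issue gives Azure AD as the example); the claim is then ignored.
    """
    email = claims.get("email")
    if not isinstance(email, str) or "@" not in email:
        return Decision("reject", "IdP did not assert a usable email address")
    email = email.strip().lower()
    exists = email in existing_users

    # 1. Apply the linking strategy. LINK_IF_ABSENT is the proposed mitigation:
    #    an IdP assertion can never attach itself to an account that already exists.
    if strategy is LinkStrategy.LINK_IF_ABSENT and exists:
        return Decision("reject", f"{email} already exists; refusing to link an existing user")
    if strategy is LinkStrategy.LINK_ONLY and not exists:
        return Decision("reject", f"{email} does not exist and the strategy does not create users")

    # 2. Apply the optional email-verification setting. The OIDC email_verified
    #    claim only counts when the IdP is configured as trusted for it.
    idp_says_verified = trust_email_verified and claims.get("email_verified") is True
    if verification is EmailVerification.ALWAYS:
        return Decision("verify_email", "policy requires our own verification for every link")
    if verification is EmailVerification.IF_USER_EXISTS and exists and not idp_says_verified:
        return Decision("verify_email", f"{email} exists and the IdP's verification is not trusted")

    # 3. Link to the existing account or create a new one.
    if exists:
        return Decision("link", f"linked IdP identity to existing user {email}")
    return Decision("create", f"created user {email} and linked IdP identity")


def takeover_scenario() -> dict[str, str]:
    """Constructed scenario: an IdP the attacker controls asserts a victim's email."""
    local_users = {"victim@example.com"}
    attacker_claims = {"sub": "attacker-1", "email": "victim@example.com", "email_verified": True}
    return {
        "link_or_create/disabled": decide_link(
            attacker_claims, local_users, LinkStrategy.LINK_OR_CREATE).action,
        "link_if_absent/disabled": decide_link(
            attacker_claims, local_users, LinkStrategy.LINK_IF_ABSENT).action,
        "link_or_create/if_user_exists,untrusted": decide_link(
            attacker_claims, local_users, LinkStrategy.LINK_OR_CREATE,
            EmailVerification.IF_USER_EXISTS, trust_email_verified=False).action,
    }


if __name__ == "__main__":
    for setting, outcome in takeover_scenario().items():
        print(f"{setting:45} -> {outcome}")
```

With the current "link or create" default and no extra verification, the attacker's assertion is linked straight onto the victim's account; the proposed strategy rejects it, and the "verify when the user exists" setting forces a verification round-trip to the mailbox instead of trusting the claim. Normalising the email (trim, lowercase) before the lookup matters here too, otherwise a case variant slips past the existence check.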
