New IdP linking strategy - Link on Email. Only if user is associated to Identity Provider. #2447
With our setup, we have our user pool and our Identity Providers in a single tenant. Given the existing linking strategies (username, email, etc.), there's no way to restrict the set of Identity Providers that a user account is allowed to link with. For us, this causes the following risk to manifest: an IdP could be hacked, allowing a cross-domain account takeover to occur. To mitigate this risk we'd like the ability to enforce linking restrictions. A compromised IdP that impacts the users that are linked to the IdP is bad. But a compromised IdP that impacts the entire pool of users is really, really bad.

Example

If I put in jon.smith@example.com as my email address to start the login process, but the Example IdP returned robotdan@fusionauth.io as my email address, then my Example IdP account would be linked to the user account with robotdan@fusionauth.io as the email, allowing for an account takeover of the robotdan@fusionauth.io account.

To remove this risk, we want to restrict linking by email domain (e.g., fusionauth.io) to start, but in the future want the flexibility to manage user account to IdP associations with multiple domains and IdPs via being explicitly allowed. example:

Current Options

We're leveraging option 3 at this time.

Solution
Problem
I have a user@user.com and I want to associate them with a known identity provider, but I do not know the ID of the user in that upstream IdP (yet). We want to force a user to use a certain IdP when federating.
Solution
Make an Associate API
This would allow a user to be associated with an identityProvider without knowing about the user's Id information in the upstream IdP.
Additional context
https://inversoft.slack.com/archives/C0429LK5A9J/p1692901048509939
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
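To make the takeover in the comment above and the "link only if associated" proposal in this issue concrete, here is a small model of both linking strategies side by side. This is an added example, not FusionAuth code and not its API; the `User`, `IdentityProvider`, `associate` and `link_on_email_if_associated` names, and the sample accounts, are assumptions constructed for illustration. It shows the unrestricted email link handing a compromised Example IdP the robotdan@fusionauth.io account, and the restricted variant refusing because the IdP is neither allowed for that domain nor associated with that user.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: str
    email: str
    # IdP ids this account is explicitly allowed to link with. This is the
    # record the proposed Associate API would create ahead of the first
    # federated login, before the upstream user id is known. (Assumed model.)
    associated_idps: set = field(default_factory=set)


@dataclass
class IdentityProvider:
    id: str
    # Email domains this IdP is trusted to assert; empty means unrestricted.
    allowed_domains: set = field(default_factory=set)


@dataclass
class LinkResult:
    linked: bool
    user_id: Optional[str]
    reason: str


def email_domain(email: str) -> Optional[str]:
    """Lower-cased domain part of an address, or None if it is malformed."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def find_by_email(users, email):
    for u in users:
        if u.email.lower() == email.lower():
            return u
    return None


def link_on_email(users, idp, asserted_email) -> LinkResult:
    """Existing strategy: whatever email the IdP asserts is trusted outright."""
    user = find_by_email(users, asserted_email)
    if user is None:
        return LinkResult(False, None, "no account with the asserted email")
    return LinkResult(True, user.id, "linked on email")


def link_on_email_if_associated(users, idp, asserted_email) -> LinkResult:
    """Proposed strategy: link on email only when the IdP may assert that
    domain (if a list is configured) and the account is already associated
    with this IdP."""
    domain = email_domain(asserted_email)
    if domain is None:
        return LinkResult(False, None, "malformed email asserted by IdP")
    if idp.allowed_domains and domain not in idp.allowed_domains:
        return LinkResult(False, None, f"domain {domain} not allowed for {idp.id}")
    user = find_by_email(users, asserted_email)
    if user is None:
        return LinkResult(False, None, "no account with the asserted email")
    if idp.id not in user.associated_idps:
        return LinkResult(False, None, f"{user.id} is not associated with {idp.id}")
    return LinkResult(True, user.id, "linked on email; association verified")


def associate(user: User, idp: IdentityProvider) -> None:
    """What the proposed Associate API would do: allow this account to
    federate through this IdP without knowing the upstream user id yet."""
    user.associated_idps.add(idp.id)


def sample_tenant():
    """Constructed sample data mirroring the scenario in the comment."""
    jon = User(id="u-jon", email="jon.smith@example.com")
    dan = User(id="u-dan", email="robotdan@fusionauth.io")
    example_idp = IdentityProvider(id="idp-example", allowed_domains={"example.com"})
    associate(jon, example_idp)
    return [jon, dan], example_idp


def takeover_attempt():
    """A compromised Example IdP asserts robotdan@fusionauth.io."""
    users, example_idp = sample_tenant()
    asserted = "robotdan@fusionauth.io"
    return {
        "unrestricted": link_on_email(users, example_idp, asserted),
        "restricted": link_on_email_if_associated(users, example_idp, asserted),
        # Legitimate login: Jon through the IdP he is associated with.
        "legitimate": link_on_email_if_associated(users, example_idp, "Jon.Smith@example.com"),
    }


if __name__ == "__main__":
    for name, r in takeover_attempt().items():
        print(f"{name:12} linked={r.linked} user={r.user_id} ({r.reason})")
```

The two checks are independent on purpose: the domain list alone covers the "restrict by email domain" first step, and the per-user association covers the later "explicitly allowed" model, so dropping the domain list still leaves the association check to block the cross-tenant link.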