feat: link oidc credentials when login #3222
Conversation
splaunov
force-pushed
the
feature/link-credentials-when-login
branch
from
eb99bba
to
be7259f
Compare
…d to login and registrations flows
There was a problem hiding this comment.
Thank you! Unfortunately, merging this would introduce some quite serious security vulnerabilities which allows account take over:
- Adam signs up with adam@example.org in Kratos
- Eve creates account at e.g. Twitter with adam@example.org
- Eve uses Twitter account to sign into Kratos, system things it's adam@example.org
- Account is taken over
There are some ways to prevent this problem by, for example, requiring email verification but not all services support returning these fields.
Emails, in general, can not be used to cross reference authentication between completely separate systems.
To improve UX, the best way would be:
- Sign up with adam@example.org and password
- Adam tries to sign in with Google account adam@example.org
- UI says: "You already have an account. Please sign in with your password, and link your Google account in the next step"
Eve will be requested to login with email/password first. So, takeover is not possible. |
|
I see! My bad, in that case, this looks like a very nice approach :) I'll try to get it running in the next couple of days locally |
…gged in identity (CORE-2006)
|
Thank you for your contribution! I merged the latest changes into your branch and opened a new PR here: #3563. I'll finish off the PR there. |
When user tries to login with OIDC for the first time but has already registered before with email/password a credentials identifier conflict may be detected by Kratos. In this case user needs to login with email/password first and then link OIDC credentials on a settings screen. This PR simplifies UX and allows user to link OIDC credentials to existing account right in the login flow, without switching to settings flow. Closes #2727 Closes #3222
When user tries to login with OIDC for the first time but has already registered before with email/password a credentials identifier conflict may be detected by Kratos. In this case user needs to login with email/password first and then link OIDC credentials on a settings screen. This PR simplifies UX and allows user to link OIDC credentials to existing account right in the login flow, without switching to settings flow. Closes ory#2727 Closes ory#3222
When user tries to login with OIDC for the first time but has already registered before with email/password a credentials identifier conflict may be detected by Kratos. In this case user needs to login with email/password first and then link OIDC credentials on a settings screen.
This PR simplifies UX and allows user to link OIDC credentials to existing account right in the login flow, without
switching to settings flow.
Related issue(s)
#2727
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.sh) from the maintainers to push
the changes.
works.