# talk-kratos

melodic-easter-54717

11/29/2021, 10:12 AM
Is it possible to log in through social providers if the identifiers match, even if the user did not sign up through the provider? Right now there's an explicit extra step to link them, which I think is a good default configuration. Is there a way to log in through them without linking if, for example, the emails match? There are some security considerations to think about, but it's a flow that's currently being used; e.g. Atlassian.
👍 2

magnificent-energy-493

11/29/2021, 4:49 PM
> Is there a way to log in through them without linking if, for example, the emails match?
I think this is a massive security issue. I have to dig a bit to find the explanation again, but essentially you are opening the door to impersonation if you don't add some extra checks (and at that point you can just as well let the user link the accounts).
👍 1

melodic-easter-54717

11/30/2021, 7:27 AM
That would be great, since I'm looking for an explanation that is convincing enough for not having the feature. So far what I have is that enabling it would compromise the Kratos identity if any of the accounts at the configured providers got compromised. That alone may not be enough to convince anyone not to have it, given that it's being used in the wild.
An explanation helps in the decision making process for everyone involved (some non-tech). So this will be very appreciated if there exists one.

magnificent-energy-493

11/30/2021, 1:06 PM
• assume you have signed up using david@company.org to myapp.com
• I, the hacker, know this
• I create a Google account with email david@company.org and sign in
• now I am in your account
This was the earlier explanation I found.

melodic-easter-54717

11/30/2021, 1:11 PM
How do you do the 3rd step?
Won't that require that you own the company.org domain?

magnificent-energy-493

11/30/2021, 1:36 PM
I guess that depends on the email provider and how company.org is handling it 🤔 It also depends on whether the social login provider requires verified emails and so on. If you want to make a general/sweeping assumption, it is unsafe, but for individual cases it might not be.