-
Notifications
You must be signed in to change notification settings - Fork 110
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement email confirmation when USERNAME_IS_EMAIL=true #138
Comments
Hi, I'm afraid but your request seems to be out-of-scope for that project and has been targeted at https://keratin.github.io/authn-server/#/guide-restrict_signups_by_domain and #124 (comment) as well as #70 (comment). @cainlevy please correct me if I'm wrong. Otherwise maybe a dedicated write-up on keratin.github.io can be used to clarify on that? |
Ok, my bad I've overseen the discussion on #137 . Though I also believe that setting and maintaining SMTP / email verification in AuthN itself will dramatically increase complexity as people will then ask for a customizable implementation (custom email server, various authentication flows, ...). As @martinreus mentioned in the last comment, linking those accounts while being logged in may be enough so I'd advise not going down the road of SMTP handling and Mail templating. If E-Mail verification from AuthN is still important I would rather add a new webhook to trigger and a private endpoint to confirm a mail address. This way the host application is still responsible of actually sending those verification message. Something like this may also be interesting for the discussions on #112 or #120 |
@ppacher thanks for the feedback! Yeah, definitely I would also say don't implement email and SMTP stuff in Authn. We can have a new webhook and let the host application handle sending this verification email. |
The primary challenge I see on this feature is the question of product requirements. I've tried to scope AuthN so that it only implements clear patterns, but I've seen too many patterns for email handling to know if there's a clear answer. For example:
Then there's the question of what an unconfirmed account is authorized to do. Can they do some less critical things, or are they blocked from proceeding until they finish? A more hands-off implementation might instead implement a single |
Interesting patterns, especially when having more than one e-mail (I guess I've never seen this elsewhere?). When USERNAME_IS_EMAIL=true we have only one e-mail registered for an account in Authn, right? Is the multiple mail per account scenario also implemented in Authn?
I was imagining something like this ( sorry for the bad diagram 😅 ) I wrote "logged in?" with a question mark because I'm not sure if the user should be already logged in with an unconfirmed account (I believe we could let him already be logged in even in an unconfirmed state) |
I'm not sure but IMHO the multi-mail scenario is not yet covered by authn. I'm also pro If the verification endpoint is actually part of authn we would also need to think about how to redirect the user to the main application. The simplest way would be to specify that redirect target via an env variable and use a 301 Moved Permanently. However, if that target can depend on some other factor that the main app chooses (e.g. based on some invitation code) we may need to include that into the verification link (like |
Cool, I think this eases up implementations.
👍 here As per the redirect, we could use the existing APP_DOMAINS for letting them redirect to only known domains.. |
Honestly I'm not ready for implementation details yet. Some combination of tokens and redirects should work, and there's precedent for both in existing AuthN features. However, AuthN is currently not the source of truth for contact information or authorization data. It's difficult to imagine adding email verification to the project scope because it's difficult to find a perspective that does not include adding one or both of those new responsibilities, each of which come with new and competing features. When I mentioned the scenarios earlier, my point was that applications may vary on:
Given that the right way to implement email verification depends on decisions that AuthN has not made, and given that the usual motivations for email verification are related to out of scope features, I'm not yet sure that it's a good fit. Perhaps we need to go back to a problem statement. Currently the only issue related to AuthN's existing project scope is:
Maybe (maybe) the way to solve this is not with a full email verification feature, but a requirement that the host app can define what "confirmed" means and inform AuthN when it happens to be true. I say maybe because I'd really hope to discover more value from a "confirmed" boolean before adding it to the API. Currently the motivation is an edge case with a viable workaround. |
I agree that letting authz functionality bleed into authn would be the wrong move. Would it work to configure an endpoint in the app that authn can call to see if a user has sufficiently proven ownership of the account to allow this move @cainlevy ? This would keep control of the rules with applications (eg apps that handle protected data may want to enact stricter verification measures). If no endpoint is configured it could fall back to existing behavior although if this is going to be an officially supported mechanism I'd lean towards requiring use of this endpoint for anyone wanting to allow binding an oauth login to an existing username/password account. |
Can you say more about when AuthN would call the endpoint?
I'd also love to hear more thoughts on this. Maybe the question is whether, in the scenario where someone has an "unproven" AuthN account, we think it's more likely the true email owner has secured the identity provider account (e.g. Google, Microsoft) or the AuthN account. |
I guess it would call the app somewhere around here with the I thought about that second point as well but I guess I tend to favor the identity provider as the source of truth. If an attacker has taken over the identity provider account and its used as the username/email for the authn account, they can pretty trivially reset the password if the authn-serviced app is their target and supports password resets. This raises the question of what to do if MFA is enabled on the account though too I suppose. I wonder if all roads are gonna lead back to a way to better message the cause of failure and steer users into a flow that lets them authenticate the existing account before binding it to the provider. |
When signing up for an account, especially when USERNAME_IS_EMAIL is set to true, it would be nice to have an email confirmation flow, to prevent malicious "account injection". Implementation could be similar to how other platforms approach this, namely:
The text was updated successfully, but these errors were encountered: