Open
Add IdP policy to never trust email, and perform inline email verification on link
Description
When you link by email in any fashion, you must trust the IdP. There are use cases where you may not trust the IdP, or the IdP is too flexible in the configuration to even know for sure if a user is verified.
Solution
Add a new policy to an IdP to indicate you want FusionAuth to perform an inline email verification before completing the link. This means you do not need to trust the IdP and FusionAuth can enforce email verification regardless of what the IdP does.
This would make FusionAuth more helpful in preventing account takeover attacks that originate from third-party IdPs.
Proposed workflow
- IdP named "super sketch" is configured to link by email
- Really smart FusionAuth admin checks the box "force email verification because I do not trust this IdP"
- User clicks "Login with super sketch"
- User is redirected and logs in to "super sketch"
- User is redirected back to FusionAuth
- FusionAuth does not yet have a link for this user.
- FusionAuth does not trust "super sketch" and forces the user to verify the email address returned by the IdP
- User completes email verification
- FusionAuth completes the link and logs the user in via "super sketch"
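The workflow above as a small policy model, written as an added example for this issue rather than FusionAuth's own code: the hypothetical trust_email flag stands in for the "force email verification" checkbox, the link is held until a one-time code is confirmed, and an IdP that returns email_verified as false is rejected outright, as the related issue proposes.

```python
import secrets
from dataclasses import dataclass
from enum import Enum

class LinkDecision(Enum):
    LINK = "link"                  # IdP trusted: complete the link immediately
    VERIFY_EMAIL = "verify_email"  # IdP not trusted: hold the link until inline verification
    REJECT = "reject"              # IdP says the email is unverified, or no usable email

@dataclass
class IdpPolicy:
    name: str
    link_by_email: bool = True
    trust_email: bool = True  # hypothetical flag; False = "force email verification" box ticked

def decide_link(policy: IdpPolicy, claims: dict) -> LinkDecision:
    """Apply the per-IdP policy to the claims returned on the redirect back to FusionAuth."""
    email = claims.get("email")
    if not policy.link_by_email or not email:
        return LinkDecision.REJECT
    if claims.get("email_verified") is False:  # present and false: reject (related #2423)
        return LinkDecision.REJECT
    if not policy.trust_email:
        return LinkDecision.VERIFY_EMAIL
    return LinkDecision.LINK

class LinkBroker:
    def __init__(self) -> None:
        self.links: set[tuple[str, str]] = set()       # (idp name, email) pairs linked
        self.pending: dict[str, tuple[str, str]] = {}  # email -> (idp name, one-time code)

    def idp_callback(self, policy: IdpPolicy, claims: dict) -> LinkDecision:
        decision = decide_link(policy, claims)
        if decision is LinkDecision.LINK:
            self.links.add((policy.name, claims["email"]))
        elif decision is LinkDecision.VERIFY_EMAIL:
            # Code would be emailed to the IdP-supplied address; delivery is not modelled.
            self.pending[claims["email"]] = (policy.name, secrets.token_urlsafe(16))
        return decision

    def complete_verification(self, email: str, code: str) -> bool:
        # Finish a held link only when the user proves control of the mailbox; codes are single-use.
        held = self.pending.get(email)
        if held is None or not secrets.compare_digest(held[1], code):
            return False
        del self.pending[email]
        self.links.add((held[0], email))
        return True

    def is_linked(self, idp: str, email: str) -> bool:
        return (idp, email) in self.links
```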
Related
- Add additional linking strategy for email and username to link only if user does not yet exist #2424
- Add new default behavior to reject a link in an OIDC IdP if email_verified is present and is false #2423
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.