Validating only allowed domains with Google as IdP


lee.h...@gmail.com

Apr 30, 2021, 9:32:53 AM
to Keycloak User
My company uses Google as an identity provider for our @ourcorp.com email accounts, and using the "hosted domain" filter has served us fine, until now. Suddenly we need to allow 3rd parties to use their own company email address to use our thing (they also use Google as IdP) and we became aware that the `hd` parameter to Google is less than "secure".

The Hosted Domain textbox has a hint that reads:

Set 'hd' query parameter when logging in with Google. Google will list accounts only for this domain. Keycloak validates that the returned identity token has a claim for this domain. When '*' is entered, any hosted account can be used.

This sounds great, however when checking Google's docs for the `hd` parameter it says this:

Don't rely on this UI optimization to control who can access your app, as client-side requests can be modified. Be sure to validate that the returned ID token has an hd claim value that matches what you expect (e.g. mycolledge.edu). Unlike the request parameter, the ID token hd claim is contained within a security token from Google, so the value can be trusted.

I'm asking then, how can one modify the "First Broker Login", or any other similar authorization matrix/flow to ensure that the returned, federated identity token meets some specification.

Note, because I'm using the Google provider for our own IdP, the partner company is added as a regular OpenID Connect v1.0, and I'd like to replicate whatever the Google provider is doing in our flow by hand, and understand in general how to use Authentication Executors to extract and validate claims from the 3rd party tokens.

Thanks so much!

Kind regards,

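The rule the Google docs quoted above describe, written out as an added example (not code from the thread or from Keycloak): the hosted-domain check runs on the claims of the already signature-verified ID token, never on the `hd` request parameter. The allowlist, the claim values and the extra `email`/`email_verified` consistency check are my own assumptions for illustration.

```python
# Added example, not Keycloak code. Assumes the caller has already verified the
# ID token's signature, issuer, audience and expiry with its OIDC library.
ALLOWED_HD = {"ourcorp.com", "partner.example"}   # constructed allowlist


class HostedDomainError(Exception):
    pass


def validate_hosted_domain(claims: dict, allowed: set) -> str:
    """Return the accepted hosted domain or raise HostedDomainError.

    Mirrors the Keycloak hint quoted in the thread:
      - the token must carry an `hd` claim (consumer accounts have none);
      - "*" in `allowed` accepts any hosted domain, otherwise `hd` must be an
        exact (case-insensitive) member of the allowlist;
      - extra check: an `email` claim, if present, must be verified and must
        belong to the same domain as `hd`.
    """
    hd = claims.get("hd")
    if not isinstance(hd, str) or not hd:
        raise HostedDomainError("no hd claim: not a hosted (Workspace) account")
    hd = hd.lower()
    if "*" not in allowed and hd not in {d.lower() for d in allowed}:
        raise HostedDomainError("hosted domain %r is not allowed" % hd)
    email = claims.get("email")
    if email is not None:
        if claims.get("email_verified") is not True:
            raise HostedDomainError("email claim present but not verified")
        if email.rpartition("@")[2].lower() != hd:
            raise HostedDomainError("email domain does not match hd claim")
    return hd


# Constructed sample claims, as they look after signature verification.
OK_CLAIMS = {"iss": "https://accounts.google.com", "sub": "1", "hd": "ourcorp.com",
             "email": "lee@ourcorp.com", "email_verified": True}
CONSUMER_CLAIMS = {"iss": "https://accounts.google.com", "sub": "2",
                   "email": "someone@gmail.com", "email_verified": True}
FOREIGN_CLAIMS = {"iss": "https://accounts.google.com", "sub": "3",
                  "hd": "other.example", "email": "x@other.example",
                  "email_verified": True}


def check(claims: dict, allowed=ALLOWED_HD):
    """Return the accepted domain, or None when the login must be rejected."""
    try:
        return validate_hosted_domain(claims, allowed)
    except HostedDomainError:
        return None
```

The same predicate is what a custom authenticator in the first-broker-login flow would apply to the brokered ID token claims for a generic OpenID Connect provider.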
Thomas Darimont

Apr 30, 2021, 11:06:30 AM
to lee.h...@gmail.com, Keycloak User
Hello Lee,

I think the Google IdentityProvider implementation already checks that the hd claim in the returned id token matches the one from the provider configuration:

Cheers,
Thomas

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/f7a51ce6-58cd-4b19-9ad6-eb0989d175een%40googlegroups.com.

Lee Hambley

Apr 30, 2021, 1:24:07 PM
to Thomas Darimont, Keycloak User
Hi Thomas,

Thanks for kindly taking the time to dig out the code, indeed it's great to see how simple the enforcement is on the custom Google implementation.

Could you refer me to some docs on how to configure the same in the authorization flows for a regular OpenID Connect v1.0 flow, such as we are forced to use with our new partner?

Sincerely,

