
(Un-)linking and updating credentials and their identifiers #121

Closed
aeneasr opened this issue Nov 10, 2019 · 2 comments
Assignees
Labels
package/selfservice Affects selfservice components

Comments


aeneasr commented Nov 10, 2019

Is your feature request related to a problem? Please describe.

At some point in the lifecycle of an identity, credentials might be added, removed, or updated:

  • A user wants to link, in addition to the current "sign in with google", his/her github account for use of login.
  • A user wants to link, in addition to password method, his/her github account for use of login.
  • A user wants to unlink his/her github account
  • A user wants to add a passwordless (email code, sms code, magic link) login
  • A user wants to update the email address used for login (with password or passwordless)
  • A user wants to update the password used for login

Describe the solution you'd like

All of these flows require user presence. This means that the user must have completed an authentication process within a reasonably short period of time (e.g. 5 minutes) prior to performing this flow. This could be solved in kratos internally by using the "AuthenticatedAt" field from the session.

Describe alternatives you've considered

Auth0 has a guide on user account linking: https://auth0.com/docs/link-accounts

Additional context

We need to respect #119


aeneasr commented Nov 11, 2019

One approach taken by Google Account when updating credentials is to:

  1. Redirect the UA to a URL like /updatepassword
  2. The server at /updatepassword checks if a verifier is set (rapt):
  3. If no rapt is set, the user is redirected to the login ui with a challenge rart (continue 3)
  4. If rapt is set and can be verified (user from session equals user from rapt, request is not expired, contains maybe a signed variant of rapt?), the ui is shown. If the rapt cannot be verified, a new challenge rart is computed (using info from the authenticated session) and the user is redirected to the login url.

If the user is not authenticated at all, calling /updatepassword will show a screen with a "login button". I think we could redirect to login and compute a rart with an empty subject?


In conclusion, this approach is much safer than what Auth0 is doing, as they do not require proof of authentication before updating/changing
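The two comments above describe one gate: a privileged self-service flow proceeds only if the session's `AuthenticatedAt` is recent enough (first comment), and otherwise the user is sent to the login UI with a challenge whose returned proof must be bound to the same subject and still unexpired (second comment). The Go below is an added illustration written for this page, not kratos code; the `Session` struct, the `Challenger` type, the HMAC-signed challenge format, the `MaxAuthAge`/`ChallengeTTL` values and the `GatePrivilegedFlow` function are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
	"strings"
	"time"
)

// Session is a stand-in for the example; it carries only the fields the
// comments rely on and is not kratos' own session type.
type Session struct {
	SubjectID       string
	AuthenticatedAt time.Time
}

const (
	MaxAuthAge   = 5 * time.Minute  // assumed: how recent the last authentication must be
	ChallengeTTL = 10 * time.Minute // assumed: lifetime of a re-authentication challenge
)

// IsFresh reports whether the session proves user presence within maxAge of now.
// A missing session, a zero AuthenticatedAt or a timestamp in the future never counts.
func IsFresh(s *Session, now time.Time, maxAge time.Duration) bool {
	if s == nil || s.AuthenticatedAt.IsZero() {
		return false
	}
	age := now.Sub(s.AuthenticatedAt)
	return age >= 0 && age <= maxAge
}

// Challenger issues and verifies HMAC-SHA256 signed challenges, playing the
// role the comment gives to rart/rapt. Payload layout: nonce|expiry|subject.
type Challenger struct{ Key []byte }

// Issue creates a challenge bound to subject (empty when no session exists).
func (c Challenger) Issue(subject string, now time.Time, ttl time.Duration) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	payload := []byte(enc.EncodeToString(nonce) + "|" + strconv.FormatInt(now.Add(ttl).Unix(), 10) + "|" + subject)
	mac := hmac.New(sha256.New, c.Key)
	mac.Write(payload)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// Verify checks, in order: signature, expiry, and that the challenge was
// issued for the subject of the current session (the "user from session
// equals user from rapt" check in the comment).
func (c Challenger) Verify(token, sessionSubject string, now time.Time) error {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return errors.New("malformed challenge")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return err
	}
	tag, err := enc.DecodeString(parts[1])
	if err != nil {
		return err
	}
	mac := hmac.New(sha256.New, c.Key)
	mac.Write(payload)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return errors.New("bad signature")
	}
	fields := strings.SplitN(string(payload), "|", 3) // subject may itself contain '|'
	if len(fields) != 3 {
		return errors.New("malformed payload")
	}
	exp, err := strconv.ParseInt(fields[1], 10, 64)
	if err != nil || now.Unix() > exp {
		return errors.New("challenge expired")
	}
	if fields[2] != sessionSubject {
		return errors.New("challenge subject does not match session")
	}
	return nil
}

// Outcome tells the handler of a privileged flow (e.g. /updatepassword) what to do.
type Outcome struct {
	ShowUI    bool   // presence proven: render the credential-update form
	Challenge string // otherwise: redirect to the login UI carrying this challenge
}

// GatePrivilegedFlow is the decision procedure from the second comment.
func GatePrivilegedFlow(c Challenger, s *Session, token string, now time.Time) (Outcome, error) {
	if s == nil { // not authenticated at all: challenge with an empty subject
		ch, err := c.Issue("", now, ChallengeTTL)
		return Outcome{Challenge: ch}, err
	}
	if IsFresh(s, now, MaxAuthAge) { // recent AuthenticatedAt is proof enough
		return Outcome{ShowUI: true}, nil
	}
	if token != "" && c.Verify(token, s.SubjectID, now) == nil {
		return Outcome{ShowUI: true}, nil // stale session, but a valid proof for this user
	}
	ch, err := c.Issue(s.SubjectID, now, ChallengeTTL) // recompute from the authenticated session
	return Outcome{Challenge: ch}, err
}
```

Because `Verify` compares the challenge's subject against the session's subject, a challenge issued to an unauthenticated user (empty subject) can never stand in as proof for a later session, and a proof captured from one account cannot unlock credential changes on another.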

@aeneasr aeneasr self-assigned this Nov 11, 2019
@aeneasr aeneasr added this to the v0.0.1 milestone Nov 11, 2019
@aeneasr aeneasr added security package/selfservice Affects selfservice components labels Nov 11, 2019
@aeneasr aeneasr modified the milestones: v0.2.0-alpha.1, v0.2.1-alpha.1 May 2, 2020

aeneasr commented May 5, 2020

This is already implemented except for OIDC which is tracked as #32

@aeneasr aeneasr closed this as completed May 5, 2020