OIDC Login with already registered account failing

[matthewmcneely]

Kratos Version: 0.7.6

When attempting to login via Google OIDC with an existing Kratos identity (created via 'password' flow), I see this error in the logs and the registration flow gets activated.

msg=Received successful OpenID Connect callback but user is not registered. Re-initializing registration flow now.

Relevant section of the kratos.yaml

    oidc:
      #
      config:
        providers:
          - id: google
            provider: google
            client_id: <snip>
            client_secret: <snip>
            mapper_url: file:///home/ory/oidc.google.jsonnet
            scope:
              - openid
              - profile
              - email
            requested_claims:
              id_token:
                email:
                  essential: true
                email_verified:
                  essential: true
                given_name:
                  essential: true
                family_name:
                  essential: true

The JSONNET file:

local claims = std.extVar('claims');

{
  identity: {
    traits: {
      email: claims.email,
      firstName: claims.given_name,
      lastName: claims.family_name,
      picture: claims.picture,
    },
  },
}

Anyone able to login via Google OIDC with existing identities in 0.7.6?

[matthewmcneely]

A little more background... in the code it seems that the login for OIDC providers is using the Subject (in Google's case that's a very large integer, not an email).

From selfservice/strategy/oidc/strategy_login.go

func (s *Strategy) processLogin(w http.ResponseWriter, r *http.Request, a *login.Flow, token *oauth2.Token, claims *Claims, provider Provider, container *authCodeContainer) (*registration.Flow, error) {
	i, c, err := s.d.PrivilegedIdentityPool().FindByCredentialsIdentifier(r.Context(), identity.CredentialsTypeOIDC, uid(provider.Config().ID, claims.Subject))
<snip>

The inbound Subject is that Google ID (the very large integer), not the registered email.

Reading this makes me think there's no way to OIDC login with an account that was created via the 'password' flow. Can anyone confirm?

[aeneasr]

That would be very insecure. You sign up with [email protected]. I know that, use that email to sing up at google, and take over your account. So yes, this is by design!

[matthewmcneely]

@aeneasr Thanks for your reply. I'm not sure I follow. If Bob signs up to my service with [email protected] using the password flow, he should be able to subsequently login via OIDC with that email through Google (since Google is validating control of that identity). Kratos depends on control of the email, right? If Alice was to take control of Bob's Google email, then she'd be able to recover and take control of his account through the Kratos recovery flow.

Maybe I stated my issue in a confusing way. Other services that I use allow me to login via OIDC with my Google account even though I may have initially registered using a password. I seem to recall this was the case with earlier versions of Kratos too...

[aeneasr]

You sign up with [email protected]. You do not have a Google or Twitter or whatever account. I register a google account with [email protected]. Now I am in your account.

[david972]

What do you my if Kratos redirect the user in that case on the login page with the message that this email already exist please sign-in first and link you account ?

[aeneasr]

In that case it should probably say to sign in with email / password or the linked social account?

[vinckr]

quoting #1870 (reply in thread)

That would be very insecure. You sign up with [email protected]. I know that, use that email to sing up at google, and take over your account. So yes, this is by design!

[aveeday]

That would be very insecure. You sign up with [email protected]. I know that, use that email to sing up at google, and take over your account. So yes, this is by design!

That can be insecure only if you can confirm email address [email protected] when you will register google account. But actually, you cannot. Why you think someone will register account with email they do not have access to?

If you have access to [email protected] inbox you can easily recover account via email and this risk not related to google social login. And if service support recovery via email it will be no difference in security between direct email recovery and login via google account with confirmed email.

This limitation leads to very poor UX. If user can recover account via email, why It is not possible to login in one click with google account?

Is there any way to bypass this limitation?

[vinckr]

@aveeday

You are right, if we can rely on the identity provider (in your example Google) to always confirm email addresses before they let people use it - then I think automatic account linking would be no issue.

But this is not an abstract vulnerability, it might not be an issue with Google (provided you have the right workspace settings i presume) but can is with other providers; we never know which provider implements secure measures, so we need to assume they do not always follow best practices.
See how this plays out in real life with Azure AD no less: https://www.descope.com/blog/post/noauth

Ory has security as one of our core tenets and as such it will stay hard by design to do insecure things with Ory.

Since all the source code is available and you are free to modify it, there are many ways to bypass this limitation; this could include contributions, custom code/fork; but you can also reach out to [email protected] and get your organization on a a support agreement.

[WoodyWoodsta]

@vinckr What is the appetite for making this configurable? I feel as though when we configure a social provider, we incur whatever security posture the provider has (for better or for worse). It seems odd that Ory would take a hard stance on this when there may be 100 other security flaws with other parts of the OIDC flow for said provider, outside of Ory's control.

Automatic account linking is fairly common for the reason that email addresses are mostly regarded well-owned. Without automatic account linking, the UX is actually pretty difficult to make pleasant.

[vinckr]

Hey,

Automatic account linking is fairly common for the reason that email addresses are mostly regarded well-owned.

I agree.
It would be good to have this configurable for verified email addresses.
It would have to be made clear to the developer what the risks are and default off. Can't make any promises though if this would be accepted by the devs but you could maybe start with opening a feature request with some more details around it.

[WoodyWoodsta]

Hey @vinckr. Since posting this, I've discovered that #3563 exists. This is better UX, and we'd be happy to use this as a safe compromise.

For those that don't like that particular experience, a configuration would be great.

[vinckr]

Hello @matthewmcneely @aveeday @david972

Ory Kratos now supports automatic account linking for OIDC.
Read more about the implementation in the official docs: https://www.ory.sh/docs/kratos/social-signin/link-multiple-provider-account and the PR #3563

This is merged on master and available in production in Ory Network and will be included in the next Ory Kratos release.