Map multiple authentication methods to same user | Voters

Wiki.js

Create

Home

Wiki.js

Map multiple authentication methods to same user

in progress

A. D.

Allow a Wiki.js user to log in through multiple authentication methods, grouping by email

February 21, 2021

Nicolas Giard

marked this post as

in progress

Nathan Green

I think this is already in the roadmap for 3.x, at "Account Linking" (https://docs.requarks.io/releases/roadmap#h-3x)

David Dearden

Just a note: I recently debated this exact feature with a team for a project I'm working on. In general we loved the idea, but it left a bit of a vulnerability. Say I have an account with 2FA that I use to sign in, but I also have an account with another identity provider that has no 2FA and a weak password, but the same email (maybe it was created for some testing or something). Then, if someone broke my weak account, they could access the sign-in with the less secure identity provider account. We settled on allowing the user to manually link the other identity providers to their account, but not doing it automatically when they try to sign in. That way it is up to the user to intentionally link it, and there are no surprise access loopholes.

tl;dr: great idea, don't link the account automatically

Rick Spencer

@David Dearden: Why not allow the user to determine their access levels (permissions) as a next step. This way security policies follow auth providers and auth discrepancies can be mitigated if the user elects to do so.