Notify User of Important Events #4382

Open
3 of 11 tasks
james-d-elliott opened this issue Nov 15, 2022 · 5 comments
Labels
priority/4/normal Normal priority items status/needs-design Requires thoughtful design type/feature Request for adding a new feature
Milestone

Comments

@james-d-elliott
Member

james-d-elliott commented Nov 15, 2022

Description

Email users when important events occur. This will require the following:

  1. A new email template specific for events.

Use Case

Examples:

  • 2FA credential added.
  • 2FA credential removed.
  • Suspicious Activity:
    • WebAuthn Clone Detection.
  • Failed 2FA.
  • Failed login.
    • This will require some gatekeeping to prevent email spam.
    • Will likely be a future endeavor.
  • Login from new IP.
    • Requires logging which remote IPs users have logged in from.
    • Will likely be a future endeavor.
  • Login from new device.
    • Requires storing an opaque cryptographically secure value in localStorage.
    • Will likely be a future endeavor.
  • Consent Grant Notifications (OpenID Connect 1.0 / SAML 2.0).
    • Will likely be a future endeavor.
    • Skip implicit consent?
    • Allow users to opt in.
  • Allow users to enable/disable particular notifications.
    • Will likely be a future endeavor.

Details

No response

Documentation

No response

@james-d-elliott james-d-elliott added priority/4/normal Normal priority items type/feature Request for adding a new feature status/needs-design Requires thoughtful design labels Nov 15, 2022
@james-d-elliott james-d-elliott added this to the v4.38.0 milestone Nov 15, 2022
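
A sketch of how two items from the list above could fit together, added here as an example and not part of the issue or of Authelia's code: WebAuthn clone detection as the signature-counter comparison from the WebAuthn specification, and the failed-login "gatekeeping" as a per-user, per-event cooldown. The function names, the 15-minute cooldown and the subject text are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Added example: every name here is hypothetical, not taken from Authelia.

// CloneSuspected applies the WebAuthn signature-counter rule: if either
// counter is non-zero, the asserted value must be greater than the stored one.
func CloneSuspected(stored, asserted uint32) bool {
	if stored == 0 && asserted == 0 {
		return false // authenticator does not implement a counter
	}
	return asserted <= stored
}

// Gate suppresses repeat emails for one user and event inside a cooldown, so
// that failed-login notices cannot be turned into a way to flood a mailbox.
type Gate struct {
	cooldown time.Duration
	last     map[[2]string]time.Time
}

func NewGate(cooldown time.Duration) *Gate {
	return &Gate{cooldown: cooldown, last: map[[2]string]time.Time{}}
}

// Notify returns the subject line to email, or "" when the gate suppresses it.
func (g *Gate) Notify(user, event string, now time.Time) string {
	key := [2]string{user, event}
	if t, ok := g.last[key]; ok && now.Sub(t) < g.cooldown {
		return ""
	}
	g.last[key] = now
	return fmt.Sprintf("Security notice for %s: %s", user, event)
}

func main() {
	g := NewGate(15 * time.Minute)
	t0 := time.Date(2022, 11, 15, 9, 0, 0, 0, time.UTC) // constructed sample time
	for i := 0; i < 3; i++ {                             // failed logins one minute apart
		fmt.Printf("%q\n", g.Notify("john", "failed login", t0.Add(time.Duration(i)*time.Minute)))
	}
	if CloneSuspected(41, 41) { // constructed counters: the stored value was replayed
		fmt.Printf("%q\n", g.Notify("john", "possible WebAuthn clone", t0))
	}
}
```

The cooldown is keyed on user and event together, so a burst of failed logins does not suppress a clone warning for the same account.
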
@smkent
Contributor

smkent commented Nov 15, 2022

I'd also be interested in email notifications on OpenID Connect consent authorization.

Making notifications configurable might also be nice but could certainly be a future goal.

@james-d-elliott
Member Author

Yeah I've added this to the list. Think it's an opt-in and we can add it later like the rest.

@nightah
Member

nightah commented Nov 15, 2022

The opt-in nature kind of goes against the principle of security through notification.

What are your thoughts around how the opt-in would work?

I think long term if a user can see all their OIDC linked apps/consents then opt-in would make sense though.

@archef2000
Contributor

archef2000 commented Mar 11, 2024

Is there any help needed for this last issue for v4.38.0?

@james-d-elliott
Member Author

No, the meat of this has been done; we'll defer the remaining parts for 4.39.0. We're just waiting for toolchain-related elements (Go wasn't up to date in Alpine until today). Once we've confirmed all tooling is building with Go 1.22.1 we're going to release.


4 participants