[keycloak-dev] Associate social account with IDM user

Stian Thorgersen stian at redhat.com
Tue Aug 13 11:25:14 EDT 2013



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Matt Wringe" <mwringe at redhat.com>
> Cc: "Stian Thorgersen" <stian at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Tuesday, 13 August, 2013 4:18:39 PM
> Subject: Re: [keycloak-dev] Associate social account with IDM user
> 
> On 13.8.2013 16:56, Matt Wringe wrote:
> > On 13/08/13 07:43 AM, Marek Posolda wrote:
> >> Hi,
> >>
> >> Here is Marek Posolda from GateIn/JPP software engineering :-)
> >>
> >> Picketlink IDM is quite flexible and I think that there are more
> >> possibilities how to map it. What I am thinking about could be:
> >>
> >> 1) Map the attributes related to all social providers directly as part
> >> of User itself. UserAdapter object (and also user representation in
> >> Picketlink) has support for dynamic attributes via method
> >> setAttribute/getAttribute . So it should be possible to use attributes
> >> with any name and just prefix them for given social network (For
> >> example: attribute "social.facebook.username" could be used for saving
> >> of Facebook username, attribute "social.google.username" for saving of
> >> google username or email)
> >
> > You should also probably consider that people can have multiple
> > accounts for each type. I don't have just one google account, I have 3
> > (and 2 of them don't end in .google.com).
> The question is if keycloak should support the scenario (Single user
> account mapped to more social accounts of same provider). I don't think
> it's common setup. Anyway, option 2 (Realm adapter) should easily handle
> this and is probably better.
> >
> > It's also common for people to use the same email address for multiple
> > social accounts. It may be neat to automatically ask the user to link
> > accounts if we notice they have logged in using one social network and
> > we already have a user with the same email address registered (and of
> > course perform the required security checks before doing the account
> > merge).
> yeah. The thing is that properly supporting this is not so easy as you
> really need to perform additional security checks. In case that email
> address is not verified by social provider, we have a security hole. So
> it's not sufficient to simply rely on the email address IMO. And
> additionally some social providers (I am aware at least of Twitter)
> don't share email address. So it needs to be wired differently in this case.
> 
> The use case of linking a social account to a user who is already registered
> and logged in to keycloak seems to be much easier, and it also allows the
> same user to have more registered social providers with the same email address.

I think it's definitely a requirement that a user is logged in (or logs in) to an existing account to be able to link additional social accounts with it.

> 
> Marek
> >
> >
> >>
> >> 2) Create another Relationship adapter object and store the information
> >> as a relationship between User and Social provider. Picketlink supports
> >> attributes to be part of any Relationship, so it should be possible to
> >> achieve this.
> >>
> >> Another thing is how to wire some social provider with existing User
> >> accounts in the UI. Actually the Social links are available just on the
> >> registration page, which is for anonymous users.
> >>
> >> Marek
> >>
> >> On 13.8.2013 12:43, Stian Thorgersen wrote:
> >>> We need to be able to associate multiple social providers with an
> >>> IDM user. At the moment this is based on the username of the
> >>> account (for example google.23897892sdf). This has two main drawbacks:
> >>>
> >>> * Horrible username
> >>> * Can only associate a single social account with an IDM user
> >>>
> >>> What is the best way to store this information? We mainly need to
> >>> store what social providers a user has linked and the social userid.
> >>> In the future we may also want to associate access tokens as well.
> >>> We also need to look up a user based on the social provider + social
> >>> userid.
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> 
> 
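As an added example (constructed for this page, not Keycloak's or PicketLink's own code), a minimal in-memory model of the relationship-style store discussed above, keyed by provider plus social user id, that enforces the two rules the thread settles on: linking only while the user is logged in, and never merging on an email match unless the provider vouches for the address. The `SocialLinker` and `SocialIdentity` names and all method names are assumptions.

```java
import java.util.*;

// Constructed illustration, not Keycloak or PicketLink code: an in-memory model of the
// "relationship" option from the thread, keyed by provider + social user id, enforcing
// the two rules discussed (link only while logged in; email match alone is never enough).
public class SocialLinker {
    // Identity reported by a provider after login; hypothetical type for this example.
    public record SocialIdentity(String provider, String socialUserId, String email, boolean emailVerified) {}
    private final Map<String, String> usersByEmail = new HashMap<>();     // email -> username
    private final Map<String, String> linkOwner = new HashMap<>();        // "provider:id" -> username
    private final Map<String, Set<String>> linksByUser = new HashMap<>(); // username -> {"provider:id"}

    private static String key(SocialIdentity id) { return id.provider() + ":" + id.socialUserId(); }

    public void addUser(String username, String email) { usersByEmail.put(email, username); }

    // Rule 1: only the currently authenticated user may attach a further social account to
    // their own record. Several links per user, even from the same provider, are allowed.
    public void link(String authenticatedUser, SocialIdentity id) {
        if (authenticatedUser == null) throw new IllegalStateException("must be logged in to link");
        String owner = linkOwner.putIfAbsent(key(id), authenticatedUser);
        if (owner != null && !owner.equals(authenticatedUser))
            throw new IllegalStateException("social account already linked to another user");
        linksByUser.computeIfAbsent(authenticatedUser, k -> new HashSet<>()).add(key(id));
    }

    // Lookup by provider + social user id, the query the thread asks for; no email involved.
    public Optional<String> findByLink(SocialIdentity id) {
        return Optional.ofNullable(linkOwner.get(key(id)));
    }

    // Rule 2: on an unlinked social login, an email match may only *propose* a merge, and only
    // when the provider vouches for the address. Providers that share no email (the thread
    // names Twitter) propose nothing; the merge itself still goes through link() afterwards.
    public Optional<String> proposeMergeByEmail(SocialIdentity id) {
        if (id.email() == null || !id.emailVerified()) return Optional.empty();
        return Optional.ofNullable(usersByEmail.get(id.email()));
    }

    public Set<String> linksOf(String username) { return linksByUser.getOrDefault(username, Set.of()); }

    public static void main(String[] args) {
        SocialLinker store = new SocialLinker();
        store.addUser("alice", "alice@example.com");                         // constructed sample user
        SocialIdentity g = new SocialIdentity("google", "23897892sdf", "alice@example.com", false);
        System.out.println(store.proposeMergeByEmail(g)); // email unverified, so no merge is proposed
        store.link("alice", g);                           // alice is logged in, so linking is allowed
        System.out.println(store.findByLink(g) + " " + store.linksOf("alice"));
    }
}
```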