[keycloak-dev] Associate social account with IDM user

Stian Thorgersen stian at redhat.com
Tue Aug 13 11:43:49 EDT 2013 


----- Original Message -----
> From: "Matt Wringe" <mwringe at redhat.com>
> To: "Marek Posolda" <mposolda at redhat.com>
> Cc: "Stian Thorgersen" <stian at redhat.com>, keycloak-dev at lists.jboss.org
> Sent: Tuesday, 13 August, 2013 4:38:20 PM
> Subject: Re: [keycloak-dev] Associate social account with IDM user
> 
> On 13/08/13 11:18 AM, Marek Posolda wrote:
> > On 13.8.2013 16:56, Matt Wringe wrote:
> >> On 13/08/13 07:43 AM, Marek Posolda wrote:
> >>> Hi,
> >>>
> >>> Here is Marek Posolda from GateIn/JPP software engineering :-)
> >>>
> >>> Picketlink IDM is quite flexible and I think that there are more
> >>> possibilities how to map it. What I am thinking about could be:
> >>>
> >>> 1) Map the attributes related to all social providers directly as part
> >>> of User itself. UserAdapter object (and also user representation in
> >>> Picketlink) has support for dynamic attributes via method
> >>> setAttribute/getAttribute . So it should be possible to use attributes
> >>> with any name and just prefix them for given social network (For
> >>> example: attribute "social.facebook.username" could be used for saving
> >>> of Facebook username, attribute "social.google.username" for saving of
> >>> google username or email)
> >>
> >> You should also probably consider that people can have multiple
> >> accounts for each type. I don't have just one google account, I have
> >> 3 (and 2 of them don't end in .google.com).
> > The question is if keycloak should support the scenario (Single user
> > account mapped to more social accounts of same provider). I don't
> > think it's common setup. Anyway, option 2 (Realm adapter) should
> > easily handle this and is probably better.
> >>
> >> Its also common for people to use the same email address for multiple
> >> social accounts. It may be neat to automatically ask the user to link
> >> accounts if we notice they have logged in using one social network
> >> and we already have a user with the same email address registered
> >> (and of course perform the required security checks before doing the
> >> account merge).
> > yeah. The thing is that properly supporting this is not so easy as you
> > really need to perform additional security checks. In case that email
> > address is not verified by social provider, we have a security hole.
> 
> See "and of course perform the required security checks before doing the
> account merge" in my original message. It would just be a reminder to
> the user that they may already have an account on keycloak and they can
> merge the accounts if they want. They would of course have to authorize
> it by also logging into the existing account.

I somehow managed to miss that ;)

> 
> > So it's not sufficient to simply rely on the email address IMO. And
> > additionally some social providers (I am aware at least of Twitter)
> > don't share email address. So it needs to be wired differently in this
> > case,
> >
> > The use-case with link social account of user, who is already
> > registered and logged in keycloak, seems to be much easier and it also
> > allows that same user can have more registered social providers with
> > same email address.
> >
> > Marek
> >>
> >>
> >>>
> >>> 2) Create another Relationship adapter object and store the
> >>> informations
> >>> as relationship between User and Social provider. Picketlink supports
> >>> attributes to be part of any Relationship, so it should be possible to
> >>> achieve this.
> >>>
> >>> Another thing is, how to wire some social provider with existing User
> >>> accounts in UI. Actually the Social links are available just on
> >>> registration page, which is for anonymous user.
> >>>
> >>> Marek
> >>>
> >>> On 13.8.2013 12:43, Stian Thorgersen wrote:
> >>>> We need to be able to associate multiple social providers with an
> >>>> IDM user. At the moment this is not based on the username of the
> >>>> account (for example google.23897892sdf). This has to main drawbacks:
> >>>>
> >>>> * Horrible username
> >>>> * Can only associate a single social account with an IDM user
> >>>>
> >>>> What is the best way to store this information? We mainly need to
> >>>> store what social providers a user has linked and the social
> >>>> userid. In the future we may also want to associate access tokens
> >>>> as well. We also need to lookup a user based on the social provider
> >>>> + social userid.
> >>>> _______________________________________________
> >>>> keycloak-dev mailing list
> >>>> keycloak-dev at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >
> 
>

More information about the keycloak-dev mailing list