[keycloak-dev] Associate social account with IDM user

Marek Posolda mposolda at redhat.com
Tue Aug 13 11:55:16 EDT 2013 

On 13.8.2013 17:38, Matt Wringe wrote:
> On 13/08/13 11:18 AM, Marek Posolda wrote:
>> On 13.8.2013 16:56, Matt Wringe wrote:
>>> On 13/08/13 07:43 AM, Marek Posolda wrote:
>>>> Hi,
>>>>
>>>> Here is Marek Posolda from GateIn/JPP software engineering :-)
>>>>
>>>> Picketlink IDM is quite flexible and I think that there are more
>>>> possibilities how to map it. What I am thinking about could be:
>>>>
>>>> 1) Map the attributes related to all social providers directly as part
>>>> of User itself. UserAdapter object (and also user representation in
>>>> Picketlink) has support for dynamic attributes via method
>>>> setAttribute/getAttribute . So it should be possible to use attributes
>>>> with any name and just prefix them for given social network (For
>>>> example: attribute "social.facebook.username" could be used for saving
>>>> of Facebook username, attribute "social.google.username" for saving of
>>>> google username or email)
>>>
>>> You should also probably consider that people can have multiple 
>>> accounts for each type. I don't have just one google account, I have 
>>> 3 (and 2 of them don't end in .google.com).
>> The question is if keycloak should support the scenario (Single user 
>> account mapped to more social accounts of same provider). I don't 
>> think it's common setup. Anyway, option 2 (Realm adapter) should 
>> easily handle this and is probably better.
>>>
>>> Its also common for people to use the same email address for 
>>> multiple social accounts. It may be neat to automatically ask the 
>>> user to link accounts if we notice they have logged in using one 
>>> social network and we already have a user with the same email 
>>> address registered (and of course perform the required security 
>>> checks before doing the account merge).
>> yeah. The thing is that properly supporting this is not so easy as 
>> you really need to perform additional security checks. In case that 
>> email address is not verified by social provider, we have a security 
>> hole. 
>
> See "and of course perform the required security checks before doing 
> the account merge" in my original message. It would just be a reminder 
> to the user that they may already have an account on keycloak and they 
> can merge the accounts if they want. They would of course have to 
> authorize it by also logging into the existing account.
yep, exactly. I agree that it would be nice to have this, but it's more 
tricky to support this as defacto user needs to authenticate twice and 
there are more possible states to deal with.

So the case where user is already logged in keycloak and just want to 
wire his account with existing social account is easier to support. So I 
would start with support of this IMO and add more complex case later:-)

Marek


>> So it's not sufficient to simply rely on the email address IMO. And 
>> additionally some social providers (I am aware at least of Twitter) 
>> don't share email address. So it needs to be wired differently in 
>> this case,
>>
>> The use-case with link social account of user, who is already 
>> registered and logged in keycloak, seems to be much easier and it 
>> also allows that same user can have more registered social providers 
>> with same email address.
>>
>> Marek
>>>
>>>
>>>>
>>>> 2) Create another Relationship adapter object and store the 
>>>> informations
>>>> as relationship between User and Social provider. Picketlink supports
>>>> attributes to be part of any Relationship, so it should be possible to
>>>> achieve this.
>>>>
>>>> Another thing is, how to wire some social provider with existing User
>>>> accounts in UI. Actually the Social links are available just on
>>>> registration page, which is for anonymous user.
>>>>
>>>> Marek
>>>>
>>>> On 13.8.2013 12:43, Stian Thorgersen wrote:
>>>>> We need to be able to associate multiple social providers with an 
>>>>> IDM user. At the moment this is not based on the username of the 
>>>>> account (for example google.23897892sdf). This has to main drawbacks:
>>>>>
>>>>> * Horrible username
>>>>> * Can only associate a single social account with an IDM user
>>>>>
>>>>> What is the best way to store this information? We mainly need to 
>>>>> store what social providers a user has linked and the social 
>>>>> userid. In the future we may also want to associate access tokens 
>>>>> as well. We also need to lookup a user based on the social 
>>>>> provider + social userid.
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>

More information about the keycloak-dev mailing list