[keycloak-dev] Can KeyCloack be used without any passwords?

Stian Thorgersen stian at redhat.com
Fri Dec 6 04:38:48 EST 2013


Thanks for your feedback. The social integration is not complete yet, but we plan to add support for more networks and the ability to link multiple social logins with the same account soon.

Yes, when a user first logs in with a social login we create an account. It doesn't have a password set, so by default the user can only log in with the social login. The user can set a password if the user wants through the account management. Also, there's an option to require users to review their profile on first login with social login. For example, Twitter doesn't provide an email address, so if you require emails for users you can use this option to make sure all users will provide one.

Made me think that someone may want to only allow social logins and completely disable password logins. We could provide an option to enable this, which would mean that on the login form only the social logins would be shown, and in the account management the reset password option wouldn't be displayed. Is that something you're interested in?

With regards to LDAP/AD we haven't decided exactly how that'll work, but the current thinking is that we'll sync users to/from an LDAP/AD server into the Keycloak store. This will be fully automated and run in the background to provide a more or less consistent view between LDAP/AD and Keycloak.

----- Original Message -----
> From: "Matt Casperson" <mcaspers at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Friday, 6 December, 2013 1:50:42 AM
> Subject: [keycloak-dev] Can KeyCloack be used without any passwords?
> 
> I'd just like to say that KeyCloak looks like a great project. It will be
> nice not to have to reinvent the account management wheel every time you
> write an app.
> 
> I have a couple of questions about KeyCloak:
> 
> 1. After playing with the demo it looks like first time social logins require
> a local user account to be created. Is this a fixed requirement, or is it
> possible for people to log in from Google/Twitter/Facebook without a local
> user account? Or at least with a local account that has no password? I ask
> because ideally we would like to never deal with any user passwords
> whatsoever, and defer all password management to external services.
> 
> 2. Do you expect the LDAP or AD support to work like a social login i.e. will
> users with local network accounts be required to create a KeyCloak user
> account in addition to their network account?
> 
> 3. Is it possible to associate multiple social logins with a single account?
> Something like what Stack Exchange does where you can add a Google and a
> Facebook account to your existing SE account.
> 
> Regards
> 
> Matthew Casperson
> RHCE, RHCJA # 111-072-237
> Red Hat Engineering Content Services
> Brisbane, Australia
> 
> 
> 

