[keycloak-dev] Linking social accounts

Marek Posolda mposolda at redhat.com
Mon Mar 10 06:02:27 EDT 2014


I've sent PR https://github.com/keycloak/keycloak/pull/275 for 
linking/unlinking social accounts into an already existing Keycloak user 
account.

I've created another JIRA https://issues.jboss.org/browse/KEYCLOAK-354, 
which will allow the administrator to see which social networks are 
connected for user 'john'. We discussed with Stian that a read-only 
possibility for the admin is probably sufficient (i.e. the admin can 
just review that john is linked to Facebook and Google, but he doesn't 
have the possibility to remove this linking or add a new linking of this 
user to other social networks).

There is also this bug https://issues.jboss.org/browse/KEYCLOAK-334, 
which means that users registered through social can't change their 
passwords, because changing the password requires filling in the already 
existing password, and user 'john' doesn't have an existing password when 
he registered himself through Facebook... It seems that for a user without 
a password, there should be a possibility to skip the need to fill in the 
existing password. Maybe there should be a new model method like:

boolean hasPassword(UserModel user);   // on RealmModel

or even more flexible:

boolean hasCredential(UserModel user, String credentialType);   // on RealmModel

Not sure if this is sufficient though, because users registered through social won't need to fill in existing passwords, which could mean that someone can hijack their session, as Stian pointed out.

So I was also thinking whether we can require that users fill in 
their password if they are registered through social. Maybe some 
administrators don't want this, but in fact many sites on the Internet 
require this for social registration, and in fact that's what I did in 
the GateIn portal as well.

So I wonder if we shouldn't remove the realm boolean attribute 
"updateProfileOnInitialSocialLogin" and add a new attribute like 
"socialRegistrationRequiredActions", which will contain an array of 
required actions after social registration. So for example:
- If the administrator wants users to be registered automatically through 
social without the need to confirm anything, he can use an empty array (same 
as currently updateProfileOnInitialSocialLogin=false)
- If the administrator wants users to confirm their attributes (firstName, 
lastName, email...), he will just add the action UPDATE_PROFILE (same as 
currently updateProfileOnInitialSocialLogin=true)
- If the administrator wants users to confirm attributes and also fill in a 
password, he will add both UPDATE_PROFILE and UPDATE_PASSWORD to this 
array

wdyt?
Marek

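An added sketch of the proposal in the mail above (a hypothetical model written for this page, not Keycloak's own classes or API): the `socialRegistrationRequiredActions` array replacing the old boolean, the `hasCredential` check from KEYCLOAK-334, and a password change that only asks for the current password when one exists. `RequiredAction`, `User` and `PasswordHasher` are assumed stand-ins for the real model types.

```java
import java.util.EnumSet;
import java.util.Set;

// Hypothetical model of the proposal in this mail; not Keycloak's own classes or API.
public class SocialRegistrationPolicy {
    enum RequiredAction { UPDATE_PROFILE, UPDATE_PASSWORD }

    // The realm's password hashing, injected (assumed interface, not Keycloak's).
    interface PasswordHasher { String hash(String raw); boolean verify(String raw, String hash); }

    static final class User {
        final String username;
        String passwordHash;   // null: registered through social, no local password yet
        final Set<RequiredAction> pendingActions = EnumSet.noneOf(RequiredAction.class);
        User(String username) { this.username = username; }
    }

    // Stand-in for the proposed "socialRegistrationRequiredActions" realm attribute.
    private final Set<RequiredAction> socialRegistrationRequiredActions = EnumSet.noneOf(RequiredAction.class);
    private final PasswordHasher hasher;

    SocialRegistrationPolicy(Set<RequiredAction> actions, PasswordHasher hasher) {
        this.socialRegistrationRequiredActions.addAll(actions);
        this.hasher = hasher;
    }

    // Migration from the old boolean: true maps to [UPDATE_PROFILE], false to [].
    static SocialRegistrationPolicy fromLegacyFlag(boolean updateProfileOnInitialSocialLogin, PasswordHasher h) {
        Set<RequiredAction> actions = EnumSet.noneOf(RequiredAction.class);
        if (updateProfileOnInitialSocialLogin) actions.add(RequiredAction.UPDATE_PROFILE);
        return new SocialRegistrationPolicy(actions, h);
    }

    // Called once, right after the social provider has created the account.
    void onSocialRegistration(User user) {
        user.pendingActions.addAll(socialRegistrationRequiredActions);
    }

    // Stand-in for the proposed RealmModel.hasCredential(user, credentialType).
    static boolean hasCredential(User user, String credentialType) {
        return "password".equals(credentialType) && user.passwordHash != null;
    }

    // KEYCLOAK-334: require the current password only when the user actually has one.
    // With UPDATE_PASSWORD in the policy, a social user sets a password right after
    // registration, so every later change is again protected by this check.
    boolean changePassword(User user, String current, String replacement) {
        if (hasCredential(user, "password") && !hasher.verify(current, user.passwordHash)) return false;
        user.passwordHash = hasher.hash(replacement);
        user.pendingActions.remove(RequiredAction.UPDATE_PASSWORD);
        return true;
    }
}
```

A user created by `onSocialRegistration` under a policy containing UPDATE_PASSWORD carries that pending action until `changePassword` succeeds, which is the point where `hasCredential` starts returning true and the current-password check becomes mandatory.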
