[keycloak-dev] Linking social accounts

Stian Thorgersen stian at redhat.com
Mon Mar 10 10:13:37 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Monday, 10 March, 2014 1:01:41 PM
> Subject: Re: [keycloak-dev] Linking social accounts
> 
> 
> On 3/10/2014 6:02 AM, Marek Posolda wrote:
> > I've sent PR https://github.com/keycloak/keycloak/pull/275 for
> > linking/unlinking social accounts into already existing Keycloak user
> > account.
> >
> > I've created another JIRA https://issues.jboss.org/browse/KEYCLOAK-354,
> > which will allow the administrator to see which social
> > networks are connected for user 'john'. We discussed with Stian that
> > a read-only possibility for admin is probably sufficient (i.e. admin can
> > just review that john is linked to Facebook and Google, but he doesn't
> > have the possibility to remove this linking or add a new linking of this user
> > to other social networks).
> >
> > There is also this bug https://issues.jboss.org/browse/KEYCLOAK-334,
> > which means that users registered through social can't change their
> > passwords because changing password requires filling already existing
> > password and user 'john' doesn't have existing password when he
> > registered himself through Facebook... It seems that for user without
> > password, there should be possibility to skip the need to fill existing
> > password. Maybe there should be new model method like:
> >
> 
> I think I submitted a similar bug to this in regards to "forgot password".

In the account management pages you need to provide the existing password. The login pages will allow you to reset the password through a link in an email without the password.

The account management pages ask for this password to prevent hijacking an account if someone forgets to log out from a shared machine.

> 
> I also want you to think about linking Social Accounts with existing
> Keycloak Accounts.  I believe sso.jboss.org will want to do this as I
> think people will want to use their Github user accounts to log into
> jboss.org JIRA without having to redo permissions.
> 
> 
> > boolean  RealmModel hasPassword(UserModel user);
> >
> > or even more flexible:
> >
> > boolean  RealmModel hasCredential(UserModel user,String  credentialType);
> >
> > Not sure if this is sufficient though, because users registered through
> > social won't need to fill existing passwords, which could mean that
> > someone can hijack their session as Stian pointed.
> >
> > So I was also thinking if we can require that users will need to fill
> > in their password if they are registered through social. Maybe some
> > administrators don't want this, but in fact many sites on the Internet
> > require this for social registration and in fact that's what I did in
> > GateIn portal as well.
> >
> 
> Why would a password be required for a social login?  The whole point of
> a social login is to delegate authentication.  I can see you maybe
> wanting to add 2-factor auth and other security constraints to a social
> login, but a password?  no.

Someone may have initially started using social login, but later wants to change to a regular login. To do so they would have to set a password. Also, setting a password would allow someone a backup way of accessing their account should the social network be done, they've lost their account there, or for whatever other reason they can't use the social login any more.

The best user experience would come from having a set password option in account management without requiring the 'current' password as it doesn't exist. I think that's ok, but I'm a little bit worried about that allowing someone to potentially hijack an account (see above).

> 
> 
> > So I wonder if we shouldn't remove the realm boolean attribute
> > "updateProfileOnInitialSocialLogin" and add new attribute like
> > "socialRegistrationRequiredActions", which will contain array of
> > required actions after social registration. So for example:
> > - If administrator wants users to be registered automatically through
> > social without need to confirm anything, he can use empty array (same
> > like currently updateProfileOnInitialSocialLogin=false)
> > - If administrator wants users to confirm their attributes (firstName,
> > lastname, email...), he will just add action UPDATE_PROFILE (same like
> > currently updateProfileOnInitialSocialLogin=true)
> > - If administrator wants users to confirm attributes and also fill
> > password, he will add both UPDATE_PROFILE and UPDATE_PASSWORD into this
> > array

I think that's a good idea. This would also be nice to have for standard registrations as well. At the moment we have an on/off for validate password, but it would be better to have two fields:

- Actions on first login
- Actions on first social login

These would be multi-select fields, same as we have for required fields on a users account.

> 
> 
> I'd like to see an option for "Do you have an existing account?  If so,
> please log in to link this account to your social account."

That would be nice, and we wanted to add some integration with the login forms later. This time around it's been focused on the account management. So you can add a social link to an existing account (it doesn't matter if that existing account uses standard password login or social login). You can also add as many as you want, so you can log in to the same account with username/password or any of the social providers we have.


> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
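The two mechanisms discussed in this thread, a `hasCredential`-style check that skips the "current password" requirement only for accounts that have no password, and realm-level lists of required actions on first login and on first social login, are sketched below as a small in-memory model. This is an added example written for this page, not Keycloak's own code: `Realm`, `User`, `RequiredAction`, the `"password"` credential type string and the `providerIdentity` strings are all hypothetical stand-ins for `RealmModel`/`UserModel`, and the rule that one social identity can be linked to only one account is an assumed invariant, not something the thread states.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Actions a user must complete before a login is finished (hypothetical enum).
enum RequiredAction { UPDATE_PROFILE, UPDATE_PASSWORD }

// Minimal stand-in for UserModel (hypothetical, not Keycloak's class).
final class User {
    final String username;
    // credential type -> secret; plaintext only for this demo, a real store hashes passwords
    final Map<String, String> credentials = new HashMap<>();
    final Set<String> socialLinks = new LinkedHashSet<>();
    final Deque<RequiredAction> pendingActions = new ArrayDeque<>();

    User(String username) { this.username = username; }
}

// Minimal stand-in for RealmModel (hypothetical).
final class Realm {
    final Map<String, User> users = new HashMap<>();
    // social identity -> owning account, so one identity cannot be linked to two accounts (assumed invariant)
    final Map<String, User> linkIndex = new HashMap<>();
    // the two multi-select fields proposed in the thread, instead of one updateProfileOnInitialSocialLogin flag
    final EnumSet<RequiredAction> actionsOnFirstLogin = EnumSet.noneOf(RequiredAction.class);
    final EnumSet<RequiredAction> actionsOnFirstSocialLogin = EnumSet.noneOf(RequiredAction.class);

    boolean hasCredential(User user, String credentialType) {
        return user.credentials.containsKey(credentialType);
    }

    boolean hasPassword(User user) { return hasCredential(user, "password"); }

    User registerWithPassword(String username, String password) {
        User u = new User(username);
        u.credentials.put("password", password);
        u.pendingActions.addAll(actionsOnFirstLogin);
        users.put(username, u);
        return u;
    }

    // First login through a social provider: no password exists, realm-configured actions are queued.
    User registerViaSocial(String username, String providerIdentity) {
        User existing = linkIndex.get(providerIdentity);
        if (existing != null) return existing; // identity already known: this is a login, not a registration
        User u = new User(username);
        u.pendingActions.addAll(actionsOnFirstSocialLogin);
        users.put(username, u);
        linkSocial(u, providerIdentity);
        return u;
    }

    // Account-management password change: the current password is demanded only when the
    // account actually has one, so a social-only account can set its first password.
    boolean changePassword(User user, String current, String newPassword) {
        if (hasPassword(user)) {
            String stored = user.credentials.get("password");
            if (current == null || !stored.equals(current)) {
                return false; // missing or wrong current password
            }
        }
        user.credentials.put("password", newPassword);
        user.pendingActions.remove(RequiredAction.UPDATE_PASSWORD);
        return true;
    }

    // Link a social identity to an existing account from account management, i.e. for a user
    // who is already logged in. Any number of providers may be linked to one account.
    boolean linkSocial(User user, String providerIdentity) {
        User owner = linkIndex.get(providerIdentity);
        if (owner != null && owner != user) return false; // identity belongs to another account
        user.socialLinks.add(providerIdentity);
        linkIndex.put(providerIdentity, user);
        return true;
    }
}

public class SocialLinkDemo {
    public static void main(String[] args) {
        Realm realm = new Realm();
        // administrator wants both profile confirmation and a password after social registration
        realm.actionsOnFirstSocialLogin.add(RequiredAction.UPDATE_PROFILE);
        realm.actionsOnFirstSocialLogin.add(RequiredAction.UPDATE_PASSWORD);

        User john = realm.registerViaSocial("john", "facebook:1234"); // constructed sample identity
        System.out.println("pending after social registration: " + john.pendingActions);

        System.out.println("set first password, no current needed: " + realm.changePassword(john, null, "s3cret"));
        System.out.println("pending after setting password: " + john.pendingActions);
        System.out.println("change without current password: " + realm.changePassword(john, null, "other"));
        System.out.println("change with current password: " + realm.changePassword(john, "s3cret", "other"));

        System.out.println("link a second provider: " + realm.linkSocial(john, "google:abcd"));
        System.out.println("john's links (what a read-only admin view would show): " + john.socialLinks);

        User jane = realm.registerWithPassword("jane", "pw");
        System.out.println("link john's facebook identity to jane: " + realm.linkSocial(jane, "facebook:1234"));
    }
}
```

Running `main` shows the hijack concern from the thread in concrete terms: the only moment a password can be set without proving the current one is when no password credential exists at all, so the window is limited to the social-only state and closes as soon as `UPDATE_PASSWORD` has been completed.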

