[keycloak-dev] Email constraint violation when updating profile

Pedro Igor Silva psilva at redhat.com
Tue Jan 6 08:14:21 EST 2015


----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Tuesday, January 6, 2015 9:53:56 AM
> Subject: Re: [keycloak-dev] Email constraint violation when updating profile
> 
> This is a corner case and we can safely ignore it until someone complains
> about it. There are also already ways to work around it:
> 
> 1) User logs into account console, removes the social/broker link, logs in to
> the other account and adds the social link
> 2) User talks to admin, admin deletes one account (or removes social/broker
> link), then user can link to existing account
> 
> When we implemented linking of accounts in the first place me and Marek
> discussed this issue over and over. Whichever solution we came up with had
> issues, both technical and usability issues. So end of the day we decided
> that as there's a workaround to it, and that it won't be a very common
> problem, we could safely ignore it.

Not sure if you can safely ignore it. Users will get an ugly error in their browser, instead of a proper error message. If you just check for a duplicate email in org.keycloak.services.resources.LoginActionsService#updateProfile, that would be enough to avoid the error. And this should be very simple.

> 
> With regards to the proposed solution, that was one we visited, but it has
> several issues. Creating the user after doesn't work as we need to have
> somewhere to store the information and it would also add more complexity to
> required actions. Also, it doesn't work if update profile is not required on
> first login or if email is not required. In either of those cases you end up
> with at some point in the future the user may try to update the account with
> their email and get the same problem.

Not really, the validation above should be enough.

Still not convinced :) I understand the technical blockers, but they should not be blockers to offering better usability.

From a business perspective, the workflow is wrong. You cannot store the user before getting the input from the user when update profile is enabled. That is what you see around the web and what KC does partially.

> 
> ----- Original Message -----
> > From: "Pedro Igor Silva" <psilva at redhat.com>
> > To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > Sent: Tuesday, 6 January, 2015 12:33:30 PM
> > Subject: [keycloak-dev] Email constraint violation when updating profile
> > 
> > Hi,
> > 
> >     Would like to know your thoughts on KEYCLOAK-924 [1].
> > 
> >     Looks like there is an issue with the "Update Profile" workflow that
> >     also impacts social authentication and account linking.
> > 
> > Regards.
> > Pedro Igor
> > 
> > [1] https://issues.jboss.org/browse/KEYCLOAK-924
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > 
> 
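
The duplicate-email check proposed in the reply above, as an added sketch that is not part of the original message and is not Keycloak code. `UserStore`, `User`, `updateEmail` and the message strings are hypothetical, the sample users are constructed, and the sketch assumes email is a required field.

```java
import java.util.*;
// Added sketch: UserStore, User and updateEmail are hypothetical, not Keycloak classes.
public class UpdateProfileEmailCheck {
    record User(String id, String email) {}
    static String normalize(String email) { return email.trim().toLowerCase(Locale.ROOT); }

    // Stand-in for a user table with a unique index on the normalized email.
    static class UserStore {
        private final Map<String, User> byId = new HashMap<>();
        private final Map<String, String> idByEmail = new HashMap<>();

        Optional<User> findByEmail(String email) {
            return Optional.ofNullable(idByEmail.get(normalize(email))).map(byId::get);
        }
        void save(User u) {
            String owner = idByEmail.get(normalize(u.email()));
            if (owner != null && !owner.equals(u.id()))
                throw new IllegalStateException("unique constraint violated: email");
            User old = byId.put(u.id(), u);
            if (old != null) idByEmail.remove(normalize(old.email()));
            idByEmail.put(normalize(u.email()), u.id());
        }
    }

    // Returns null on success, otherwise a message suitable for the profile form.
    static String updateEmail(UserStore store, User current, String newEmail) {
        if (newEmail == null || newEmail.isBlank()) return "Please specify email.";
        Optional<User> owner = store.findByEmail(newEmail);
        // The user's own address is not a duplicate; any other owner is.
        if (owner.isPresent() && !owner.get().id().equals(current.id()))
            return "Email already exists.";
        try {
            store.save(new User(current.id(), normalize(newEmail)));
        } catch (IllegalStateException raced) {
            // Check-then-write can race; the constraint stays as the backstop.
            return "Email already exists.";
        }
        return null;
    }

    public static void main(String[] args) {
        UserStore store = new UserStore(); // constructed sample data
        User local = new User("u1", "alice@example.org");
        User social = new User("u2", "placeholder@example.org");
        store.save(local);
        store.save(social);
        System.out.println(updateEmail(store, social, "Alice@Example.org"));
        System.out.println(updateEmail(store, social, "alice2@example.org"));
    }
}
```

The same form message is returned whether the pre-check or the constraint catches the collision, so the user never sees the raw persistence error.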

