[keycloak-dev] Email constraint violation when updating profile

Pedro Igor Silva psilva at redhat.com
Tue Jan 6 08:51:54 EST 2015


----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Pedro Igor Silva" <psilva at redhat.com>
> Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> Sent: Tuesday, January 6, 2015 11:25:45 AM
> Subject: Re: [keycloak-dev] Email constraint violation when updating profile
> 
> 
> 
> ----- Original Message -----
> > From: "Pedro Igor Silva" <psilva at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > Sent: Tuesday, 6 January, 2015 2:14:21 PM
> > Subject: Re: [keycloak-dev] Email constraint violation when updating
> > profile
> > 
> > ----- Original Message -----
> > > From: "Stian Thorgersen" <stian at redhat.com>
> > > To: "Pedro Igor Silva" <psilva at redhat.com>
> > > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > Sent: Tuesday, January 6, 2015 9:53:56 AM
> > > Subject: Re: [keycloak-dev] Email constraint violation when updating
> > > profile
> > > 
> > > This is a corner case and we can safely ignore it until someone complains
> > > about it. There are also already ways to work around it:
> > > 
> > > 1) User logs into account console, removes the social/broker link, logs in
> > > to the other account and adds the social link
> > > 2) User talks to admin, admin deletes one account (or removes social/broker
> > > link), then user can link to existing account
> > > 
> > > When we implemented linking of accounts in the first place me and Marek
> > > discussed this issue over and over. Whichever solution we came up with had
> > > issues, both technical and usability issues. So end of the day we decided
> > > that as there's a workaround to it, and that it won't be a very common
> > > problem, we could safely ignore it.
> > 
> > Not sure if you can safely ignore it. Users will get an ugly error on their
> > browser, instead of a proper error message. If you just check for a
> > duplicate email in
> > org.keycloak.services.resources.LoginActionsService#updateProfile, that
> > would be enough to avoid the error. And this should be very simple.
> 
> Agree it should be a proper error message. I didn't get that was the problem.
> It shouldn't check for duplicate email though, it should rely on db
> constraints as otherwise you can't guarantee it doesn't exist, but still an
> easy fix. Can you create a separate JIRA issue for it and we'll fix for
> 1.1.0.Final?

Sure, I will. Thanks.

> 
> > 
> > > 
> > > With regards to the proposed solution, that was one we visited, but it has
> > > several issues. Creating the user after doesn't work as we need to have
> > > somewhere to store the information and it would also add more complexity to
> > > required actions. Also, it doesn't work if update profile is not required on
> > > first login or if email is not required. In either of those cases you end up
> > > with at some point in the future the user may try to update the account with
> > > their email and get the same problem.
> > 
> > Not really, the validation above should be enough.
> > 
> > Still not convinced :) I understand the technical blockers, but they should
> > not be blockers to offer a better usability.
> > 
> > From a business perspective, the workflow is wrong. You can not store the
> > user before getting the input from the user when update profile is enabled.
> > That is what you see around the web and what KC does partially.
> 
> You can argue which workflow is better, but both are perfectly valid. There's
> nothing wrong with storing the user before update profile. If there's an
> update profile required action associated with the account the user is not
> able to use the account until the profile has been updated. Absolutely
> nothing wrong with the current flow, other than the potential of the user
> wanting to set an email address that already exists, which there are many
> other much simpler solutions to than what you are proposing. End of the day
> you'll provide the same error message to the user, so from a usability
> perspective there's no difference whether or not it's stored in the db.
> 
> > 
> > > 
> > > ----- Original Message -----
> > > > From: "Pedro Igor Silva" <psilva at redhat.com>
> > > > To: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > > > Sent: Tuesday, 6 January, 2015 12:33:30 PM
> > > > Subject: [keycloak-dev] Email constraint violation when updating
> > > > profile
> > > > 
> > > > Hi,
> > > > 
> > > >     Would like to know your thoughts on KEYCLOAK-924 [1].
> > > > 
> > > >     Looks like there is an issue with the "Update Profile" workflow that
> > > >     also impacts social authentication and account linking.
> > > > 
> > > > Regards.
> > > > Pedro Igor
> > > > 
> > > > [1] https://issues.jboss.org/browse/KEYCLOAK-924
> > > > _______________________________________________
> > > > keycloak-dev mailing list
> > > > keycloak-dev at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > > > 
> > > 
> > 
> 
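
The point made in the thread (rely on the database constraint rather than a duplicate-email pre-check, and turn the violation into a proper error message), as an added example that is not Keycloak code and not from the original messages. It uses Python's sqlite3 as a stand-in database; the `users` table, the function names and the message text are hypothetical.

```python
import sqlite3

def open_db():
    """In-memory database with a unique constraint on email (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT)")
    db.execute("CREATE UNIQUE INDEX uk_users_email ON users(email)")
    db.executemany(
        "INSERT INTO users (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.org"),   # existing local account
         (2, "social.alice", None)],          # account created by a social login, no email yet
    )
    db.commit()
    return db

def update_profile(db, user_id, email):
    """Write the email and let the constraint decide.

    Returns None on success, or a message for the form instead of a raw server error.
    """
    try:
        with db:  # commits on success, rolls back if the statement fails
            db.execute("UPDATE users SET email = ? WHERE id = ?", (email, user_id))
    except sqlite3.IntegrityError:
        return "Email already exists."
    return None

def email_taken(db, email):
    """The pre-check alone: true only at the instant it runs."""
    row = db.execute("SELECT 1 FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None

def precheck_then_race(db, email):
    """Request B pre-checks, request A commits the same email, then B writes."""
    looked_free = not email_taken(db, email)   # B: pre-check says the email is free
    update_profile(db, 1, email)               # A: commits in between
    return looked_free, update_profile(db, 2, email)  # B: the constraint still rejects

if __name__ == "__main__":
    db = open_db()
    print(update_profile(db, 2, "alice@example.org"))
    print(precheck_then_race(open_db(), "new@example.org"))
```
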

