[keycloak-dev] Proposal of few improvements related to "Social registration" page flows
Vlastimil Elias
velias at redhat.com
Mon Jun 1 08:03:10 EDT 2015
Hi,

we just advanced to the UAT phase of our project, where we use Keycloak 1.2.0
final for user management, and we got feedback from testers.
They proposed a few improvements related to the "Social registration" flows
over OAuth identity providers (GitHub, Google, ...).

1. Perform "Update Profile on First Login" only if some of the mandatory
user profile fields are missing

The current "Update Profile on First Login" setting in the "Identity provider"
configuration is an on/off switch only. But the response from some identity
providers (like GitHub, Facebook) differs between users: the email is
sometimes returned and sometimes not. We would like to show the "Update
Profile" page on first login only for users without an email address
(generalized a bit: without some of the mandatory user profile info,
which is currently email, name and surname) to simplify the user flow for
other users.

The best implementation is probably to change the "Update Profile on First
Login" option in the "Identity provider" configuration from an On/Off switch to
a select with three values:
"On", "On missing only", "Off".

2. Do not perform email verification if the email is provided by a trusted
Identity provider

If the "Verify email" option is enabled in Settings > Login, then it is
applied to all KC user accounts, both those created via the registration form
and those created as a result of social login.
We would like to simplify the user flow for users who registered via a social
provider whose email we can trust (like Google) and skip this step in
that case.

I see two ways to configure this on a per "Identity provider" basis: add a
new "Trust email" configuration option to the "Identity provider" config
page, or add a special mapper for providers called "Trust email" which
will mark the email as verified if it is provided by the given identity provider.

3. Allow mapping other information provided by OAuth Identity providers
into Keycloak user profile attributes

The Identity provider configuration already contains a "Mappers" configuration,
but only the "Hardcoded role" mapper is available here for OAuth
providers.
We should add something like the "Attribute Importer" already available for
SAML providers.

4. Allow extending the "Update Profile on First Login" page with other
fields stored in user profile attributes

My colleague created an issue for this already -
https://issues.jboss.org/browse/KEYCLOAK-1361

5. Link the social account to the KC user account if an email conflict is
detected and the user authenticates afterwards

When a user clicks a social login provider on the login page, and the social
provider returns an email which already exists for another KC user, then the
login page is shown with an error message like "User with email already
exists. Please login to account management to link the account.". This
is really not very user friendly, as the user is returned to the original
page/application after login and it may be a bit complicated for him to
go to the account management page and link the account there.

I believe that once the user provides the correct username and password on this
login page, the social account should be automatically linked to the KC
account the user just authenticated to. Then the user should be redirected to
the originating application. If this "social account autolink" could also
survive the "Forgot password" flow, then even better ;-)

What do you think about the proposed improvements? I believe they are
generic enough to be valuable for all KC users.
I can create JIRA issues for them if you agree, and then I should be
able to provide PRs for 1, 2, 4 first, then for 3. The feature from topic 5
is a bit complicated, so I'm probably not able to help with it.

Thanks in advance
Vlastimil

--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
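The following is an added example, not code from the mail or from Keycloak: a small Python model of the first-login decisions that proposals 1, 2 and 3 above describe. It assumes an identity-provider config with a three-valued "Update Profile on First Login" select, a per-provider "Trust email" flag, and an attribute-importer mapping from provider claims to user attributes; the class and field names, the required-action names and the normalized provider response shape are all assumptions chosen for this example.

```python
"""Illustrative model (assumption, not Keycloak's implementation) of the
first-login handling proposed for brokered OAuth logins:

  1. "Update Profile on First Login" as a three-valued setting
     ("on", "on_missing_only", "off") driven by the mandatory fields,
  2. a per-provider "Trust email" flag that marks the email verified
     instead of scheduling realm-wide email verification,
  3. an attribute importer that copies extra provider claims into
     user profile attributes.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Mandatory profile fields as listed in the mail: email, name and surname.
MANDATORY_FIELDS = ("email", "firstName", "lastName")
UPDATE_PROFILE_MODES = ("on", "on_missing_only", "off")


@dataclass
class IdentityProviderConfig:
    """Per-provider settings (hypothetical names)."""
    alias: str
    update_profile_on_first_login: str = "on"
    trust_email: bool = False
    # attribute importer: provider claim name -> user attribute name
    attribute_mappers: Dict[str, str] = field(default_factory=dict)


@dataclass
class BrokeredUser:
    """User record assembled from the provider response on first login."""
    username: str
    email: Optional[str] = None
    first_name: Optional[str] = None
    last_name: Optional[str] = None
    email_verified: bool = False
    attributes: Dict[str, str] = field(default_factory=dict)
    required_actions: List[str] = field(default_factory=list)


def missing_mandatory_fields(user: BrokeredUser) -> List[str]:
    """Return the mandatory fields the provider did not supply."""
    present = {"email": user.email,
               "firstName": user.first_name,
               "lastName": user.last_name}
    return [f for f in MANDATORY_FIELDS if not present[f]]


def first_login(cfg: IdentityProviderConfig, response: Dict[str, Any],
                realm_verify_email: bool) -> BrokeredUser:
    """Build the local user and decide which required actions to queue.

    `response` is assumed to be the provider's reply already normalized
    by the provider plugin to the keys id/email/firstName/lastName plus
    any raw claims the attribute importer may reference.
    """
    mode = cfg.update_profile_on_first_login
    if mode not in UPDATE_PROFILE_MODES:
        # A misconfigured provider must fail closed rather than silently
        # skipping the profile update.
        raise ValueError(f"unknown update-profile mode {mode!r}")

    user = BrokeredUser(
        username=f"{response['id']}@{cfg.alias}",  # hypothetical naming scheme
        email=response.get("email"),
        first_name=response.get("firstName"),
        last_name=response.get("lastName"),
    )

    # Proposal 1: "on" always asks, "on_missing_only" asks only when a
    # mandatory field is absent, "off" never asks.
    missing = missing_mandatory_fields(user)
    if mode == "on" or (mode == "on_missing_only" and missing):
        user.required_actions.append("UPDATE_PROFILE")

    # Proposal 2: an email from a trusted provider is marked verified;
    # otherwise the realm-wide "Verify email" setting still applies.
    # (An email the user types in during UPDATE_PROFILE is not covered
    # here; it would go through the normal verification path.)
    if user.email:
        if cfg.trust_email:
            user.email_verified = True
        elif realm_verify_email:
            user.required_actions.append("VERIFY_EMAIL")

    # Proposal 3: attribute importer, copying only claims actually present.
    for claim, attr in cfg.attribute_mappers.items():
        if claim in response:
            user.attributes[attr] = str(response[claim])

    return user


if __name__ == "__main__":
    # Constructed sample responses: a GitHub-style reply without an email
    # and a Google-style reply with one.
    gh = IdentityProviderConfig("github", "on_missing_only",
                                attribute_mappers={"login": "github_login"})
    print(first_login(gh, {"id": 42, "login": "octocat",
                           "firstName": "Octo", "lastName": "Cat"}, True))
    gg = IdentityProviderConfig("google", "on_missing_only", trust_email=True)
    print(first_login(gg, {"id": "7", "email": "a@example.com",
                           "firstName": "A", "lastName": "B"}, True))
```

The three modes are validated up front so that a typo in the provider configuration raises instead of quietly behaving like "off"; the trust-email branch only ever sets `email_verified` when the provider actually returned an email, so a trusted provider cannot "verify" an address the user later types in by hand.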