[keycloak-dev] Proposal of few improvements related to "Social registration" page flows

Bill Burke bburke at redhat.com
Mon Jun 1 08:17:35 EDT 2015
On 6/1/2015 8:03 AM, Vlastimil Elias wrote:
> Hi,
>
> we just advanced to the UAT phase of our project where we use Keycloak 1.2.0
> final for user management, and we got feedback from testers.
> They proposed a few improvements related to "Social registration" flows
> over OAuth identity providers (github, google, ...).
>
> 1. Perform "Update Profile on First Login" only if some mandatory
> user profile field is missing
> The current "Update Profile on First Login" setting in the "Identity provider"
> configuration is an on/off switch only. But the response from some identity
> providers (like Github, Facebook) differs between users: the email is
> sometimes returned and sometimes not. We would like to show the "Update
> Profile" page on first login only for users without an email address
> (generalized a bit, this means without some of the mandatory user profile info,
> which is currently email, name and surname) to simplify the user flow for
> other users.
>
> The best implementation is probably to change the "Update Profile on First
> Login" option in the "Identity provider" configuration from an On/Off switch to
> a select with three values:
> "On", "On missing only", "Off".
>
>
> 2. Do not perform email verification if the email is provided by a trusted
> Identity provider
> If the "Verify email" option is enabled in Settings > Login, then it is
> applied to all KC user accounts, both those created over the registration form
> and those created as a result of social login.
> We would like to simplify the user flow for users who registered over a social
> provider where we can trust the email (like google) and skip this step in
> this case.
>
> I see two ways of configuring this on a per-"Identity provider" basis: add a
> new "Trust email" configuration option to the "Identity provider" config
> page, or add a special Mapper for providers called "Trust email" which
> will mark the email as verified if provided by the given identity provider.
>
> 3. Allow mapping other information provided by OAuth Identity providers
> into Keycloak user profile attributes
> The Identity provider configuration contains a "Mappers" configuration
> already, but only the "Hardcoded role" mapper is available here for OAuth
> providers.
> We should add something like the "Attribute Importer" already available for
> SAML providers.
>

You really mean mappers are needed for social providers.  Their token 
formats are all different.  This is why we don't have mappers for them.

>
> 4. Allow extending the "Update Profile on First Login" page with other
> fields stored in user profile attributes
> My colleague created an issue for this already -
> https://issues.jboss.org/browse/KEYCLOAK-1361
>
>
> 5. Link a social account to a KC user account if an email conflict is
> detected and the user authenticates afterwards
> When a user clicks a Social login provider on the login page, and the social
> provider returns an email which already exists for another KC user, then the
> login page is shown with an error message like "User with email already
> exists. Please login to account management to link the account.". This
> is really not very user friendly, as the user is returned to the original
> page/application after login and it may be a bit complicated for him to
> go into the account management page and link the account there.
> I believe that once the user provides the correct username and password on this
> login page then the social account should be automatically linked to the KC
> account the user just authenticated to. Then the user should be redirected to
> the originating application. If this "social account autolink" could
> survive the "Forgot password" flow then even better ;-)
>

I like the auto-link after login.  All good suggestions.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
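The "Trust email" mapper variant from item 2 of the proposal, sketched as an identity-provider mapper against the Keycloak 1.2-era broker SPI. This is an added example, not code from the thread or from Keycloak itself; the class, its provider id and the package name are hypothetical, and it assumes the SPI shape of that release (AbstractIdentityProviderMapper, importNewUser/updateBrokeredUser, BrokeredIdentityContext.getEmail, UserModel.setEmailVerified). The one check worth keeping whatever the final design: only the address the provider actually delivered is marked verified, and only when it matches the account's stored address, so a provider that omits the email for some users (the GitHub/Facebook case from item 1) never causes an unverified or mismatched address to be flagged as verified.

```java
package org.example.keycloak.broker; // hypothetical package, not part of Keycloak

import java.util.ArrayList;
import java.util.List;

import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityProviderMapper;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Hypothetical "Trust email" identity-provider mapper (not shipped with Keycloak 1.2.0).
 * Attach it to a provider whose e-mail claims the realm administrator trusts (e.g. Google):
 * the brokered user's e-mail is then marked verified, so the realm-wide "Verify email"
 * required action is not triggered for that user. Leave it off providers whose e-mail
 * claims are optional or unverified.
 */
public class TrustEmailMapper extends AbstractIdentityProviderMapper {

    public static final String PROVIDER_ID = "trust-email-idp-mapper"; // hypothetical id
    private static final String[] COMPATIBLE_PROVIDERS = { IdentityProviderMapper.ANY_PROVIDER };
    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();

    @Override public String[] getCompatibleProviders() { return COMPATIBLE_PROVIDERS; }
    @Override public String getDisplayCategory() { return "Account"; }
    @Override public String getDisplayType() { return "Trust email"; }
    @Override public String getId() { return PROVIDER_ID; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG_PROPERTIES; }
    @Override public String getHelpText() {
        return "Marks the e-mail address supplied by this identity provider as verified.";
    }

    /** New KC account created from this provider: trust the address the provider sent. */
    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        markVerifiedIfSupplied(user, context);
    }

    /** Already-linked account logging in again: re-assert only if the provider's address still matches. */
    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        markVerifiedIfSupplied(user, context);
    }

    /**
     * Trust only the address actually delivered by the provider. If the provider sent no
     * e-mail, or it differs from the address stored on the account, the verification state is
     * left untouched and the normal "Verify email" flow applies.
     */
    static void markVerifiedIfSupplied(UserModel user, BrokeredIdentityContext context) {
        String providerEmail = context.getEmail();
        if (providerEmail == null || providerEmail.trim().isEmpty()) {
            return; // provider omitted the address for this user: nothing to trust
        }
        String storedEmail = user.getEmail();
        if (storedEmail != null && !providerEmail.equalsIgnoreCase(storedEmail)) {
            return; // provider's address is not the account's address: do not vouch for it
        }
        user.setEmailVerified(true);
    }
}
```

Registering the mapper follows the usual Keycloak SPI pattern: list the class in META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper inside the deployed jar, after which it appears under the provider's "Mappers" tab alongside "Hardcoded role". Because a mapper is attached per provider, the trust decision stays per provider, which is the property the proposal asks for.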