[keycloak-dev] Improvements of registration over Social Login providers

Stian Thorgersen stian at redhat.com
Wed Mar 11 06:24:53 EDT 2015



----- Original Message -----
> From: "Vlastimil Elias" <velias at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 11 March, 2015 10:45:06 AM
> Subject: [keycloak-dev] Improvements of registration over Social Login providers
> 
> Hi great Keycloak dev team,
> 
> during implementation of https://issues.jboss.org/browse/KEYCLOAK-1074 I
> found a few things which should be improved in the area of registration over
> Social Login providers.
> I'd like to discuss them here before creating JIRAs. I believe I should
> implement these changes if you will be interested.
> 
> 1. It is not possible to disable registration over Social provider
> ======================================
> Once a provider is created then it is always possible to register over it, even
> if "User registration" is disabled in realm "Login Settings". I think it
> should be possible to disable social registrations and allow only to link
> social logins to existing accounts (eg. loaded from other system).
> 
> Marek Posolda pointed me to https://issues.jboss.org/browse/KEYCLOAK-1036
> which is rejected without any comment. I understand that this global setting
> is probably not a good solution, so my proposal is to add independent "User
> registration" switch into configuration of each Identity provider, so admin
> will get fine grained control.

-1 

IMO when you add an identity broker (or social provider) you are allowing all those users to login. When a user logs in the first time using an identity broker we're not really registering the user, just creating an internal representation.

> 
> 2. Username from Social provider is used as Keycloak username during
> registration
> ===================================================
> This can lead to the situation that a user registering e.g. over Twitter will
> not be able to register, as another user e.g. from Facebook will use the same
> username there and occupy it in Keycloak first.
> My proposal is to extend the configuration of each Identity provider with a new
> option "Username type" which will be selected from these options:
> 
> 
>     * provided username exact - works as now, username is taken from the provider,
>     user can't register if it is occupied in KC already
>     * provided username unique - KC will take the username from the provider, if
>     occupied then it adds some random number to it to create a unique username
>     and allow the user to register
>     * provided email - this is related to KEYCLOAK-1074, I need this option
>     for my project. I know that email is not provided by some providers (e.g.
>     Twitter) so I can't use them until KEYCLOAK-1053 is resolved somehow
> 
> So let me know what you think about my proposals, can I implement them?

-1

If it's using the username from the identity provider, that's not correct; it should just be set to something unique (could be set to same as user id), that's how it used to be before the identity brokering was introduced.

We have an open issue to allow users to change their username. This would then be used by a user that wants to enable regular logins in the above scenario. We could improve the account management around this, for example it should not display username if it's the same as user id, but have an option for a user to "enable regular login" by providing a username and password.

> 
> Cheers
> 
> Vlastimil
> 
> --
> Vlastimil Elias
> Principal Software Engineer
> jboss.org Development Team
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
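
The username collision discussed in point 2, as an added example that is not part of this thread and is not Keycloak code: a small in-memory model comparing "local username taken from the provider" with "local username set to the internal user id", where accounts are always looked up by the (provider, provider user id) link. All class, function and identifier names are hypothetical and the sample identities are constructed.

```python
import uuid


class UsernameTaken(Exception):
    """The provider-supplied username is already occupied locally."""


class Realm:
    """In-memory model of a realm's user store (hypothetical, not Keycloak code)."""

    def __init__(self, username_from_provider):
        self.username_from_provider = username_from_provider
        self.by_name = {}  # local username -> internal user id
        self.links = {}    # (provider, provider user id) -> internal user id

    def first_login(self, provider, subject, provider_username):
        """Return the internal user id for a brokered login, creating it if new."""
        key = (provider, subject)
        if key in self.links:          # returning user: match on the link only,
            return self.links[key]     # never on the username the provider sent
        user_id = str(uuid.uuid4())
        username = provider_username if self.username_from_provider else user_id
        if username in self.by_name:
            raise UsernameTaken(username)
        self.by_name[username] = user_id
        self.links[key] = user_id
        return user_id


def second_provider_outcome(username_from_provider):
    """Two different people, both called 'alice' at their provider (constructed data)."""
    realm = Realm(username_from_provider)
    first = realm.first_login("facebook", "fb-1001", "alice")
    try:
        second = realm.first_login("twitter", "tw-2002", "alice")
    except UsernameTaken:
        return "blocked"
    # Distinct accounts, and a repeat login resolves to the same account.
    assert second != first
    assert realm.first_login("twitter", "tw-2002", "alice") == second
    return "created"


if __name__ == "__main__":
    print("username from provider:", second_provider_outcome(True))
    print("username = internal id:", second_provider_outcome(False))
```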

