[keycloak-dev] Improvements of registration over Social Login providers

Stian Thorgersen stian at redhat.com
Wed Mar 11 06:30:18 EDT 2015 

We can also add some more required actions:

* Set email if missing
* Set username/password

It would then be possible to set one or more required actions for a first social login.

----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Vlastimil Elias" <velias at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 11 March, 2015 11:24:53 AM
> Subject: Re: [keycloak-dev] Improvements of registration over Social	Login	providers
> 
> 
> 
> ----- Original Message -----
> > From: "Vlastimil Elias" <velias at redhat.com>
> > To: keycloak-dev at lists.jboss.org
> > Sent: Wednesday, 11 March, 2015 10:45:06 AM
> > Subject: [keycloak-dev] Improvements of registration over Social Login
> > 	providers
> > 
> > Hi great Keycloak dev team,
> > 
> > during implementation of https://issues.jboss.org/browse/KEYCLOAK-1074 I
> > found few things which should be improved in area of registration over
> > Social Login providers.
> > I'd like to discuss them here before creating JIRAs. I believe I should
> > implement these changes if you will be interested.
> > 
> > 1. It is not possible to disable registration over Social provider
> > ======================================
> > Once provider is created then it is always possible to register over it,
> > even
> > if "User registration" is disabled in realm "Login Settings". I think it
> > should be possible to disable social registrations and allow only to link
> > social logins to existing accounts (eg. loaded from other system).
> > 
> > Marek Posolda pointed me to https://issues.jboss.org/browse/KEYCLOAK-1036
> > which is rejected without any comment. I understand that this global
> > setting
> > is probably not a good solution, so my proposal is to add independent "User
> > registration" switch into configuration of each Identity provider, so admin
> > will get fine grained control.
> 
> -1
> 
> IMO when you add a identity broker (or social provider) you are allowing all
> those users to login. When a user logs in the first time using a identity
> broker we're not really registering the user, just creating an internal
> representation.
> 
> > 
> > 2. Username from Social provider is used as Keycloak username during
> > registration
> > ===================================================
> > This can lead to the situation that user registering eg. over Twitter will
> > not be able to register as other user eg. from Facebook will use same
> > username there and occupy it in Keycloak as first.
> > My proposal is to extend configuration of each Identity provider by new
> > option "Username type" which will be select from these options:
> > 
> > 
> >     * provided username exact - works as now, username is got from
> >     provider,
> >     user can't register if occupied in KC already
> >     * provided username unique - KC will take username from provider, if
> >     occupied then it adds some random number to it to create unique
> >     username
> >     and allow user to register
> >     * provided email - this is related to KEYCLOAK-1074, I need this option
> >     for my project. I know that email is not provided by some providers (eg
> >     Twitter) so I can't use them until KEYCLOAK-1053 is resolved somehow
> > 
> > So let me know what you think about my proposals, can I implement them?
> 
> -1
> 
> If it's using the username from the identity provider that's not correct, it
> should just be set to something unique (could be set to same as user id),
> that's how it used to be before the identity brokering was introduced.
> 
> We have an open issue to allow users to change their username. This would
> then be used by a user that wants to enable regular logins in the above
> scenario. We could improve the account management around this, for example
> it should not display username if it's the same as user id, but have an
> option for a user to "enable regular login" by providing a username and
> password.
> 
> > 
> > Cheers
> > 
> > Vlastimil
> > 
> > --
> > Vlastimil Elias
> > Principal Software Engineer
> > jboss.org Development Team
> > 
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list