[keycloak-dev] Plan for "First login with identity brokers"

Bill Burke bburke at redhat.com
Tue Nov 3 09:36:04 EST 2015


On 11/3/2015 3:31 AM, Stian Thorgersen wrote:
> Would be even simpler for users if we just removed authentication
> completely and only had the username on the login form - we could just
> add a statement "only use your own username, we trust you to not try to
> login as someone else" ;)
>
> Seriously though - social accounts are hacked all the time and allowing
> this auto linking of accounts without requiring users to authenticate to
> the existing account is just plain scary.
>

Sensitive sites do not use social login to protect their users.


> The solution to the use case you've given is not login with another
> social provider, it's having good account recovery options in place.
>

I hope the argument here is just what the default should be.

IMO, the default should be that a new account per social provider is
created and email duplicates are allowed. Users would manually merge
accounts via the account service panel if they want.

These features are equally important IMO:
* Broker providers should be able to be automatically trusted with a
switch and automatically merge accounts.
* Brokers should have a flow attached to them so that they can require
account merging and such.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
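As an added illustration of the three outcomes discussed in this thread (the default of a new account with duplicate emails allowed, auto-merge for a broker flagged as trusted, and a broker flow that forces re-authentication before merging), here is a small decision function. It is not Keycloak's code; the names `BrokerConfig`, `LocalUser`, `first_broker_login` and `link_account` are assumed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    CREATE_NEW = "create a new local account (duplicate email allowed)"
    AUTO_LINK = "link to the existing account without re-authentication"
    VERIFY_THEN_LINK = "require login to the existing account before linking"


@dataclass
class LocalUser:
    username: str
    email: str
    linked_brokers: set = field(default_factory=set)


@dataclass
class BrokerConfig:
    alias: str
    trusted: bool = False             # the "automatically trusted" switch
    require_merge_flow: bool = False  # broker flow that forces account merging


def first_broker_login(users, broker, identity_email, allow_duplicate_email=True):
    """Decide what to do when a broker asserts an email on first login.

    The email comes from the broker, so it is only as trustworthy as the
    broker itself; an untrusted broker never yields AUTO_LINK.
    """
    matches = [u for u in users if u.email.lower() == identity_email.lower()]
    if not matches:
        return Action.CREATE_NEW, None
    existing = matches[0]
    if broker.trusted:
        return Action.AUTO_LINK, existing
    if broker.require_merge_flow or not allow_duplicate_email:
        return Action.VERIFY_THEN_LINK, existing
    return Action.CREATE_NEW, None


def link_account(existing, broker, authenticated_to_existing):
    """Attach the broker identity only when the existing account was proven
    (user re-authenticated) or the broker is explicitly trusted."""
    if not (broker.trusted or authenticated_to_existing):
        raise PermissionError("refusing to link: existing account not proven")
    existing.linked_brokers.add(broker.alias)
    return existing
```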
