[keycloak-dev] Plan for "First login with identity brokers"

Marek Posolda mposolda at redhat.com
Fri Oct 30 05:08:34 EDT 2015


Ok, for now I can do it without the possibility of automatic autolinking 
without re-authentication.

Marek

On 29/10/15 21:35, Stian Thorgersen wrote:
> Linking accounts automatically is fine, but we should not have an 
> option that can do that without requiring users to authenticate first.
>
> There are so many cases where a user could have one social account 
> compromised. They may not care that much about the account, they may 
> never use the service so they've completely forgotten about it.
>
> Imagine the following scenario:
>
> * Tom signed up for GMail in 2005 - figured it was great and continued 
> using the service the rest of his life
> * Tom signed up for Twitter in 2005 - figured it was not to his taste 
> and never used the account again
> * Tom has now read about two-factor auth and configured it on his GMail 
> account
> * Mary (a bad person) figured that the password to Tom's Twitter 
> account was 'password', so she's gained access to Tom's Twitter - Tom 
> doesn't know, but he doesn't care either
> * Tom signs up for a website that uses Keycloak and logs in with his 
> trusted GMail account
> * Now if we let Mary log in to the website that uses Keycloak with Tom's 
> old Twitter account, without first proving she's Tom (which she 
> can't), that would be just plain daft!
>
> On 29 October 2015 at 06:37, Bill Burke <bburke at redhat.com> wrote:
>
>     On 10/29/2015 5:42 AM, Vlastimil Elias wrote:
>     >
>     >
>     > On 28.10.2015 21:32, Bill Burke wrote:
>     >> If a user has loads of social networks and links a bunch of them, if
>     >> *any one* of them is compromised the entire account is compromised.
>     >> For most sites using social login, the only reason there is a login
>     >> is for the application to collect marketing data. So, the default
>     >> behavior should make things as simple as possible for the user.
>     >>
>     >> At a minimum, by default, the user should not be required to link an
>     >> account if there is a conflicting duplicate email given by the
>     >> provider. I have found developers.redhat.com very difficult to use.
>     >
>     > yep, it is difficult to use because it has to follow the company's
>     > policy with unique emails, and Keycloak does not currently provide the
>     > necessary support for simple and user-friendly account linking ;-)
>     >
>
>     Yeah, it's not your fault.  It's ours.
>
>
>     --
>     Bill Burke
>     JBoss, a division of Red Hat
>     http://bill.burkecentral.com
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
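The two policies argued over in this thread, replayed as an added Python model. This is illustration code written for this page, not Keycloak's own implementation: the names Realm, LocalUser, BrokeredIdentity, first_broker_login and LinkingRequired are hypothetical, and the users, e-mail addresses and provider ids are constructed for the example. The `auto_link_without_reauth` flag models the option Stian rejects (link an incoming brokered identity to an existing local account on a matching e-mail alone); with it off, the existing account has to be re-authenticated first, either with its password or with a fresh login through an IdP that is already linked to it.

```python
"""Toy model of "first broker login" with and without re-authentication.

Added illustration, not Keycloak code: all class and function names are
hypothetical and all sample data is constructed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class BrokeredIdentity:
    """What an external IdP (Google, Twitter, ...) asserts about the user."""
    idp: str
    external_id: str
    email: str


@dataclass
class LocalUser:
    username: str
    email: str
    password: Optional[str] = None          # plaintext only because this is a toy
    links: Set[Tuple[str, str]] = field(default_factory=set)  # (idp, external_id)


class LinkingRequired(Exception):
    """Raised when the existing account must be re-authenticated before linking."""


class Realm:
    def __init__(self, auto_link_without_reauth: bool):
        # True models linking on a matching e-mail alone; False requires proof
        # of control over the existing account before linking.
        self.auto_link_without_reauth = auto_link_without_reauth
        self.users = {}  # username -> LocalUser

    def find_by_email(self, email: str) -> Optional[LocalUser]:
        return next((u for u in self.users.values() if u.email == email), None)

    def find_by_link(self, ident: BrokeredIdentity) -> Optional[LocalUser]:
        key = (ident.idp, ident.external_id)
        return next((u for u in self.users.values() if key in u.links), None)

    def _proves_control(self, user: LocalUser, reauth) -> bool:
        """Re-authentication: the existing account's password, or a fresh
        assertion from an IdP that is *already* linked to that account."""
        if isinstance(reauth, str) and user.password is not None:
            return hmac.compare_digest(user.password, reauth)
        if isinstance(reauth, BrokeredIdentity):
            return (reauth.idp, reauth.external_id) in user.links
        return False

    def first_broker_login(self, ident: BrokeredIdentity, reauth=None) -> LocalUser:
        """Log in with a brokered identity; returns the local account used."""
        user = self.find_by_link(ident)
        if user is not None:                       # already linked: ordinary login
            return user
        existing = self.find_by_email(ident.email)
        if existing is None:                       # no conflict: create and link
            user = LocalUser(username=ident.email, email=ident.email)
            user.links.add((ident.idp, ident.external_id))
            self.users[user.username] = user
            return user
        # Duplicate e-mail: an account with this address already exists.
        if not self.auto_link_without_reauth and not self._proves_control(existing, reauth):
            raise LinkingRequired(
                f"{ident.email} already has an account; authenticate as it to link {ident.idp}")
        existing.links.add((ident.idp, ident.external_id))
        return existing


def mary_scenario(auto_link: bool) -> str:
    """Replays the thread's scenario; 'linked' means Mary got Tom's account."""
    realm = Realm(auto_link_without_reauth=auto_link)
    # Tom signs up with his trusted GMail account (constructed data).
    tom = realm.first_broker_login(BrokeredIdentity("google", "g-1001", "tom@example.com"))
    # Mary holds Tom's forgotten Twitter account, which asserts the same e-mail.
    twitter = BrokeredIdentity("twitter", "tw-42", "tom@example.com")
    try:
        victim = realm.first_broker_login(twitter)   # Mary cannot re-authenticate as Tom
    except LinkingRequired:
        return "blocked"
    return "linked" if victim is tom else "separate"


def tom_links_twitter() -> bool:
    """Tom himself links Twitter after proving control via his linked Google login."""
    realm = Realm(auto_link_without_reauth=False)
    google = BrokeredIdentity("google", "g-1001", "tom@example.com")
    tom = realm.first_broker_login(google)
    twitter = BrokeredIdentity("twitter", "tw-42", "tom@example.com")
    tom_again = realm.first_broker_login(twitter, reauth=google)
    return tom_again is tom and ("twitter", "tw-42") in tom.links


if __name__ == "__main__":
    print("auto-link without re-auth:", mary_scenario(True))    # linked
    print("re-auth required:         ", mary_scenario(False))   # blocked
    print("Tom linking with re-auth: ", tom_links_twitter())     # True
```

The point Bill makes about many linked providers also falls out of the model: once a provider is in `links`, a later login through it is an ordinary login with no further check, so the account is only as strong as its weakest linked provider. Requiring re-authentication before a link is created does not change that, but it does stop an attacker from using a compromised, e-mail-matching provider to attach themselves to an account they never controlled.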
