[keycloak-dev] Plan for "First login with identity brokers"
Marek Posolda
mposolda at redhat.com
Fri Oct 30 05:08:34 EDT 2015
Ok, for now I can do it without possibility for automatic autolink
without re-authentication.
Marek
On 29/10/15 21:35, Stian Thorgersen wrote:
> Linking accounts automatically is fine, but we should not have an
> option that can do that without requiring users to authenticate first.
>
> There are so many cases where a user could have one social account
> compromised. They may not care that much about the account, they may
> never use the service so they've completely forgotten about it.
>
> Imagine the following scenario:
>
> * Tom signed up for GMail in 2005 - figured it was great and continued
> using the service the rest of his life
> * Tom signed up for Twitter in 2005 - figured it was not to his taste
> and never used the account again
> * Tom now read about two factor auth and configured it on his GMail
> account
> * Mary (a bad person) figured that the password to Toms twitter
> account was 'password' so she's gained access to Tom's Twitter - Tom
> doesn't know, but he doesn't care either
> * Tom signs up for a website that uses Keycloak and logs in with his
> trusted GMail account
> * Now if we let Mary login to the website that uses Keycloak with Toms
> old Twitter account, without first proving she's Tom (which she
> can't), would be just plain daft!
>
> On 29 October 2015 at 06:37, Bill Burke <bburke at redhat.com
> <mailto:bburke at redhat.com>> wrote:
>
>
>
> On 10/29/2015 5:42 AM, Vlastimil Elias wrote:
> >
> >
> > On 28.10.2015 21:32, Bill Burke wrote:
> >> If a user has loads of social networks and links a bunch of
> them, if
> >> *any one* of them is compromised the entire account is compromised.
> >> Most sites using social login, the only reason is there is a
> login is
> >> for the appliation to collect marketing data. So, the default
> behavior
> >> should make things as simple as possible for the user.
> >>
> >> At a minimum, by default, the user should not be required to
> link an
> >> account if there is a conflicting duplicate email given by the
> provider.
> >> I have found develoeprs.redhat.com
> <http://develoeprs.redhat.com> very difficult to use.
> >
> > yep, it is difficult to use because it have to follow company's
> policy
> > with unique emails and Keycloak do not provide necessary support for
> > simple and user friendly account linking currently ;-)
> >
>
> Yeah, its not your fault. Its ours.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20151030/688a2954/attachment-0001.html
More information about the keycloak-dev
mailing list