+1 for auto-merge. We modified the code to do that. <br>I like Bill's approach with multiple options though as this is the most flexible and different people will have different requirements. <br><br><div class="gmail_quote"><div dir="ltr">On Tue, Jul 14, 2015 at 11:13 AM Bill Burke <<a href="mailto:bburke@redhat.com">bburke@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
On 7/14/2015 10:30 AM, Marek Posolda wrote:<br>
> On 14.7.2015 15:15, Stian Thorgersen wrote:<br>
>><br>
>> ----- Original Message -----<br>
>>> From: "Marek Posolda" <<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>><br>
>>> To: "Vlastimil Elias" <<a href="mailto:velias@redhat.com" target="_blank">velias@redhat.com</a>>, <a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
>>> Sent: Tuesday, 14 July, 2015 3:05:06 PM<br>
>>> Subject: Re: [keycloak-dev] Improve first login with identity provider<br>
>>><br>
>>> +1 for do it like this. It seems the biggest challenge is merging the<br>
>>> accounts. Not sure if it's better creating temporary user accounts or<br>
>>> rather keep all the state in ClientSession. It seems the both approaches<br>
>>> has pros and cons...<br>
>>><br>
>>> Do we want to support linking multiple accounts during single<br>
>>> authentication? It looks we should support it too to have all the things<br>
>>> covered properly. I mean the usecase like:<br>
>>><br>
>>> 1) User is registered with username/password and email "<a href="mailto:john@gmail.com" target="_blank">john@gmail.com</a>"<br>
>>> 2) User clicks to "Sign in with Facebook" and authenticates. Keycloak<br>
>>> displays "There is already account with <a href="mailto:john@gmail.com" target="_blank">john@gmail.com</a>. Do you want to<br>
>>> merge account?"<br>
>>> 3) Now login screen is displayed again (IMO it should be without<br>
>>> Facebook button this time) and user click to "Sign in with Google"<br>
>>> 4) Keycloak again displays "There is already account with<br>
>>> <a href="mailto:john@gmail.com" target="_blank">john@gmail.com</a>. Do you want to merge account?"<br>
>>> 5) Now login screen is displayed again (without both Facebook and Google<br>
>>> buttons) and user finally login with username/password . After<br>
>>> authentication is user <a href="mailto:john@gmail.com" target="_blank">john@gmail.com</a> linked with both Facebok and Google<br>
>> Yes, but I had a different approach in mind:<br>
>><br>
>> 1) User is registered with username/password and email "<a href="mailto:john@gmail.com" target="_blank">john@gmail.com</a>"<br>
>> 2) User clicks to "Sign in with Facebook" and authenticates. Keycloak creates the account, but sets the email address '<a href="mailto:john@gmail.com" target="_blank">john@gmail.com</a>' as an tmp attribute. Then it displays existing account blah blah, do you want to merge?<br>
>> 3) User clicks merge and is shown a login screen without username, but only password (and any linked identity providers)<br>
>> 4) Once user is logged in the account created in step 2 is merged with the account created in step 1. After it's merged the account from step 2 is deleted.<br>
>><br>
>> This lets the user merge the account from Facebook at any point as long as it's within the expiration time. Newly created (but not active accounts, i.e. outstanding required actions) will have a expiration time and be removed by a background thread.<br>
> Yeah, I agree with creating separate temporary accounts. Was just<br>
> wondering about use-case with chaining multiple identity providers<br>
> during single authentication (both Facebook and Google). In this case,<br>
> there will be 2 temporary accounts, so the question is if:<br>
> - The "facebook" temporary account is merged with "google" temporary<br>
> account after successful Google authentication (my step 4)<br>
> - Both "facebook" and "google" temporary accounts are merged with the<br>
> original <a href="mailto:john@gmail.com" target="_blank">john@gmail.com</a> account after authentication is completely<br>
> finished (my step 5)<br>
><br>
> but maybe this is implementation detail? Not sure...<br>
><br>
> IMO the period for keep these temporary accounts should be really small.<br>
> I think user should finish the authentication (which will delete<br>
> temporary accounts) within minutes (not the other day or so) and<br>
> shouldn't never be assigned access token to. Otherwise there might be<br>
> issues with temporary account already linked with some application data<br>
> etc...<br>
><br>
> Also for your step (3), we don't want to be limited just for the default<br>
> password form right? I think that with Authentication SPI, people may<br>
> want various authentication mechanisms (maybe some don't even want to<br>
> use password at all). The tricky part is, that username is already known<br>
> and we want people to just provide credentials (aka password) . But IMO<br>
> if we limit only to form with password + identity providers, the issue<br>
> will return again after some time...<br>
><br>
<br>
This is WAY too complicated. Please see my long previous email. There<br>
should never be any temporary accounts. I'll summarize my previous<br>
email again:<br>
<br>
* Existing accounts should only be detected by email. "Bill Burke" gets<br>
56 million hits on Google. It is a very common name.<br>
<br>
Default behavior:<br>
1) User registers with "<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>" and password<br>
2) User does a social login, new account is created "<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>"<br>
is stored in a user attribute. i.e. "Alternative email".<br>
<br>
Website requires linking:<br>
1) User registers with "<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>" and password<br>
2) User logins with Facebook, "<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>" exists. Prompted<br>
"Account exists with same email you have registered at Facebook. You<br>
have been sent an email verification message. Please follow the<br>
directions of this email to login"<br>
3) User goes to Inbox, clicks link in email, message screen appears<br>
"Your Facebook account has been linked. Click "Ok" to continue.". User<br>
gets forwarded to website.<br>
4) Facebook is linked to pre-existing "<a href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>" account.<br>
<br>
This would be implemented with Authentication Flows. There would be no<br>
temporary account. Step #2 would create a ClientSession model and store<br>
all the facebook metadata within it. Step #3 would import the facebook<br>
metadata.<br>
<br>
Alternatively, you could just trust the IDP and do the link<br>
automatically. Does Google et. al. send an "email-verified" metadata?<br>
<br>
<br>
User wants to link accounts:<br>
1) User goes to Account Service, Account LInking page<br>
2) User is provided with list of IDPs i.e. (Facebook, Google, etc). And<br>
clicks one.<br>
3) User is prompted to login via that IDP<br>
4) User receives prompt "Your Facebook account has been linked. Click<br>
"OK" to continue". User gets forwarded to website.<br>
<br>
In this scenario, there is no removal of old accounts. The initiating<br>
account,X, would import the old Facebook account, Y. X would create a<br>
new federation link to Facebook. Y would be disabled and its facebook<br>
link removed. Y is marked as "merged" or "linked" and points to account<br>
X. You need to keep Y around as the user may have done a bunch of<br>
actions under that account...i.e. posted on <a href="http://jboss.org" rel="noreferrer" target="_blank">jboss.org</a> forums.<br>
<br>
<br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a href="http://bill.burkecentral.com" rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div>