<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">OK, for now I can do it without the
possibility of automatic autolink without re-authentication. <br>
<br>
Marek<br>
<br>
On 29/10/15 21:35, Stian Thorgersen wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAfC-nOFNcJWV4OM5-wPYs-7n9XWkb53CAwn6kSimyeA3w@mail.gmail.com"
type="cite">
<div dir="ltr">Linking accounts automatically is fine, but we
should not have an option that can do that without requiring
users to authenticate first.
<div><br>
</div>
<div>There are so many cases where a user could have one social
account compromised. They may not care that much about the
account, they may never use the service so they've completely
forgotten about it.</div>
<div><br>
</div>
<div>Imagine the following scenario:</div>
<div><br>
</div>
<div>* Tom signed up for GMail in 2005 - figured it was great
and continued using the service the rest of his life</div>
<div>* Tom signed up for Twitter in 2005 - figured it was not to
his taste and never used the account again </div>
<div>* Tom now read about two-factor auth and configured it on
his GMail account</div>
<div>* Mary (a bad person) figured that the password to Tom's
Twitter account was 'password' so she's gained access to Tom's
Twitter - Tom doesn't know, but he doesn't care either</div>
<div>* Tom signs up for a website that uses Keycloak and logs in
with his trusted GMail account</div>
<div>* Now if we let Mary log in to the website that uses
Keycloak with Tom's old Twitter account, without first proving
she's Tom (which she can't), that would be just plain daft!</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 29 October 2015 at 06:37, Bill Burke
<span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class=""><br>
<br>
On 10/29/2015 5:42 AM, Vlastimil Elias wrote:<br>
><br>
><br>
> On 28.10.2015 21:32, Bill Burke wrote:<br>
>> If a user has loads of social networks and links
a bunch of them, if<br>
>> *any one* of them is compromised the entire
account is compromised.<br>
>> For most sites using social login, the only reason
there is a login is<br>
>> for the application to collect marketing data. 
So, the default behavior<br>
>> should make things as simple as possible for the
user.<br>
>><br>
>> At a minimum, by default, the user should not be
required to link an<br>
>> account if there is a conflicting duplicate email
given by the provider.<br>
>> I have found <a moz-do-not-send="true"
href="http://develoeprs.redhat.com" rel="noreferrer"
target="_blank">develoeprs.redhat.com</a> very difficult
to use.<br>
><br>
> yep, it is difficult to use because it has to follow
company's policy<br>
> with unique emails and Keycloak does not provide
necessary support for<br>
> simple and user friendly account linking currently
;-)<br>
><br>
<br>
</span>Yeah, it's not your fault. It's ours.<br>
<span class="im HOEnZb"><br>
<br>
--<br>
Bill Burke<br>
JBoss, a division of Red Hat<br>
<a moz-do-not-send="true"
href="http://bill.burkecentral.com" rel="noreferrer"
target="_blank">http://bill.burkecentral.com</a><br>
</span>
<div class="HOEnZb">
<div class="h5">_______________________________________________<br>
keycloak-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
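<p>The rule argued for in this thread (link on a matching email only after the user has authenticated to the existing account), modelled against the Tom/Mary scenario. This is an added example, not part of the original emails and not Keycloak code; every class, function and value in it is hypothetical or constructed.</p>

```python
# Added illustration; all names here are hypothetical, not Keycloak APIs.
from dataclasses import dataclass, field

@dataclass
class LocalUser:
    username: str
    email: str
    links: set = field(default_factory=set)  # (provider, subject) pairs already linked

@dataclass
class BrokeredLogin:
    provider: str  # e.g. "twitter"
    subject: str   # account id at the provider
    email: str     # email asserted by the provider

def first_broker_login(users, login, reauthenticated_as=None):
    """Decide what to do with a login arriving from an identity provider.

    reauthenticated_as: username the session has just proven control of with
    an existing credential or an already linked provider (None if it has not).
    Returns (decision, username).
    """
    key = (login.provider, login.subject)
    for user in users:
        if key in user.links:
            return ("LOGIN", user.username)  # the owner linked this earlier
    match = next((u for u in users if u.email.lower() == login.email.lower()), None)
    if match is None:
        users.append(LocalUser(login.email, login.email, {key}))
        return ("CREATED", login.email)
    # Email conflict: the provider's email claim alone is not proof of identity.
    if reauthenticated_as != match.username:
        return ("REAUTH_REQUIRED", match.username)
    match.links.add(key)  # the owner has proven themselves, so linking is safe
    return ("LINKED", match.username)

def scenario():
    """Constructed data following the Tom/Mary scenario from the thread."""
    users = [LocalUser("tom", "tom@example.com", {("google", "g-tom")})]
    twitter = BrokeredLogin("twitter", "t-tom", "tom@example.com")
    mary = first_broker_login(users, twitter)        # Mary controls only Twitter
    mary_retry = first_broker_login(users, twitter)  # refusal leaves no link behind
    tom = first_broker_login(users, twitter, reauthenticated_as="tom")
    # Once Tom links it himself, Twitter becomes a login path for his account,
    # which is the "any one of them is compromised" trade-off raised in the thread.
    later = first_broker_login(users, twitter)
    return mary, mary_retry, tom, later
```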
</body>
</html>