<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">I have a prototype in progress, which I
      am going to present on the Thursday call. It's based on the
      authentication SPI, so it's quite flexible.<br>
      <br>
      Current default behaviour is, when it detects a duplicated email, it
      displays the page with "Duplication detected. What do you want to
      do?" Then the user can:<br>
      - Go back and edit the profile. So the user is not required to link
      the provider as long as he provides a different unique email<br>
      - Link the provider. At this point, he needs either to
      reauthenticate in a different way (password+OTP or an already linked
      identity provider) or confirm the linking via email<br>
      <br>
      Marek<br>
      <br>
      On 03/11/15 09:31, Stian Thorgersen wrote:<br>
    </div>
    <blockquote
cite="mid:CAJgngAebA3bKZPjDcJSNTo_eK9PLS4d_7Dt++mUz1z58eAMgmQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Would be even simpler for users if we just removed
        authentication completely and only had the username on the login
        form - we could just add a statement "only use your own
        username, we trust you to not try to login as someone else" ;)
        <div><br>
        </div>
        <div>Seriously though - social accounts are hacked all the time
          and allowing this auto linking of accounts without requiring
          users to authenticate to the existing account is just plain
          scary.</div>
        <div><br>
        </div>
        <div>The solution to the use case you've given is not login with
          another social provider, it's having good account recovery
          options in place.
          <div>
            <div class="gmail_extra"><br>
              <div class="gmail_quote">On 30 October 2015 at 14:57, Bill
                Burke <span dir="ltr">&lt;<a moz-do-not-send="true"
                    href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;</span>
                wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">There's
                  an alternative problem.  Logs in with Twitter in
                  2005.  Logs in again 2015 with Google.  Is required to
                  link with Twitter, says "screw it" because he doesn't
                  remember his Twitter password and just closes his
                  browser and doesn't use the website.<br>
                  <br>
                  I've been on really popular high-traffic sites where
                  their google login was broken for months (<a
                    moz-do-not-send="true" href="http://mmqb.si.com"
                    rel="noreferrer" target="_blank">mmqb.si.com</a>
                  which is an NFL website for Sports Illustrated).  I
                  used my Facebook identity instead.  If I had been
                  required to merge accounts manually, I would have not
                  been able to use the site.<span class=""><br>
                    <br>
                    On 10/29/2015 4:35 PM, Stian Thorgersen wrote:<br>
                  </span>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex"><span
                      class="">
                      Linking accounts automatically is fine, but we
                      should not have an option<br>
                      that can do that without requiring users to
                      authenticate first.<br>
                      <br>
                      There are so many cases where a user could have
                      one social account<br>
                      compromised. They may not care that much about the
                      account, they may<br>
                      never use the service so they've completely
                      forgotten about it.<br>
                      <br>
                      Imagine the following scenario:<br>
                      <br>
                      * Tom signed up for GMail in 2005 - figured it was
                      great and continued<br>
                      using the service the rest of his life<br>
                      * Tom signed up for Twitter in 2005 - figured it
                      was not to his taste<br>
                      and never used the account again<br>
                      * Tom now read about two factor auth and
                      configured it on his GMail account<br>
                      * Mary (a bad person) figured that the password to
                      Tom's Twitter account<br>
                      was 'password' so she's gained access to Tom's
                      Twitter - Tom doesn't<br>
                      know, but he doesn't care either<br>
                      * Tom signs up for a website that uses Keycloak
                      and logs in with his<br>
                      trusted GMail account<br>
                      * Now if we let Mary login to the website that
                      uses Keycloak with Tom's<br>
                      old Twitter account, without first proving she's
                      Tom (which she can't),<br>
                      would be just plain daft!<br>
                      <br>
                      On 29 October 2015 at 06:37, Bill Burke &lt;<a
                        moz-do-not-send="true"
                        href="mailto:bburke@redhat.com" target="_blank">bburke@redhat.com</a>&gt;<br>
                    </span><span class="">
                      wrote:<br>
                      <br>
                      <br>
                      <br>
                          On 10/29/2015 5:42 AM, Vlastimil Elias wrote:<br>
                          &gt;<br>
                          &gt;<br>
                          &gt; On 28.10.2015 21:32, Bill Burke wrote:<br>
                          &gt;&gt; If a user has loads of social
                      networks and links a bunch of them, if<br>
                          &gt;&gt; *any one* of them is compromised the
                      entire account is compromised.<br>
                          &gt;&gt; For most sites using social login, the
                      only reason there is a login is<br>
                          &gt;&gt; for the application to collect
                      marketing data.  So, the default behavior<br>
                          &gt;&gt; should make things as simple as
                      possible for the user.<br>
                          &gt;&gt;<br>
                          &gt;&gt; At a minimum, by default, the user
                      should not be required to link an<br>
                          &gt;&gt; account if there is a conflicting
                      duplicate email given by the provider.<br>
                    </span>
                        &gt;&gt;    I have found <a moz-do-not-send="true"
                      href="http://develoeprs.redhat.com"
                      rel="noreferrer" target="_blank">develoeprs.redhat.com</a>
                    very difficult<span class=""><br>
                          to use.<br>
                          &gt;<br>
                          &gt; yep, it is difficult to use because it
                      has to follow the company's policy<br>
                          &gt; with unique emails and Keycloak does not
                      provide the necessary support for<br>
                          &gt; simple and user-friendly account linking
                      currently ;-)<br>
                          &gt;<br>
                      <br>
                          Yeah, it's not your fault.  It's ours.<br>
                      <br>
                      <br>
                          --<br>
                          Bill Burke<br>
                          JBoss, a division of Red Hat<br>
                          <a moz-do-not-send="true"
                        href="http://bill.burkecentral.com"
                        rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
                         
                      _______________________________________________<br>
                          keycloak-dev mailing list<br>
                    </span>
                        <a moz-do-not-send="true"
                      href="mailto:keycloak-dev@lists.jboss.org"
                      target="_blank">keycloak-dev@lists.jboss.org</a><br>
                        <a moz-do-not-send="true"
                      href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
                      rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
                    <br>
                    <br>
                  </blockquote>
                  <div class="HOEnZb">
                    <div class="h5">
                      <br>
                      -- <br>
                      Bill Burke<br>
                      JBoss, a division of Red Hat<br>
                      <a moz-do-not-send="true"
                        href="http://bill.burkecentral.com"
                        rel="noreferrer" target="_blank">http://bill.burkecentral.com</a><br>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
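    <br>
    <div>Added example, not part of the thread and not Keycloak's own code: a
      small Python model of the duplicate-email decision Marek describes,
      run against the Tom/Mary scenario from Stian's message. It compares
      the silent auto-link behaviour with a verify-before-link policy that
      accepts the three proofs named above (a fresh login to an already
      linked provider, password+OTP, or a confirmation token mailed to the
      account's address). The class and function names (Realm, Identity,
      Account, social_login, issue_email_confirmation), the sample users and
      the set-based OTP check are assumptions made for this illustration.</div>

```python
# Added illustration for the thread above, not Keycloak's own code: a model of the
# duplicate-email conflict on social login, comparing silent auto-linking with
# Marek's verify-before-link flow. All names and sample data here are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

AUTO_LINK = "auto_link"        # link the new identity as soon as the email matches
VERIFY_THEN_LINK = "verify"    # link only after proof of control of the account

@dataclass(frozen=True)
class Identity:
    provider: str   # "google", "twitter", ...
    subject: str    # provider-side user id
    email: str      # email asserted by the provider

@dataclass
class Account:
    username: str
    email: str
    password_hash: bytes
    linked: set = field(default_factory=set)     # {(provider, subject)}
    otp_codes: set = field(default_factory=set)  # constructed stand-in for a TOTP check

def hash_password(pw):
    # fixed salt keeps the example deterministic; use a per-user salt in a real system
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"example-salt", 10_000)

class Realm:
    def __init__(self):
        self.accounts = {}      # email -> Account
        self.email_tokens = {}  # token -> (account email, identity being linked)

    def register(self, username, email, password, identity):
        key = (identity.provider, identity.subject)
        self.accounts[email] = Account(username, email, hash_password(password), {key})
        return self.accounts[email]

    def issue_email_confirmation(self, account, identity):
        # the token is mailed to account.email, so only a reader of that inbox has it
        token = secrets.token_urlsafe(16)
        self.email_tokens[token] = (account.email, identity)
        return token

    def proof_is_valid(self, account, identity, proof):
        kind = proof.get("kind")
        if kind == "linked_identity":   # fresh login to a provider already linked
            return (proof["provider"], proof["subject"]) in account.linked
        if kind == "password_otp":
            pw_ok = hmac.compare_digest(hash_password(proof["password"]), account.password_hash)
            return pw_ok and proof["otp"] in account.otp_codes
        if kind == "email_token":       # single use: consumed whether or not it matches
            return self.email_tokens.pop(proof["token"], None) == (account.email, identity)
        return False

    def social_login(self, identity, policy, proof=None):
        """Return (outcome, account) for a login asserting `identity`."""
        key = (identity.provider, identity.subject)
        existing = self.accounts.get(identity.email)
        if existing is None:
            self.accounts[identity.email] = Account(identity.email, identity.email, b"", {key})
            return "created", self.accounts[identity.email]
        if key in existing.linked:
            return "logged_in", existing
        # same email, but from an identity not yet linked to the account
        if policy == AUTO_LINK:
            existing.linked.add(key)
            return "linked", existing
        if proof is None:
            return "duplication_detected", None   # show the "what do you want to do?" page
        if self.proof_is_valid(existing, identity, proof):
            existing.linked.add(key)
            return "linked", existing
        return "denied", None

def run_scenario(policy):
    """Stian's scenario: Tom's account came from Google; his forgotten Twitter
    account (same email) is now in Mary's hands."""
    realm = Realm()
    tom_google = Identity("google", "g-tom", "tom@example.com")
    tom_twitter = Identity("twitter", "t-tom", "tom@example.com")
    tom = realm.register("tom", "tom@example.com", "correct horse", tom_google)
    tom.otp_codes.add("123456")
    results = {}
    # 1. Mary logs in with the Twitter account and offers no proof of control
    outcome, acct = realm.social_login(tom_twitter, policy)
    results["mary_no_proof"] = (outcome, acct is tom)
    # 2. Mary tries a guessed confirmation token
    outcome, acct = realm.social_login(tom_twitter, policy, {"kind": "email_token", "token": "guess"})
    results["mary_guessed_token"] = (outcome, acct is tom)
    # 3. Tom reads the confirmation mail sent to his own inbox and links Twitter himself
    token = realm.issue_email_confirmation(tom, tom_twitter)
    outcome, acct = realm.social_login(tom_twitter, policy, {"kind": "email_token", "token": token})
    results["tom_email_token"] = (outcome, acct is tom)
    return results

if __name__ == "__main__":
    for policy in (AUTO_LINK, VERIFY_THEN_LINK):
        print(policy, run_scenario(policy))
```

    <div>Under AUTO_LINK the first step already hands Mary Tom's account;
      under VERIFY_THEN_LINK she only ever sees the duplication page or a
      denial, while Tom links the second provider once he presents one of
      the accepted proofs. Confirmation tokens are single use and bound to
      both the account email and the identity being linked, so a token
      issued for one linking request cannot be replayed for another.</div>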
    <br>
  </body>
</html>