----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "Bill Burke"
<bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 10 March, 2014 3:33:59 PM
Subject: Re: [keycloak-dev] Linking social accounts
On 10.3.2014 15:13, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 10 March, 2014 1:01:41 PM
>> Subject: Re: [keycloak-dev] Linking social accounts
>>
>>
>> On 3/10/2014 6:02 AM, Marek Posolda wrote:
>>> I've sent PR https://github.com/keycloak/keycloak/pull/275 for
>>> linking/unlinking social accounts into already existing Keycloak user
>>> account.
>>>
>>> I've created another JIRA https://issues.jboss.org/browse/KEYCLOAK-354,
>>> which will allow that administrator will be able to see, which social
>>> networks are connected for user 'john'. We discussed with Stian that
>>> read-only possibility for admin is probably sufficient (ie. admin can
>>> just review that john is linked to Facebook and Google, but he doesn't
>>> have possibility to remove this linking or add new linking of this user
>>> to other social networks).
>>>
>>> There is also this bug https://issues.jboss.org/browse/KEYCLOAK-334,
>>> which means that users registered through social can't change their
>>> passwords because changing password requires filling already existing
>>> password and user 'john' doesn't have existing password when he
>>> registered himself through Facebook... It seems that for user without
>>> password, there should be possibility to skip the need to fill existing
>>> password. Maybe there should be new model method like:
>>>
>> I think I submitted a similar bug to this in regards to "forgot password".
> In the account management pages you need to provide the existing password.
> The login pages will allow you to reset the password through a link in an
> email without the password.
>
> The account management pages asks for this password to prevent hijacking an
> account if someone forgets to logout from a shared machine.
>
>> I also want you to think about linking Social Accounts with existing
>> Keycloak Accounts. I believe sso.jboss.org will want to do this as I
>> think people will want to use their Github user accounts to log into
>> jboss.org JIRA without having to redo permissions.
This is what I did in my recent PR. So currently each user have new tab
"social" in account management where he can link/unlink social networks
with his account. He can obviously use just social networks configured
for particular realm. Sorry that I did not describe it in my first mail.
>>
>>
>>> boolean RealmModel hasPassword(UserModel user);
>>>
>>> or even more flexible:
>>>
>>> boolean RealmModel hasCredential(UserModel user,String credentialType);
>>>
>>> Not sure if this is sufficient though, because users registered through
>>> social won't need to fill existing passwords, which could mean that
>>> someone can hijack their session as Stian pointed out.
>>>
>>> So I was also thinking if we can require that users will need to fill
>>> their password if they are registered through social. Maybe some
>>> administrators don't want this, but in fact many sites on Internet
>>> requires this for Social registration and in fact that's what I did in
>>> GateIn portal as well.
>>>
>> Why would a password be required for a social login? The whole point of
>> a social login is to delegate authentication. I can see you maybe
>> wanting to add 2-factor auth and other security constraints to a social
>> login, but a password? no.
> Someone may have initially started using social login, but later wants to
> change to a regular login. To do so they would have to set a password.
> Also, setting a password would allow someone a backup way of accessing
> their account should the social network be done, they've lost their
> account there, or for whatever other reason they can't use the social
> login any more.
>
> The best user experience would come from having a set password option in
> account management without requiring the 'current' password as it doesn't
> exist. I think that's ok, but I'm a little bit worried about that allowing
> someone to potentially hijack an account (see above).
>
>>
>>> So I wonder if we shouldn't remove the realm boolean attribute
>>> "updateProfileOnInitialSocialLogin" and add new attribute like
>>> "socialRegistrationRequiredActions", which will contain array of
>>> required actions after social registration. So for example:
>>> - If administrator wants users to be registered automatically through
>>> social without need to confirm anything, he can use empty array (same
>>> like currently updateProfileOnInitialSocialLogin=false)
>>> - If administrator wants users to confirm their attributes (firstName,
>>> lastname, email...), he will just add action UPDATE_PROFILE (same like
>>> currently updateProfileOnInitialSocialLogin=true)
>>> - If administrator wants users to confirm attributes and also fill
>>> password, he will add both UPDATE_PROFILE and UPDATE_PASSWORD into this
>>> array
> I think that's a good idea. This would also be nice to have for standard
> registrations as well. At the moment we have an on/off for validate
> password, but it would be better to have two fields:
>
> - Actions on first login
> - Actions on first social login
>
> These would be multi-select fields, same as we have for required fields on
> a users account.
yeah, I can create JIRA for these and assign myself the one for "social"
login? I wonder if it's really not sufficient to provide the possibility
of these required actions and address
https://issues.jboss.org/browse/KEYCLOAK-334 just with this?
I can imagine that:
- some admins want users to always set up their password immediately
after social login. So they can add UPDATE_PASSWORD to required actions
- Other administrators may set up SMTP password, so people can use
"forgot password" functionality if they want to set up/reset password.
- Other administrators don't want users to use passwords at all if they
decided to register with social networks as Bill mentioned. I can
imagine that some administrator doesn't want to maintain user passwords
at DB at all and he wants all users to be registered through some social
network like Facebook
There's a JIRA for social only login. This would probably be something as simple as
adding an option to disable normal login, which would remove the username/password fields
from login form, and also remove the set password link in account management. Pretty
simple to add.
>
>>
>> I'd like to see an option for "Do you have an existing account? If so,
>> please log in to link this account to your social account."
> That would be nice, and we wanted to add some integration with the login
> forms later. This time around it's been focused on the account management.
> So you can add a social link to an existing account (doesn't matter if
> that existing account uses standard password login, or social login). You
> can also add as many as you want, so you can login to the same account
> with username/password or any of the social providers we have.
Possibility to link with existing KC account after successful social
login seems to be much more tricky than linking/unlinking accounts in
Account management when we know that user is already successfully logged
in Keycloak.
Example flow:
1) I want to login into Keycloak and I click to "Login with google"
2) After login in google as user "john(a)gmail.com" and after confirming
permissions, I am redirected back to Keycloak. Now Keycloak asks me: Do
you have an existing account?
3) I click to "yes"
4) Now what exactly should happen? IMO it should display login form
again, but without "Login with google" button. The tricky thing is, that
I am not yet logged in Keycloak, but I want to link existing Keycloak
account with google account "john(a)gmail.com". So it should allow me to
login, but obviously now without possibility to "login with google".
5) Now user can click to "Login with Facebook", but again he doesn't
have facebook account linked yet. So now it returns to step 2. In the
end, there could be something like recursive chain of 5 social networks
to link during one login.
I think what we have now is sufficient. Anything we add will make the most common case
(one social or password) less optimal.
We could add a way for users to delete their account, as well as merging accounts.
Maybe to simplify this, in step 4 it shouldn't be allowed to login with
other social network, but just with password or TOTP?
Marek
>
>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev