+1 for doing it like this. It seems the biggest challenge is merging the
accounts. Not sure if it's better to create temporary user accounts or
rather keep all the state in ClientSession. It seems both approaches
have pros and cons...
Do we want to support linking multiple accounts during a single
authentication? It looks like we should support it too, to have all the things
covered properly. I mean a use case like:
1) User is registered with username/password and email "john(a)gmail.com"
2) User clicks "Sign in with Facebook" and authenticates. Keycloak
displays "There is already an account with john(a)gmail.com. Do you want to
merge accounts?"
3) Now the login screen is displayed again (IMO it should be without the
Facebook button this time) and the user clicks "Sign in with Google"
4) Keycloak again displays "There is already an account with
john(a)gmail.com. Do you want to merge accounts?"
5) Now the login screen is displayed again (without both the Facebook and Google
buttons) and the user finally logs in with username/password. After
authentication, user john(a)gmail.com is linked with both Facebook and Google.
Marek
On 14.7.2015 11:22, Vlastimil Elias wrote:
+1000 for all of these improvements
On 14.7.2015 09:49, Stian Thorgersen wrote:
> We should improve the first login with identity provider flow as it's less than
> elegant at the moment. Some of the suggestions below are how it already works and some are not!
>
> The mechanism to detect existing accounts should include:
>
> * Username
> * Email
> * Firstname and lastname
>
> This needs to work both initially on the callback from the identity provider, but
> also after the user has updated the profile. If an existing account is detected the user
> should be given the option to do one of the following:
>
> * Cancel
> * Merge - this will require the user to authenticate as the existing user. Once
> authenticated, the attributes, roles and identity-provider links from the new user are
> copied to the existing user (not overriding existing attributes/roles/links)
> * Continue - only if existing account is found by firstname and lastname
>
> For this to work it's probably easier to initially always create the account. To
> get around the case where email is duplicated we can set that as a temporary attribute
> rather than the email.
>
> We also need to make sure we can define what attributes are required for a user in a
> realm, including validation of each attribute. If any of these attributes are missing the
> user will have to update the profile.
>
> Finally, we should add an expiry on a user account. If a user initiates the login
> with an identity provider, but never completes the above actions (for example closes the
> browser on the existing account screen, or the update profile screen) the account should
> automatically be removed after a given time.
>
> With regards to required actions it should be possible to configure one or more
> required actions for first login for a specific identity provider.
>
> It would be nice to nail down this flow once and for all! If we can all agree on the
> flow, we can allocate someone to implement it for 1.5.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
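The flow discussed in this thread, as an added model written for this page; it is not Keycloak code and uses none of Keycloak's APIs. It follows Stian's proposal (always create a temporary account on the IdP callback, park a duplicate email in an attribute, detect an existing account by username, then email, then first+last name, merge without overriding, expire abandoned temporaries) and Marek's multi-link scenario (the login screen is re-shown without the providers already used in this attempt, and all pending links are merged once the user has authenticated as the existing user). The attribute name `pending.email`, the 600-second TTL, the `provider.subject` fallback username and the `Decision` shape are assumptions made here, not anything the thread specifies.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed values: the thread says "a given time" and "a temporary attribute" without naming them.
TEMP_ACCOUNT_TTL = 600                 # seconds an unfinished temporary account may live
PENDING_EMAIL_ATTR = "pending.email"   # where a duplicate email is parked on the temporary user

@dataclass
class User:
    username: str
    email: Optional[str]
    first_name: str
    last_name: str
    attributes: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)
    idp_links: dict = field(default_factory=dict)   # provider alias -> subject at the IdP
    created_at: float = 0.0
    temporary: bool = False

@dataclass
class ClientSession:
    """State carried across the redirects of one login attempt."""
    pending: list = field(default_factory=list)         # temporary users awaiting a decision
    hidden_providers: set = field(default_factory=set)  # IdPs already used in this attempt

@dataclass
class Decision:
    status: str                   # "ok" (no clash) or "existing" (user must choose)
    user: User                    # the temporary user just created
    reason: Optional[str] = None  # "username", "email" or "name"
    existing: Optional[User] = None
    options: tuple = ()

class Realm:
    def __init__(self):
        self.users: dict = {}     # username -> User, temporary ones included

    def find_existing(self, candidate: User):
        """Detection in the thread's order: username, then email (a parked duplicate counts), then name."""
        others = [u for u in self.users.values() if u is not candidate and not u.temporary]
        email = (candidate.email or candidate.attributes.get(PENDING_EMAIL_ATTR) or "").lower()
        for u in others:
            if u.username == candidate.username:
                return "username", u
        for u in others:
            if email and u.email and u.email.lower() == email:
                return "email", u
        for u in others:
            if (u.first_name, u.last_name) == (candidate.first_name, candidate.last_name):
                return "name", u
        return None

    def idp_callback(self, session, provider, subject, profile, now) -> Decision:
        """Callback from the identity provider: always create a temporary account first."""
        username = profile["username"]
        if username in self.users:
            username = f"{provider}.{subject}"        # assumed fallback for a taken username
        email, attrs = profile.get("email"), {}
        if email and any(u.email and u.email.lower() == email.lower() for u in self.users.values()):
            attrs[PENDING_EMAIL_ATTR], email = email, None   # keep the email column unique
        temp = User(username, email, profile["firstName"], profile["lastName"],
                    attrs, set(), {provider: subject}, now, True)
        self.users[username] = temp
        session.pending.append(temp)
        session.hidden_providers.add(provider)
        match = self.find_existing(temp)
        if match is None:
            return Decision("ok", temp)
        reason, existing = match
        options = ("cancel", "merge") + (("continue",) if reason == "name" else ())
        return Decision("existing", temp, reason, existing, options)

    def login_providers(self, session, all_providers) -> list:
        """Buttons for the re-displayed login screen: providers not yet used in this attempt."""
        return [p for p in all_providers if p not in session.hidden_providers]

    def cancel(self, session) -> None:
        """Cancel: drop every temporary account created during this attempt."""
        for temp in session.pending:
            self.users.pop(temp.username)
        session.pending.clear()
        session.hidden_providers.clear()

    def authenticated_as_existing(self, session, existing: User) -> User:
        """Merge: call only after the user proved ownership of the existing account."""
        for temp in session.pending:
            for k, v in temp.attributes.items():
                if k != PENDING_EMAIL_ATTR:           # the existing user already owns that email
                    existing.attributes.setdefault(k, v)
            existing.roles |= temp.roles              # union never drops an existing role
            for provider, subject in temp.idp_links.items():
                existing.idp_links.setdefault(provider, subject)
        self.cancel(session)                          # removes the now-merged temporaries
        return existing

    def expire_temporaries(self, now) -> list:
        """Sweep for abandoned temporary accounts (browser closed mid-flow)."""
        gone = [u.username for u in self.users.values()
                if u.temporary and now - u.created_at > TEMP_ACCOUNT_TTL]
        for name in gone:
            self.users.pop(name)
        return gone
```

The model keeps both kinds of state Marek asks about: the temporary row lives in the realm (so the unique-email constraint and the expiry sweep have something to act on), while the list of pending links and the set of hidden provider buttons live in the session for the duration of the attempt. The security-relevant point is that `authenticated_as_existing` is the only path that attaches an IdP link to the existing user, and it must be reached only after a real authentication as that user; the "existing account" prompt itself proves nothing.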