-100. The default should be to create a duplicate account.
On 11/3/2015 7:18 AM, Stian Thorgersen wrote:
Sounds good
On 3 November 2015 at 12:24, Marek Posolda <mposolda(a)redhat.com> wrote:
I have a prototype in progress, which I am going to present on
Thursday's call. It's based on the authentication SPI, so it's quite
flexible.
The current default behaviour is: when it detects a duplicated email, it
displays the page with "Duplication detected. What do you want to
do?" Then the user can:
- Go back and edit the profile. So the user is not required to link the
provider as long as he provides a different unique email
- Link the provider. At this point, he needs either to reauthenticate
in a different way (password+otp or an already linked identity provider)
or confirm the linking via email
Marek
On 03/11/15 09:31, Stian Thorgersen wrote:
> Would be even simpler for users if we just removed authentication
> completely and only had the username on the login form - we could
> just add a statement "only use your own username, we trust you to
> not try to login as someone else" ;)
>
> Seriously though - social accounts are hacked all the time and
> allowing this auto linking of accounts without requiring users to
> authenticate to the existing account is just plain scary.
>
> The solution to the use case you've given is not login with
> another social provider, it's having good account recovery options
> in place.
>
> On 30 October 2015 at 14:57, Bill Burke <bburke(a)redhat.com> wrote:
>
> There's an alternative problem. Logs in with Twitter in
> 2005. Logs in again 2015 with Google. Is required to link
> with Twitter, says "screw it" because he doesn't remember his
> Twitter password and just closes his browser and doesn't use
> the website.
>
> I've been on really popular high-traffic sites where their
> Google login was broken for months (http://mmqb.si.com, which
> is an NFL website for Sports Illustrated). I used my Facebook
> identity instead. If I had been required to merge accounts
> manually, I would have not been able to use the site.
>
> On 10/29/2015 4:35 PM, Stian Thorgersen wrote:
>
> Linking accounts automatically is fine, but we should not
> have an option that can do that without requiring users to
> authenticate first.
>
> There are so many cases where a user could have one social
> account compromised. They may not care that much about the
> account, they may never use the service so they've completely
> forgotten about it.
>
> Imagine the following scenario:
>
> * Tom signed up for GMail in 2005 - figured it was great
> and continued using the service the rest of his life
> * Tom signed up for Twitter in 2005 - figured it was not
> to his taste and never used the account again
> * Tom now read about two factor auth and configured it on
> his GMail account
> * Mary (a bad person) figured that the password to Tom's
> Twitter account was 'password' so she's gained access to
> Tom's Twitter - Tom doesn't know, but he doesn't care either
> * Tom signs up for a website that uses Keycloak and logs
> in with his trusted GMail account
> * Now if we let Mary login to the website that uses
> Keycloak with Tom's old Twitter account, without first
> proving she's Tom (which she can't), would be just plain daft!
>
> On 29 October 2015 at 06:37, Bill Burke <bburke(a)redhat.com> wrote:
>
> On 10/29/2015 5:42 AM, Vlastimil Elias wrote:
> >
> > On 28.10.2015 21:32, Bill Burke wrote:
> >> If a user has loads of social networks and links a bunch of them, if
> >> *any one* of them is compromised the entire account is compromised.
> >> For most sites using social login, the only reason there is a login
> >> is for the application to collect marketing data. So, the default
> >> behavior should make things as simple as possible for the user.
> >>
> >> At a minimum, by default, the user should not be required to link an
> >> account if there is a conflicting duplicate email given by the provider.
> >> I have found developers.redhat.com very difficult to use.
> >
> > Yep, it is difficult to use because it has to follow the company's
> > policy of unique emails and Keycloak does not provide the necessary
> > support for simple and user-friendly account linking currently ;-)
> >
>
> Yeah, it's not your fault. It's ours.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
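The duplicate-email flow Marek describes (edit the profile, or link only after reauthentication or email confirmation) and the risk in Stian's Tom/Mary scenario, as an added illustration that is not Keycloak's code: a small Python model of the broker-login decision, with the unsafe auto-link behaviour kept as an explicit opt-in so the two outcomes can be compared. Accounts, provider names and provider user ids are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    username: str
    email: str
    links: set = field(default_factory=set)   # {(provider, provider_user_id)}

@dataclass
class BrokeredIdentity:
    provider: str
    provider_user_id: str
    email: str   # email asserted by the identity provider

def broker_login(users, identity, auto_link=False):
    """Decide what happens when an identity provider login arrives.
    Returns (action, user) where action is one of:
      'login'     the provider identity is already linked to a user
      'create'    no account uses this email yet, so a new one is created
      'duplicate' email clash: the user must edit the profile or prove
                  ownership of the existing account before linking
      'auto_link' the unsafe option Stian argues against (auto_link=True)"""
    key = (identity.provider, identity.provider_user_id)
    for u in users:
        if key in u.links:
            return "login", u
    existing = next((u for u in users
                     if u.email.lower() == identity.email.lower()), None)
    if existing is None:
        new = User(identity.email, identity.email, {key})
        users.append(new)
        return "create", new
    if auto_link:
        # A compromised, long-forgotten social account now owns "existing".
        existing.links.add(key)
        return "auto_link", existing
    return "duplicate", existing

def link_after_verification(user, identity, verified):
    """Finish linking only after the user reauthenticated to the existing
    account (password+otp or an already linked provider) or confirmed via
    email; 'verified' is the outcome of that step."""
    if not verified:
        return False
    user.links.add((identity.provider, identity.provider_user_id))
    return True

# Constructed scenario: Tom's account is linked to Google; a Twitter login
# asserting the same email arrives (in Stian's story, driven by Mary).
def run_scenario(auto_link=False):
    users = [User("tom", "tom@example.com", {("google", "g-tom")})]
    twitter = BrokeredIdentity("twitter", "tw-tom-2005", "tom@example.com")
    action, user = broker_login(users, twitter, auto_link=auto_link)
    return action, ("twitter", "tw-tom-2005") in user.links
```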