On 3/10/2014 6:02 AM, Marek Posolda wrote:
I've sent PR
https://github.com/keycloak/keycloak/pull/275 for
linking/unlinking social accounts to an already existing Keycloak user
account.
I've created another JIRA
https://issues.jboss.org/browse/KEYCLOAK-354,
which will allow the administrator to see which social
networks are connected for user 'john'. Stian and I discussed that a
read-only view for the admin is probably sufficient (i.e. the admin can
just review that john is linked to Facebook and Google, but doesn't
have the possibility to remove this linking or add a new link from this user
to other social networks).
There is also this bug
https://issues.jboss.org/browse/KEYCLOAK-334,
which means that users registered through social can't change their
passwords, because changing a password requires filling in the already existing
password, and user 'john' doesn't have an existing password when he
registered himself through Facebook... It seems that for a user without a
password, there should be a possibility to skip the need to fill in the existing
password. Maybe there should be a new model method like:
I think I submitted a similar bug to this with regard to "forgot password".
I also want you to think about linking Social Accounts with existing
Keycloak Accounts. I believe
sso.jboss.org will want to do this, as I
think people will want to use their Github user accounts to log into
jboss.org JIRA without having to redo permissions.
RealmModel: boolean hasPassword(UserModel user);
or even more flexible:
RealmModel: boolean hasCredential(UserModel user, String credentialType);
Not sure if this is sufficient though, because users registered through social won't
need to fill in an existing password, which could mean that someone can hijack their session, as
Stian pointed out.
So I was also thinking about whether we can require that users fill in
their password if they are registered through social. Maybe some
administrators don't want this, but in fact many sites on the Internet
require this for social registration, and in fact that's what I did in
the GateIn portal as well.
Why would a password be required for a social login? The whole point of
a social login is to delegate authentication. I can see you maybe
wanting to add 2-factor auth and other security constraints to a social
login, but a password? No.
So I wonder if we shouldn't remove the realm boolean attribute
"updateProfileOnInitialSocialLogin" and add a new attribute like
"socialRegistrationRequiredActions", which will contain an array of
required actions after social registration. So for example:
- If the administrator wants users to be registered automatically through
social without needing to confirm anything, he can use an empty array (same
as currently updateProfileOnInitialSocialLogin=false)
- If the administrator wants users to confirm their attributes (firstName,
lastName, email...), he will just add the action UPDATE_PROFILE (same as
currently updateProfileOnInitialSocialLogin=true)
- If the administrator wants users to confirm attributes and also fill in a
password, he will add both UPDATE_PROFILE and UPDATE_PASSWORD to this
array
I'd like to see an option for "Do you have an existing account? If so,
please log in to link this account to your social account."
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
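A sketch of the two proposals in the thread, added here as an example and not code from the thread or from Keycloak itself: a hasCredential check that lets a user with no password skip the current-password step of the change-password flow (the KEYCLOAK-334 case), and the proposed socialRegistrationRequiredActions array in place of updateProfileOnInitialSocialLogin. The class and method names (User, RealmConfig, registerSocialUser, changePassword) are assumptions for illustration.

```java
// Hypothetical sketch, not Keycloak code: User, RealmConfig, CredentialType
// and RequiredAction are assumed names used only for this illustration.
import java.util.EnumSet;
import java.util.Set;

public class SocialRegistrationSketch {
    enum CredentialType { PASSWORD, TOTP }
    enum RequiredAction { UPDATE_PROFILE, UPDATE_PASSWORD }

    static class User {
        final Set<CredentialType> credentials = EnumSet.noneOf(CredentialType.class);
        final Set<RequiredAction> requiredActions = EnumSet.noneOf(RequiredAction.class);
        String password; // kept in clear text only to keep the sketch short
    }

    // Proposed replacement for updateProfileOnInitialSocialLogin: the required
    // actions a user registered through a social provider must complete first.
    static class RealmConfig {
        final Set<RequiredAction> socialRegistrationRequiredActions;
        RealmConfig(Set<RequiredAction> actions) { socialRegistrationRequiredActions = actions; }
    }

    static boolean hasCredential(User user, CredentialType type) {
        return user.credentials.contains(type);
    }

    // Registration through a social provider stores no password; the realm's
    // configured actions are queued so the user completes them on first login.
    static User registerSocialUser(RealmConfig realm) {
        User user = new User();
        user.requiredActions.addAll(realm.socialRegistrationRequiredActions);
        return user;
    }

    // KEYCLOAK-334: only a user with no password credential may skip the
    // current-password check. Anyone who does have one must still present it,
    // otherwise a left-open session could be used to take over the account.
    static boolean changePassword(User user, String currentPassword, String newPassword) {
        if (hasCredential(user, CredentialType.PASSWORD)
                && (currentPassword == null || !currentPassword.equals(user.password))) {
            return false;
        }
        user.password = newPassword;
        user.credentials.add(CredentialType.PASSWORD);
        user.requiredActions.remove(RequiredAction.UPDATE_PASSWORD);
        return true;
    }
}
```

A user created with registerSocialUser(new RealmConfig(EnumSet.of(RequiredAction.UPDATE_PROFILE, RequiredAction.UPDATE_PASSWORD))) can complete the first changePassword call with a null current password; every later call requires the existing one.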