OK, for now I can do it without the possibility of automatic linking
without re-authentication.
Marek
On 29/10/15 21:35, Stian Thorgersen wrote:
Linking accounts automatically is fine, but we should not have an
option that can do that without requiring users to authenticate first.
There are so many cases where a user could have one social account
compromised. They may not care that much about the account, they may
never use the service so they've completely forgotten about it.
Imagine the following scenario:
* Tom signed up for GMail in 2005 - figured it was great and continued
using the service the rest of his life
* Tom signed up for Twitter in 2005 - figured it was not to his taste
and never used the account again
* Tom has now read about two-factor auth and configured it on his GMail
account
* Mary (a bad person) figured out that the password to Tom's Twitter
account was 'password', so she's gained access to Tom's Twitter - Tom
doesn't know, but he doesn't care either
* Tom signs up for a website that uses Keycloak and logs in with his
trusted GMail account
* Now, if we let Mary log in to the website that uses Keycloak with Tom's
old Twitter account without first proving she's Tom (which she
can't), that would be just plain daft!
On 29 October 2015 at 06:37, Bill Burke <bburke@redhat.com> wrote:
On 10/29/2015 5:42 AM, Vlastimil Elias wrote:
>
> On 28.10.2015 21:32, Bill Burke wrote:
>> If a user has loads of social networks and links a bunch of them, if
>> *any one* of them is compromised the entire account is compromised.
>> For most sites using social login, the only reason there is a login at
>> all is for the application to collect marketing data. So, the default
>> behavior should make things as simple as possible for the user.
>>
>> At a minimum, by default, the user should not be required to link an
>> account if there is a conflicting duplicate email given by the provider.
>> I have found developers.redhat.com very difficult to use.
>
> yep, it is difficult to use because it has to follow the company's
> policy of unique emails, and Keycloak does not provide the necessary
> support for simple and user-friendly account linking currently ;-)
>
Yeah, it's not your fault. It's ours.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
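The linking rule the thread settles on (an e-mail match alone never links a new social identity to an existing account; the owner must authenticate first) as an added, self-contained example. This is not Keycloak's code or its actual broker implementation; the store, session, user names, e-mail addresses and provider subjects are constructed for the demo, and re-authentication here means the existing account's local password (a real broker could equally accept an already-linked, trusted provider such as Tom's GMail).

```python
"""Added example, not Keycloak code: a minimal identity-broker linking
decision that refuses to auto-link a social identity to an existing account
on an e-mail match unless the user first proves they own that account."""
import hashlib
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Outcome(Enum):
    LOGGED_IN = "logged_in"              # identity already linked: plain login
    CREATED = "created"                  # no e-mail conflict: new account
    REAUTH_REQUIRED = "reauth_required"  # e-mail conflict: prove ownership first
    LINKED = "linked"                    # link done after the owner authenticated
    DENIED = "denied"                    # re-authentication failed, nothing linked


@dataclass
class User:
    user_id: str
    email: str
    salt: bytes
    pw_hash: bytes
    linked: set = field(default_factory=set)  # {(provider, subject)}


@dataclass
class Session:
    user_id: Optional[str] = None
    pending_link: Optional[tuple] = None  # ((provider, subject), owner user_id)


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    """In-memory user store (constructed for the example)."""

    def __init__(self):
        self.users, self.by_email, self.by_identity = {}, {}, {}

    def register(self, email: str, password: str) -> User:
        salt = secrets.token_bytes(16)
        user = User(secrets.token_hex(8), email.lower(), salt, _kdf(password, salt))
        self.users[user.user_id] = user
        self.by_email[user.email] = user.user_id
        return user

    def link(self, user: User, identity: tuple) -> None:
        user.linked.add(identity)
        self.by_identity[identity] = user.user_id


def broker_login(store, session, provider, subject, email) -> Outcome:
    """Decide what to do when an external IdP asserts (provider, subject, email)."""
    identity = (provider, subject)
    if identity in store.by_identity:                  # known identity: normal login
        session.user_id = store.by_identity[identity]
        return Outcome.LOGGED_IN
    owner_id = store.by_email.get(email.lower())
    if owner_id is None:                               # no conflict: fresh account
        user = store.register(email, secrets.token_urlsafe(32))  # unusable random password
        store.link(user, identity)
        session.user_id = user.user_id
        return Outcome.CREATED
    if session.user_id == owner_id:                    # owner already logged in, e.g.
        store.link(store.users[owner_id], identity)    # linking from account settings
        return Outcome.LINKED
    # The e-mail matches someone else's account and nobody has proven ownership:
    # never auto-link. Park the request and demand the owner's credentials.
    session.pending_link = (identity, owner_id)
    return Outcome.REAUTH_REQUIRED


def complete_link(store, session, password) -> Outcome:
    """Finish a parked link only if the caller authenticates as the account owner."""
    identity, owner_id = session.pending_link
    user = store.users[owner_id]
    session.pending_link = None
    if not secrets.compare_digest(_kdf(password, user.salt), user.pw_hash):
        return Outcome.DENIED
    store.link(user, identity)
    session.user_id = owner_id
    return Outcome.LINKED


def tom_and_mary():
    """The thread's scenario on constructed data: outcomes, Tom's links, Mary's user."""
    store = AccountStore()
    tom = store.register("tom@example.com", "correct horse battery staple")
    # Tom logs in with GMail: e-mail conflict, so he re-authenticates and gets linked.
    s1 = Session()
    o1 = broker_login(store, s1, "gmail", "tom-gmail-sub", "tom@example.com")
    o2 = complete_link(store, s1, "correct horse battery staple")
    # Mary, holding Tom's forgotten Twitter account, arrives with the same e-mail.
    s2 = Session()
    o3 = broker_login(store, s2, "twitter", "tom-twitter-sub", "tom@example.com")
    o4 = complete_link(store, s2, "password")  # she does not know Tom's real password
    return [o1, o2, o3, o4], sorted(tom.linked), s2.user_id
```

Running `tom_and_mary()` gives the outcome sequence reauth_required, linked, reauth_required, denied: Tom's account ends up linked only to GMail and Mary's session never becomes Tom. The one path that links without a credential prompt is the owner linking from an already authenticated session, which is the case the thread considers fine.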