----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Pedro Igor Silva" <psilva(a)redhat.com>
Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
Sent: Tuesday, January 6, 2015 11:25:45 AM
Subject: Re: [keycloak-dev] Email constraint violation when updating profile
----- Original Message -----
> From: "Pedro Igor Silva" <psilva(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> Sent: Tuesday, 6 January, 2015 2:14:21 PM
> Subject: Re: [keycloak-dev] Email constraint violation when updating
> profile
>
> ----- Original Message -----
> > From: "Stian Thorgersen" <stian(a)redhat.com>
> > To: "Pedro Igor Silva" <psilva(a)redhat.com>
> > Cc: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> > Sent: Tuesday, January 6, 2015 9:53:56 AM
> > Subject: Re: [keycloak-dev] Email constraint violation when updating
> > profile
> >
> > This is a corner case and we can safely ignore it until someone complains
> > about it. There are also already ways to work around it:
> >
> > 1) User logs into account console, removes the social/broker link, logs in
> > to the other account and adds the social link
> > 2) User talks to admin, admin deletes one account (or removes social/broker
> > link), then user can link to existing account
> >
> > When we implemented linking of accounts in the first place me and Marek
> > discussed this issue over and over. Whichever solution we came up with had
> > issues, both technical and usability issues. So end of the day we decided
> > that as there's a workaround to it, and that it won't be a very common
> > problem, we could safely ignore it.
>
> Not sure if you can safely ignore it. Users will get an ugly error on their
> browser, instead of a proper error message. If you just check for a
> duplicate email in
> org.keycloak.services.resources.LoginActionsService#updateProfile, that
> would be enough to avoid the error. And this should be very simple.
Agree it should be a proper error message. I didn't get that was the problem.
It shouldn't check for duplicate email though, it should rely on db
constraints as otherwise you can't guarantee it doesn't exist, but still an
easy fix. Can you create a separate JIRA issue for it and we'll fix for
1.1.0.Final?

Sure, I'll. Thanks.

>
> >
> > With regards to the proposed solution, that was one we visited, but it has
> > several issues. Creating the user after doesn't work as we need to have
> > somewhere to store the information and it would also add more complexity to
> > required actions. Also, it doesn't work if update profile is not required on
> > first login or if email is not required. In either of those cases you end up
> > with at some point in the future the user may try to update the account with
> > their email and get the same problem.
>
> Not really, the validation above should be enough.
>
> Still not convinced :) I understand the technical blockers, but they should
> not be blockers to offer a better usability.
>
> From a business perspective, the workflow is wrong. You can not store the
> user before getting the input from the user when update profile is enabled.
> That is what you see around the web and what KC does partially.
You can argue which workflow is better, but both are perfectly valid. There's
nothing wrong with storing the user before update profile. If there's an
update profile required action associated with the account the user is not
able to use the account until the profile has been updated. Absolutely
nothing wrong with the current flow, other than the potential of the user
wanting to set an email address that already exists, which there are many
other much simpler solutions to than what you are proposing. End of the day
you'll provide the same error message to the user, so from a usability
perspective there's no difference whether or not it's stored in the db.
>
> >
> > ----- Original Message -----
> > > From: "Pedro Igor Silva" <psilva(a)redhat.com>
> > > To: "keycloak dev" <keycloak-dev(a)lists.jboss.org>
> > > Sent: Tuesday, 6 January, 2015 12:33:30 PM
> > > Subject: [keycloak-dev] Email constraint violation when updating
> > > profile
> > >
> > > Hi,
> > >
> > > Would like to know your thoughts on KEYCLOAK-924 [1].
> > >
> > > Looks like there is an issue with the "Update Profile" workflow that also
> > > impacts social authentication and account linking.
> > >
> > > Regards.
> > > Pedro Igor
> > >
> > > [1] https://issues.jboss.org/browse/KEYCLOAK-924
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
> >
>
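
Added example, not part of the original thread and not Keycloak code: the point discussed above about relying on the database constraint instead of a duplicate-email pre-check, shown with Python's sqlite3. The table, column and function names and the error text are assumptions made for illustration.

```python
import sqlite3

def open_db():
    # Hypothetical schema (not Keycloak's real tables); email is UNIQUE.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_entity (id INTEGER PRIMARY KEY,"
               " username TEXT NOT NULL, email TEXT UNIQUE)")
    # Constructed sample rows: a local account and a broker-created one.
    db.executemany("INSERT INTO user_entity (username, email) VALUES (?, ?)",
                   [("alice", "alice@example.org"), ("social-bob", None)])
    db.commit()
    return db

def update_check_first(db, user_id, email, between=None):
    """Pre-check, then write: the check can pass and the write still fail."""
    row = db.execute("SELECT 1 FROM user_entity WHERE email = ? AND id <> ?",
                     (email, user_id)).fetchone()
    if row:
        return "Email already exists"
    if between:
        between()  # stands in for a concurrent request landing in the gap
    db.execute("UPDATE user_entity SET email = ? WHERE id = ?", (email, user_id))
    db.commit()
    return None

def update_rely_on_constraint(db, user_id, email):
    """Write, and map the constraint violation to a form-level message."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute("UPDATE user_entity SET email = ? WHERE id = ?",
                       (email, user_id))
    except sqlite3.IntegrityError:
        return "Email already exists"
    return None

def race_demo():
    """Return True if the pre-check variant leaks the raw database error."""
    db = open_db()
    def other_request():
        db.execute("INSERT INTO user_entity (username, email)"
                   " VALUES ('carol', 'new@example.org')")
    try:
        update_check_first(db, 2, "new@example.org", between=other_request)
    except sqlite3.IntegrityError:
        return True
    return False

if __name__ == "__main__":
    print(update_rely_on_constraint(open_db(), 2, "alice@example.org"))
    print(race_demo())
```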